Implicit Behavioral Differences
From DocWiki
(Re-worded description of FWSM implicit deny for clarity.)
Latest revision as of 01:11, 7 May 2010
The following table lists the implicit behavioral differences between FWSM and ASA.
| Implicit Behavior | Behavior in FWSM | Behavior in ASA |
|---|---|---|
| Implicit Deny | By default, implicit deny for all IP traffic between interfaces, regardless of security level. | Implicit permit from high security to low security interfaces. |
| ICMP to-the-box deny | Implicit ICMP deny to the interface. | Implicit permit. |
| NAT matching for statistics | Static NAT and static PAT (regular and policy static command) -- Best Match. In the case of overlapping addresses in the static statements, a warning is displayed, but they are supported. The order of static commands does not matter; the static statement that best matches the real address is used. | Static NAT and static PAT (regular and policy static command) -- In order until the first match. |
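
The NAT matching row matters when overlapping static statements are carried from FWSM to ASA unchanged: the same list can select a different statement for the same real address. The following is an added example, not code from the original page or from Cisco, that models both behaviors and lists the overlaps that would resolve differently. It assumes "best match" means the longest matching prefix on the real address; the sample networks and the `map-*` labels are constructed.

```python
import ipaddress

def parse(statics):
    """Turn (real_cidr, label) pairs into (network, label), keeping config order."""
    return [(ipaddress.ip_network(real), label) for real, label in statics]

def fwsm_match(statics, addr):
    """FWSM: best match. Assumption: modelled as the longest real prefix containing addr."""
    ip = ipaddress.ip_address(addr)
    hits = [(net, label) for net, label in parse(statics) if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def asa_match(statics, addr):
    """ASA: statements are checked in order until the first match."""
    ip = ipaddress.ip_address(addr)
    for net, label in parse(statics):
        if ip in net:
            return label
    return None

def shadowed_on_asa(statics):
    """Return (earlier, later) pairs where an earlier, broader statement covers a
    later, more specific one. FWSM would use the later statement for addresses
    inside it; ASA stops at the earlier one, so the translation changes."""
    nets = parse(statics)
    pairs = []
    for j, (later, _) in enumerate(nets):
        for earlier, _ in nets[:j]:
            if earlier.prefixlen < later.prefixlen and later.subnet_of(earlier):
                pairs.append((str(earlier), str(later)))
    return pairs

# Constructed sample: real networks of static statements, in configuration order.
SAMPLE = [
    ("10.1.0.0/16", "map-A"),   # broad statement first
    ("10.1.5.0/24", "map-B"),   # more specific, but later: shadowed on ASA
    ("10.2.0.7/32", "map-C"),   # more specific first: same result on both
    ("10.2.0.0/24", "map-D"),
]

if __name__ == "__main__":
    for addr in ("10.1.5.9", "10.2.0.7", "10.2.0.8"):
        print(addr, "FWSM:", fwsm_match(SAMPLE, addr), "ASA:", asa_match(SAMPLE, addr))
    print("Review before migrating:", shadowed_on_asa(SAMPLE))
```

Placing the more specific statement ahead of the broader one makes the first-match result agree with the best-match result for every pair the check reports.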