ASA question

Answered Question
Nov 18th, 2008

Looking at a sample configuration, at:

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a0080624e19.shtml

It seems they are updating the outside access-list in order for the inside hosts to telnet and SSH to the outside. I was under the impression that this update should be done on the inside interface. Is this new on the ASA? Because on the PIX it was done on the inside ACL as of 7.0, and before that you did not need any access-list update to go from inside to outside.

cpembleton Wed, 11/19/2008 - 19:27

I could not access the link posted to see what it's trying to do.

But the ASA follows the same rules. Traffic flowing from a higher-level interface to a lower-level interface is permitted by default, "all things being equal".

Update the post with a working link so everyone can see it.

HTH

Chad

Correct Answer
Farrukh Haroon Wed, 11/19/2008 - 20:11

The access-list mentioned in that document is 'optional'. You can very well skip it (depending on your security policy).

By default all higher >> lower communication is allowed. However, once you do make an access-list on the higher interface, the implicit 'deny ip any any' at the end of the ACL kicks in. You have to design your ACL based on that rule. As you know, the same is true for 'all' interfaces on a router. By default all is allowed, but once you put an ACL on, the deny ip any any at the end comes into effect.

The document is just mentioning that ACL as a security best practice. The ACL for MPF is required though (outside_mpc).

Please rate if helpful.

Regards

Farrukh
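An added ASA configuration example (not from the thread or the linked Cisco document) showing the behaviour Farrukh describes: with no ACL on inside, inside (100) -> outside (0) is allowed; once an ACL is bound to inside, only what it permits survives the implicit deny. The interface names, addresses and the ACL name inside_access_in are assumptions; only outside_mpc comes from the thread.

```cisco
! Security levels alone decide the default: inside (100) may initiate
! connections to outside (0) with no access-list configured at all.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Optional inbound ACL on the high-security interface (assumed name).
! The moment it is bound with access-group, an unwritten
! "deny ip any any" terminates it, so every protocol the inside
! hosts need (DNS, HTTP, ...) must now be listed explicitly.
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq ssh
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq telnet
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
! (implicit, never shown in the config) deny ip any any
access-group inside_access_in in interface inside
!
! The MPF class selector is the part that is not optional for the
! timeout feature; it only classifies, it does not permit or deny.
access-list outside_mpc extended permit tcp any any eq ssh
access-list outside_mpc extended permit tcp any any eq telnet
!
! Checks after applying the ACL: confirm a flow that is NOT listed is
! now dropped by the implicit deny, and watch hit counts for the entries.
!   packet-tracer input inside tcp 192.168.1.10 1025 203.0.113.50 25
!   show access-list inside_access_in
```

packet-tracer should report the unlisted SMTP flow as dropped by the ACL, while an SSH or Telnet flow from the same host passes; if a protocol stops working after the access-group command, it is missing from the list, not broken by NAT or routing.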

sansari Thu, 11/20/2008 - 05:34

Hi Chad,

Not sure what is going on with the link. I just clicked on it, and it took me to the document; would you try again please? I did have to log into my Cisco account. The other way to get to it is by searching for the title, which is: "PIX/ASA 7.x and later/FWSM: Set SSH/Telnet/HTTP Connection Timeout using MPF Configuration Example".

Regards-

Sean
