ASA question

Answered Question
Nov 18th, 2008
Looking at a sample configuration, at:

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a0080624e19.shtml

It seems they are updating the outside access-list in order for the inside hosts to telnet and SSH to the outside. I was under the impression that this update should be done on the inside interface. Is this new on the ASA? Because on the PIX it was done on the inside ACL as of 7.0, and before that you did not need any access-list update to go from inside to outside.

cpembleton Wed, 11/19/2008 - 19:27

I could not access the link posted to see what it's trying to do.


But the ASA follows the same rules. Traffic flowing from a higher level inf to lower inf is permitted by default. "All things being equal"


Update post with working link so everyone can see it.


HTH

Chad

Correct Answer
Farrukh Haroon Wed, 11/19/2008 - 20:11

The access-list mentioned in that document is 'optional'. You can very well skip it (depending on your security policy).


By default all higher >> lower communication is allowed. However, once you do make an access-list on the higher interface, the implicit 'deny ip any any' at the end of the ACL kicks in. You have to design your ACL based on that rule. As you know, the same is true for 'all' interfaces on a router. By default all is allowed, but once you put an ACL on it... the deny ip any any at the end comes into effect.


The document is just mentioning that ACL as a security best practice. The ACL for MPF is required though (outside_mpc).


Please rate if helpful.


Regards


Farrukh
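As an added illustration of the implicit-deny point in the answer above (this is not from the thread or from the Cisco document; interface names, the 192.168.1.0/24 inside subnet, the ACL and class-map names, and the 30-minute timeout are assumed), the first ACL lists only telnet and SSH and therefore blocks every other outbound flow once it is bound to inside, while the second keeps the higher-to-lower default by ending with an explicit permit; the outside_mpc ACL is only a match criterion for the MPF class and permits nothing by itself:

```cisco
! --- Trap: an inside ACL that lists only the "interesting" traffic ---
! Bound to the inside interface, the implicit "deny ip any any" now applies,
! so HTTP, DNS and everything else from 192.168.1.0/24 is dropped.
access-list inside_telnet_ssh_only extended permit tcp 192.168.1.0 255.255.255.0 any eq telnet
access-list inside_telnet_ssh_only extended permit tcp 192.168.1.0 255.255.255.0 any eq ssh
access-group inside_telnet_ssh_only in interface inside

! --- Intended form: make the default allow explicit ---
! Place any deny lines above the closing permit; the closing permit restores
! the higher-to-lower default for everything not matched earlier.
no access-group inside_telnet_ssh_only in interface inside
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq telnet
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq ssh
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group inside_access_in in interface inside

! --- MPF: this ACL is required because the class-map matches on it ---
! It selects flows for the policy; it does not permit or deny anything.
access-list outside_mpc extended permit tcp any any eq telnet
access-list outside_mpc extended permit tcp any any eq ssh
class-map telnet-ssh-traffic
 match access-list outside_mpc
policy-map global_policy
 class telnet-ssh-traffic
  ! "idle" keyword assumed for 8.2(2) and later; older releases used "tcp" here
  set connection timeout idle 0:30:00
service-policy global_policy global
```

To confirm the difference, `packet-tracer input inside tcp 192.168.1.10 1234 203.0.113.5 80` reports a drop at the ACL phase under the first ACL and an allow under the second.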

sansari Thu, 11/20/2008 - 05:34
Hi Chad,

Not sure what is going on with the link. I just clicked on it, and it took me to the document; would you try again please? I did have to log into my Cisco account. The other way to get to it is by searching for the title, which is: "PIX/ASA 7.x and later/FWSM: Set SSH/Telnet/HTTP Connection Timeout using MPF Configuration Example".

Regards-

Sean

Jon Marshall Thu, 11/20/2008 - 05:42

Just as an aside. The link you posted has /partner/ in the URL. If you just remove that bit it will work for all of us :-)


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080624e19.shtml


Obviously it doesn't work with every URL as partners have access to some information that others don't.


Jon
