ASA question

sansari
Level 1

Looking at a sample configuration, at:

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a0080624e19.shtml

It seems they are updating the outside access-list in order for the inside hosts to telnet and SSH to the outside. I was under the impression that this update should be done on the inside interface. Is this new on the ASA? Because on the PIX it was done on the inside ACL as of 7.0, and before that you did not need any access-list update to go from inside to outside.

Accepted Solution

The access-list mentioned in that document is 'optional'. You can very well skip it (depending on your security policy).

By default all higher >> lower communication is allowed. However, once you do make an access-list on the higher interface, the implicit 'deny ip any any' at the end of the ACL kicks in. You have to design your ACL based on that rule. As you know, the same is true for 'all' interfaces on a router: by default all is allowed, but once you put an ACL on it, the deny ip any any at the end comes into effect.

The document is just mentioning that ACL as a security best practice. The ACL for MPF is required though (outside_mpc).

Please rate if helpful.

Regards

Farrukh

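To make the distinction in the accepted answer concrete, here is an added ASA configuration example; it is not the configuration from the Cisco document the thread discusses, and the interface names, addresses, ACL names and the 30-minute timeout are assumed for illustration. It shows the two ACLs side by side: the interface ACL on inside (optional, but once bound it carries the implicit deny, so every inside-to-outside flow must be listed), and the MPF ACL (required, because it only selects traffic for the policy and permits nothing on its own). The `set connection timeout idle` keyword is the 8.2+ syntax; on 7.x/8.0 the same setting is `set connection timeout tcp`.

```cisco
! Interfaces and security levels (assumed names and addresses)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! With no access-group on 'inside', inside (100) -> outside (0) is permitted
! by default. As soon as an ACL is bound to 'inside', the implicit
! 'deny ip any any' at its end applies, so every permitted flow must be listed.
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 any eq telnet
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 any eq ssh
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list inside_in extended permit udp 10.1.1.0 255.255.255.0 any eq domain
! (implicit at the end of the list: deny ip any any)
access-group inside_in in interface inside
!
! MPF: this ACL is a traffic selector for the class-map, not a permit/deny
! filter. It is required for the timeout policy to match anything.
access-list outside_mpc extended permit tcp any any eq telnet
access-list outside_mpc extended permit tcp any any eq ssh
access-list outside_mpc extended permit tcp any any eq www
!
class-map telnet-ssh-http
 match access-list outside_mpc
!
policy-map outside-policy
 class telnet-ssh-http
  set connection timeout idle 0:30:00 reset
!
service-policy outside-policy interface outside
!
! Verification (assumed test host 10.1.1.10, assumed destination 203.0.113.50)
show access-list inside_in
show service-policy interface outside
packet-tracer input inside tcp 10.1.1.10 40000 203.0.113.50 22
packet-tracer input inside tcp 10.1.1.10 40000 203.0.113.50 25
```

The two `packet-tracer` runs are the check a practitioner would want: the SSH flow should show the ACCESS-LIST phase as ALLOW on ACE 2 of inside_in, while the SMTP flow, which no ACE lists, should be dropped in the same phase with the implicit deny as the reason. Removing `access-group inside_in in interface inside` makes both flows pass again, which is exactly the "optional ACL" behaviour described above.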

4 Replies

cpembleton
Level 4

I could not access the link posted to see what it's trying to do.

But the ASA follows the same rules. Traffic flowing from a higher-level interface to a lower-level interface is permitted by default, "all things being equal".

Update post with working link so everyone can see it.

HTH

Chad
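The rule both replies describe (no ACL on the ingress interface means the security levels decide; an ACL means first-match with an implicit deny at the end) is easy to get wrong when reasoning about a change, so here is an added Python model of that evaluation order. It is an illustration written for this thread, not ASA code or a Cisco tool; the interface names, security levels, addresses and the sample ACL are constructed, and it models only initial packets (the connection table that lets return traffic through, global ACLs, object-groups and NAT are deliberately left out).

```python
"""Toy model of ASA interface-ACL evaluation (added example, not from the thread).

Modelled rules:
  * no ACL bound to the ingress interface: initial packet permitted only when
    ingress security-level > egress security-level (the default high->low rule);
  * ACL bound: the first matching ACE decides; if nothing matches, the implicit
    'deny ip any any' at the end applies, even for high->low traffic.
Return traffic, global ACLs, object-groups and NAT are not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Interface:
    name: str
    security_level: int


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    protocol: str                # "ip", "tcp" or "udp"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None


def _net_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """ACE matches when protocol, source, destination and (if given) port all agree."""
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not _net_match(ace.src, pkt.src_ip) or not _net_match(ace.dst, pkt.dst_ip):
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(ingress: Interface, egress: Interface,
             acl: Optional[List[Ace]], pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason). acl is None when no access-group is bound."""
    if acl is None:
        if ingress.security_level > egress.security_level:
            return "permit", "no ACL; higher to lower security level"
        return "deny", "no ACL; lower to higher security level"
    for idx, ace in enumerate(acl, 1):          # first match wins
        if ace_matches(ace, pkt):
            return ace.action, f"matched ACE #{idx}"
    return "deny", "implicit deny ip any any at end of ACL"


# Constructed topology and ACL (assumed values, mirroring the thread's scenario)
INSIDE = Interface("inside", 100)
OUTSIDE = Interface("outside", 0)
INSIDE_ACL = [
    Ace("permit", "tcp", "10.1.1.0/24", "any", 23),   # telnet
    Ace("permit", "tcp", "10.1.1.0/24", "any", 22),   # ssh
]
SSH = Packet("tcp", "10.1.1.10", "203.0.113.50", 22)
DNS = Packet("udp", "10.1.1.10", "203.0.113.53", 53)
INBOUND_SSH = Packet("tcp", "198.51.100.7", "10.1.1.10", 22)


def demo() -> dict:
    """Same flows with and without the inside ACL bound."""
    return {
        "ssh_no_acl": evaluate(INSIDE, OUTSIDE, None, SSH)[0],
        "dns_no_acl": evaluate(INSIDE, OUTSIDE, None, DNS)[0],
        "ssh_with_acl": evaluate(INSIDE, OUTSIDE, INSIDE_ACL, SSH)[0],
        "dns_with_acl": evaluate(INSIDE, OUTSIDE, INSIDE_ACL, DNS)[0],
        "inbound_ssh_no_acl": evaluate(OUTSIDE, INSIDE, None, INBOUND_SSH)[0],
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:20s} {verdict}")
```

The DNS case is the one that bites in practice: with no ACL bound, an inside host's DNS query leaves freely, but binding an ACL that lists only telnet and SSH silently drops it through the implicit deny, which is why the answer above says the ACL has to be designed around that rule rather than copied from the document.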

Hi Chad,

Not sure what is going on with the link. I just clicked on it and it took me to the document; would you try again please? I did have to log into my Cisco account. The other way to get to it is by searching for the title, which is: "PIX/ASA 7.x and later/FWSM: Set SSH/Telnet/HTTP Connection Timeout using MPF Configuration Example".

Regards-

Sean

Just as an aside. The link you posted has /partner/ in the URL. If you just remove that bit it will work for all of us :-)

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080624e19.shtml

Obviously it doesn't work with every URL as partners have access to some information that others don't.

Jon
