Currently we have an external address that is NAT'd internally. The external address has a rule on the outside interface of our FW: permit any "external" address ip. The server is in our DMZ... however, the server is wide open to the internet.... SSH is allowed right now, which is bad. The only protocol that is needed is HTTP.

So I changed the rule to permit any "external address" tcp http. However, when I made the change, I lost access to the web pages on the server.

What's odd is I don't see a rule to permit HTTP currently on the outside interface, but HTTP is accessible along with SSH. Our core FW will have rules for the NAT'd internal address. Could rules on this be the issue?
The IP any rule will allow any UDP or TCP connections. So if an access-list sees any UDP or TCP PDUs it will know it is IP.
Reason: As a PDU (Protocol Data Unit) is processed, the following basically occurs. The PDU is made up of various levels of encapsulation. The frame, or layer 2 PDU, has a header and footer (which encapsulate a payload). The frame is processed by the ASA by stripping the frame header and footer from the payload. The layer 2 payload is made up of the layer 3 PDU. The layer 3 PDU (or IP packet) is then processed. Within the header of the IP packet there is a protocol field which tells the device what format the layer 3 payload will be in. The protocol field can be any of the protocols listed on this page: http://www.iana.org/assignments/protocol-numbers/
As you can see, there are a lot of different protocols (possibly up to 255 if you go by the binary 2^8). TCP and UDP are only two out of that list.
When you do a permit ip any any, the ASA permits ALL of the protocols listed in that page. I am unsure as to the exact mechanics, but my guess would be that it doesn't even look at the protocol field in the IP header.
When you specify a tcp protocol in the access list, the ASA will look at the layer 3 payload, which encompasses the TCP header. It ensures the protocol field in the IP header is set to 6 (or 00000110) and then it checks the port numbers in the TCP header once the IP header is processed.
In short, if you specify tcp in an ACL, ONLY protocol 6 in an IP header will be allowed, if you specify ip in an ACL then ALL possible protocols in the protocol field will be accepted.
I hope that helps :)
If it does, can you please rate?
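The protocol-field check described in the answer, as an added example that is not from this thread: a small simulation that reads the protocol byte out of a constructed IPv4 header and evaluates the two rules from the question (the original "permit ip" entry and the tightened "permit tcp ... http" entry). The addresses, ACL entry layout and helper names are assumptions for illustration, not ASA syntax.

```python
import struct

IP_PROTO_ICMP, IP_PROTO_TCP, IP_PROTO_UDP = 1, 6, 17   # IANA protocol numbers

def build_ipv4(proto, dst, payload):
    """Constructed minimal IPv4 header (no options, checksum 0) + layer-3 payload."""
    dst_bytes = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, b"\xc6\x33\x64\x07", dst_bytes) + payload

def tcp_segment(sport, dport):
    """Constructed TCP SYN header: ports, seq/ack, offset, flags, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)

def parse_packet(raw):
    """Return (protocol field, destination address, destination port or None)."""
    ihl = (raw[0] & 0x0F) * 4            # header length in bytes
    proto = raw[9]                       # the IP header's protocol field
    dst = ".".join(str(b) for b in raw[16:20])
    dport = None
    if proto in (IP_PROTO_TCP, IP_PROTO_UDP):
        # TCP and UDP headers both begin with 16-bit source and destination ports
        _, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return proto, dst, dport

def ace_matches(ace, raw):
    """One access-control entry: {'action','proto','dst', optional 'eq'}."""
    proto, dst, dport = parse_packet(raw)
    if ace["dst"] not in ("any", dst):
        return False
    if ace["proto"] == "ip":
        return True                      # 'ip' ignores the protocol field entirely
    wanted = {"tcp": IP_PROTO_TCP, "udp": IP_PROTO_UDP}[ace["proto"]]
    if proto != wanted:
        return False
    return ace.get("eq") is None or ace["eq"] == dport

def acl_permits(acl, raw):
    """First matching entry decides; unmatched traffic hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, raw):
            return ace["action"] == "permit"
    return False

SERVER = "203.0.113.10"                  # constructed NAT (external) address
OPEN_ACL = [{"action": "permit", "proto": "ip", "dst": SERVER}]
HTTP_ONLY_ACL = [{"action": "permit", "proto": "tcp", "dst": SERVER, "eq": 80}]
HTTP_SYN = build_ipv4(IP_PROTO_TCP, SERVER, tcp_segment(40000, 80))
SSH_SYN = build_ipv4(IP_PROTO_TCP, SERVER, tcp_segment(40001, 22))
PING = build_ipv4(IP_PROTO_ICMP, SERVER, b"\x08\x00\xf7\xff\x00\x00\x00\x00")
```

With OPEN_ACL every one of the three packets is permitted; with HTTP_ONLY_ACL only the SYN to port 80 gets through, which is the behaviour the answer describes.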