Using "interface" as parameter in ASA ACL

Aug 4th, 2009

I have seen in a manual that you can use "interface (interface name)" as the source/destination in an ACL on the ASA. When would you do this? What exactly does it buy you i.e. what does it really give access to?

Example

access-list dmz permit tcp interface dmz host 10.1.1.1 eq http

What is actually getting access to 10.1.1.1 on port 80?


Thanks

Joel G.

suschoud Tue, 08/04/2009 - 15:43

Joel,

Let me give you a complete example:

You have a server on the inside of the firewall which people need to access from outside.

You want to use the firewall's outside interface public IP address for this purpose.

As you cannot map the outside interface IP to an internal server, you would need a static PAT command. Let's assume it's a web server.

static (inside,outside) tcp interface 80 192.168.5.16 80

Inside server's actual IP: 192.168.5.16

Now, along with this static PAT, you would need to allow port 80 specifically for "any" source and the interface IP address as destination.

In this case, rather than mentioning the interface IP address in the ACL, use the interface keyword.

access-list outside_in permit tcp any interface outside eq 80

access-group outside_in in interface outside

HTH

Sushil

TAC
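The configuration Sushil describes, written out end to end as an added example (this block is not from any post in this thread). It keeps the server address 192.168.5.16 and the ACL name outside_in used above; the object name WEB-SERVER is an assumption for illustration. It also goes beyond the thread by adding the equivalent for ASA 8.3 and later, where the NAT syntax changed and ACLs match the real (untranslated) address, so the interface keyword is no longer how the ACL refers to the PAT target, plus the show commands used to verify that the translation exists and that the ACL entry actually matches traffic.

```cisco
! ---- ASA 8.2 and earlier (the syntax used in this thread) ----
! Port-forward TCP/80 on the outside interface's own address to the
! inside web server. "interface" resolves to whatever address the outside
! interface currently holds, so the rule survives a DHCP/PPPoE change.
static (inside,outside) tcp interface www 192.168.5.16 www
!
! Pre-8.3 ACLs match the mapped (translated) address. Here that is the
! outside interface itself, hence "interface outside" as the destination.
access-list outside_in extended permit tcp any interface outside eq www
access-group outside_in in interface outside
!
! ---- ASA 8.3 and later (added here; not discussed in the thread) ----
! NAT moves into a network object, and ACLs now match the REAL address,
! so the rule references the object rather than the interface.
object network WEB-SERVER
 host 192.168.5.16
 nat (inside,outside) static interface service tcp www www
access-list outside_in extended permit tcp any object WEB-SERVER eq www
access-group outside_in in interface outside
!
! ---- Checks ----
! The translation should appear in the xlate table, and the ACL entry's
! hitcnt should climb as outside clients connect. A hitcnt that stays at 0
! after a test connection means the entry never matches anything.
show xlate
show access-list outside_in
clear access-list outside_in counters
```

Two caveats a practitioner wants here. First, forwarding a port the ASA itself listens on for that interface (443 for ASDM/WebVPN, 22 for SSH) collides with the box's own service; pick a different mapped port or move the management service. Second, the same hitcnt check answers the source-side question later in this thread: interface ACLs are evaluated only for traffic passing through the ASA, so an entry whose source is the ASA's own interface address matches nothing in normal operation, and show access-list will show it at 0.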

jogillis Wed, 08/05/2009 - 11:51

Thank you. That example with "interface" as the destination I understand, but where would you use the "interface" parameter as the source, such as on a DMZ?


Example


access-list DMZ-to-Lan permit tcp interface dmz 10.x.x.x eq ldap


Thanks

Joel

John Blakley Wed, 08/05/2009 - 12:22

Joel,


Actually, it's the same concept. When you have a public address that can change, but you host a web server on the inside, your outside acl needs to allow someone into that address. You don't want to change the address each time your address changes, so you use the interface keyword instead of an address:


static (inside,outside) interface 192.168.1.50


access-list outside permit tcp any interface outside eq 80


HTH,

John

suschoud Wed, 08/05/2009 - 12:24

I'm not sure why you would need an ACL where the source is interface.

The interface-initiated traffic is mostly management traffic, and we do not restrict it using ACLs. ACLs are used for traffic passing THROUGH the firewall, not TO or FROM it.

I have never come across a situation wherein the source is specified as the interface IP.




jogillis Wed, 08/05/2009 - 12:33

Thanks, everyone, for the examples. I understand why you would use this as the destination, especially if you were using DSL where the outside interface could change. But using it as the source still has me stumped. The reason I ask is that we are moving a DMZ from one company to ours and the access-list for their DMZ has such statements in it.


Joel G.

suschoud Wed, 08/05/2009 - 12:36

I'm pretty sure there won't be any hit counts on that ACL.

Check:

show access-list




John Blakley Wed, 08/05/2009 - 12:55

According to your example,


access-list DMZ-to-Lan permit tcp interface dmz 10.x.x.x eq ldap


Are there any security restrictions on the LDAP server that require traffic to come from the address that's assigned to the DMZ interface? It *might* be an LDAP security thing where they didn't want everything in the DMZ talking to it, OR they are making requests on behalf of everything in the DMZ? Just a thought.


HTH,

John
