08-04-2009 01:35 PM - edited 03-11-2019 09:02 AM
I have seen in a manual that you can use "interface (interface name)" as the source/destination in an ACL on the ASA. When would you do this? What exactly does it buy you i.e. what does it really give access to?
Example
access-list dmz permit tcp interface dmz host 10.1.1.1 eq http
What is actually getting access to 10.1.1.1 on port 80?
Thanks
Joel G.
08-04-2009 03:43 PM
Joel,
Let me give you a complete example:
You have a server on the inside of the f/w which people need to access from the outside.
You want to use the f/w outside interface public IP address for this purpose.
As you cannot map the outside interface IP to an internal server, you would need a static PAT command. Let's assume it's a web server.
static (inside,outside) tcp interface 80 192.168.5.16 80
Inside server's actual IP: 192.168.5.16
Now, along with this static PAT, you would need to allow port 80 specifically for "any" source and the interface IP address as destination.
In this case, rather than mentioning the interface IP address in the ACL, use the interface keyword.
access-l outside_in permit tcp any interface outside eq 80
access-g outside_in in inter outside
HTH
Sushil
TAC
08-05-2009 11:51 AM
Thank you. That example with "interface" as the destination I understand, but where would you use the "interface" parameter as the source, such as on a DMZ?
Example
access-list DMZ-to-Lan permit tcp interface dmz 10.x.x.x eq ldap
Thanks
Joel
08-05-2009 12:22 PM
Joel,
Actually, it's the same concept. When you have a public address that can change, but you host a web server on the inside, your outside acl needs to allow someone into that address. You don't want to change the address each time your address changes, so you use the interface keyword instead of an address:
static (inside,outside) interface 192.168.1.50
access-list outside permit tcp any interface eq 80
HTH,
John
08-05-2009 12:24 PM
I'm not sure why you would need an ACL where the source is interface.
The interface-initiated traffic is mostly management traffic and we do not restrict it using ACLs. ACLs are used for traffic passing THROUGH the f/w, not TO or FROM it.
I have never come across a situation wherein the source is specified as the interface IP...
08-05-2009 12:33 PM
Thanks everyone for the examples. I understand why you would use this as the destination, especially if you were using DSL where the outside interface could change. But using it as the source still has me stumped. The reason I ask is that we are moving a DMZ from one company to ours and the access-list for their DMZ has such statements in it.
Joel G.
08-05-2009 12:36 PM
I'm pretty sure there won't be any hit counts on that ACL.
Check
sh access-l
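The configuration that Sushil's post and the hit-count check above describe, collected into one block as an added example (it is not taken from the thread itself). It uses pre-8.3 ASA syntax, as the thread does; the names inside, outside, outside_in and the address 192.168.5.16 come from the thread, and the extended keyword and the full show access-list form are standard ASA syntax rather than anything the posters typed.

```text
! Added example (not from the thread): ASA pre-8.3 syntax.
! Map TCP/80 on the outside interface's own address to the inside web server.
static (inside,outside) tcp interface 80 192.168.5.16 80
!
! Allow any outside host to reach port 80 on the outside interface address.
! "interface outside" follows the address if it changes (e.g. a DSL/DHCP
! assignment), so the ACL does not need editing each time it does.
access-list outside_in extended permit tcp any interface outside eq 80
access-group outside_in in interface outside
!
! Verify: the hitcnt value shown for each ACE tells you whether it ever matches.
! As the thread notes, an ACE with the interface as the *source* (e.g.
! "permit tcp interface dmz ...") is expected to stay at hitcnt=0, because an
! interface ACL filters traffic passing through the firewall, not traffic the
! firewall's own interface address originates.
show access-list outside_in
```

Checking the hit count on the inherited DMZ entries before removing them confirms, rather than assumes, that nothing depends on them.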
08-05-2009 12:55 PM
According to your example,
access-list DMZ-to-Lan permit tcp interface dmz 10.x.x.x eq ldap
Are there any security restrictions on the LDAP server that require traffic to come from the address that's assigned to the DMZ interface? It *might* be an LDAP security thing where they didn't want everything in the DMZ talking to it, OR they are making requests on behalf of everything in the DMZ? Just a thought.
HTH,
John