Access Lists

Answered Question

Hello,

I am a Cisco ASA newbie. I am having trouble grasping ACL concepts. We will want all outbound traffic from LAN to WAN blocked, except as we see fit to allow. I understand by default all traffic is allowed to the less secure interface. Do I understand this correctly that as soon as I apply an ACL to the internal interface all other traffic will be blocked because of an implied deny statement that will then be in force by default? That the "other" traffic we want to block will never reach the implicit permit rule as long as that rule is not applied first?

Thanks,

Andrea

Jon Marshall Wed, 10/14/2009 - 12:18

Andrea

Your overall understanding is correct, although I'm not 100% sure what you mean by -

"That the "other" traffic we want to block will never reach the implicit permit rule as long as that rule is not applied first?"

there is no implicit permit rule. What you would do is create an acl that has all the permit statements allowing only the traffic you want.

If you then apply that ACL to the inside interface only the traffic you have permitted will be allowed through. Any other traffic you have not written an explicit permit rule for will be dropped by the implicit deny any rule.

Jon

Correct Answer
Jon Marshall Wed, 10/14/2009 - 13:32

Andrea

"Once I am done creating the ACL I want to allow out, I create the deny rule?"

You can if you want but if you don't there is an implicit deny anyway. I suspect the "implicit permit" you are seeing is because by default all traffic is allowed from a higher to lower security interface. Once you apply an acl to that higher interface then the implicit permit should not be relevant.

As for the acl

access-list inside_out permit tcp any any eq 80
access-list inside_out permit tcp any any eq 443

access-list inside_out_1 permit tcp any any eq 80
access-list inside_out_1 permit tcp any any eq 443
access-list inside_out_1 deny ip any any

Both of the above ACLs do the same thing, i.e.

they allow http and https traffic from inside to outside and then deny everything else. The only difference is that the first ACL "inside_out" relies on an implicit deny at the end of the ACL, i.e. you don't specifically enter it, and with the second ACL "inside_out_1" you explicitly add the "deny ip any any" line.

When you do a "sh access-list" inside_out_1 will also show you how many hits have been dropped on the "deny ip any any" line whereas you wouldn't see this with the first acl "inside_out".

Jon
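To make the point in the two replies above concrete (first-match evaluation, the implicit deny at the end of an applied ACL, and why an explicit "deny ip any any" is the only way to see a hit count for dropped traffic), here is an added example, written for this page and not taken from Jon's post or from Cisco. It parses the two access lists exactly as shown above, runs a handful of constructed outbound flows through each one top to bottom, and reports the decisions and the drops that landed on a configured deny line. The hostnames, addresses and flows are made up; the evaluator is a deliberately simplified model (IPv4 only, destination port only, no object-groups, no stateful handling of return traffic), not ASA code.

```python
"""Added example (not from the post above): a first-match evaluator for the two
ASA access lists in the answer, to show implicit deny vs explicit deny.

Assumptions, not ASA behaviour claims: IPv4 only, destination port only,
no object-groups, no stateful return-traffic handling.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed copy of the two ACLs from the answer above.
ASA_CONFIG = """
access-list inside_out permit tcp any any eq 80
access-list inside_out permit tcp any any eq 443
access-list inside_out_1 permit tcp any any eq 80
access-list inside_out_1 permit tcp any any eq 443
access-list inside_out_1 deny ip any any
"""

# Constructed outbound flows (proto, src, dst, dst port) arriving on the inside interface.
SAMPLE_FLOWS = [
    ("tcp", "10.1.1.10", "203.0.113.5", 80),     # http  -> permitted by line 1
    ("tcp", "10.1.1.10", "203.0.113.5", 443),    # https -> permitted by line 2
    ("tcp", "10.1.1.10", "203.0.113.5", 22),     # ssh   -> nothing permits it, dropped
    ("udp", "10.1.1.10", "198.51.100.53", 53),   # dns   -> nothing permits it, dropped
    ("icmp", "10.1.1.10", "203.0.113.5", None),  # ping  -> nothing permits it, dropped
]

IMPLICIT_DENY = "implicit deny ip any any (not a configured line, no hit counter)"


@dataclass
class Ace:
    """One access-control entry; 'hits' mimics the hitcnt of 'show access-list'."""
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # None = any destination port
    hits: int = 0


def parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1])), i + 2


def parse_acls(config):
    """Group 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]' lines by name."""
    acls = {}
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] == "remark":
            continue
        i = 2
        if t[i] == "extended":      # ASA adds this keyword when it prints the config
            i += 1
        action, proto, i = t[i], t[i + 1], i + 2
        src, i = parse_addr(t, i)
        dst, i = parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        acls.setdefault(t[1], []).append(Ace(action, proto, src, dst, dport))
    return acls


def evaluate(acl, proto, src, dst, dport):
    """Walk the ACL top to bottom; the first matching ACE decides.
    Falling off the end is the implicit deny: the packet is dropped, but no
    configured line's counter increments, so nothing records the drop."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, ace in enumerate(acl, 1):
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        ace.hits += 1
        return ace.action, f"line {n}"
    return "deny", IMPLICIT_DENY


def compare(config=ASA_CONFIG, flows=SAMPLE_FLOWS):
    """Run the same flows through every ACL in config; report the decisions and how
    many drops landed on an explicit deny line (the only drops a hit counter shows)."""
    report = {}
    for name, acl in parse_acls(config).items():
        decisions = [evaluate(acl, *flow)[0] for flow in flows]
        report[name] = {
            "decisions": decisions,
            "explicit_deny_hits": sum(a.hits for a in acl if a.action == "deny"),
        }
    return report


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

Both ACLs return the same five decisions (permit, permit, deny, deny, deny); the difference is that inside_out_1 accounts for its three drops on the explicit deny line while inside_out records nothing for them. On the firewall itself the ACL only takes effect once it is bound to the interface with "access-group inside_out in interface inside", after which "show access-list inside_out_1" shows a hitcnt per line, just as Jon describes, and the implicit deny stays invisible.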

Jon Marshall Wed, 10/14/2009 - 18:56

Andrea

No problem, glad to have helped and thank you for the rating.

As for the learning curve, I'm afraid a lot of Cisco products can take a bit of time to get the hang of. But feel free to post in these forums as there are a lot of knowledgeable people who will be only too happy to help.

Jon
