Access Lists

mfruvous
Level 1

Hello,

I am a Cisco ASA newbie. I am having trouble grasping ACL concepts. We will want all outbound traffic from LAN to WAN blocked; except as we see fit to allow. I understand by default all traffic is allowed to the less secure interface. Do I understand this correctly that as soon as I apply an ACL to internal interface all other traffic will be blocked because of an implied deny statement that will then be in force by default? That the "other" traffic we want to block will never reach the implicit permit rule as long as that rule is not applied first?

Thanks,

Andrea


5 Replies

Jon Marshall
Hall of Fame

Andrea

Your overall understanding is correct, although I'm not 100% sure what you mean by -

"That the "other" traffic we want to block will never reach the implicit permit rule as long as that rule is not applied first?"

there is no implicit permit rule. What you would do is create an acl that has all the permit statements allowing only the traffic you want.

If you then apply that ACL to the inside interface only the traffic you have permitted will be allowed through. Any other traffic you have not written an explicit permit rule for will be dropped by the implicit deny any rule.

Jon

Jon,

I am viewing the rules in ASDM 6.2. I have attached what the default rules look like in ASDM. That's where I got "implicit permit." But, I think I get it... Once I am done creating the ACL I want to allow out, I create the deny rule?

Thank you very much for your help,

Andrea

Andrea

"Once I am done creating the ACL I want to allow out, I create the deny rule?"

You can if you want but if you don't there is an implicit deny anyway. I suspect the "implicit permit" you are seeing is because by default all traffic is allowed from a higher to lower security interface. Once you apply an acl to that higher interface then the implicit permit should not be relevant.

As for the acl

access-list inside_out permit tcp any any eq 80
access-list inside_out permit tcp any any eq 443

access-list inside_out_1 permit tcp any any eq 80
access-list inside_out_1 permit tcp any any eq 443
access-list inside_out_1 deny ip any any

Both of the above ACLs do the same thing, i.e. they allow HTTP and HTTPS traffic from inside to outside and then deny everything else. The only difference is that the first ACL "inside_out" relies on an implicit deny at the end of the ACL, i.e. you don't specifically enter it, and with the second ACL "inside_out_1" you explicitly add the "deny ip any any" line.

When you do a "sh access-list", inside_out_1 will also show you how many hits have been dropped on the "deny ip any any" line, whereas you wouldn't see this with the first ACL "inside_out".

Jon
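To make the first-match and implicit-deny behaviour described in Jon's two replies concrete, here is an added Python simulation. It is not Cisco code and not from anyone in this thread: it parses the two access-lists exactly as Jon posted them, walks each one top to bottom for a handful of constructed flows, stops at the first matching entry, and falls through to an implicit deny when nothing matched. Source and destination addresses are ignored because every entry here is "any any"; the "show access-list" rendering at the end is a simplified approximation of the real output, not the ASA's format.

```python
"""Toy first-match ACL evaluator for the two ASA access-lists posted above.

Added example, not Cisco code. It models three things the thread discusses:
  * an ACL is evaluated top to bottom and the first matching entry wins;
  * a flow that matches nothing hits the implicit deny at the end;
  * only an explicit "deny ip any any" line accumulates a hit count.
"""
import re

# The two ACLs exactly as posted; 'inside_out' relies on the implicit deny,
# 'inside_out_1' spells the deny out as its last line.
ASA_CONFIG = """
access-list inside_out permit tcp any any eq 80
access-list inside_out permit tcp any any eq 443
access-list inside_out_1 permit tcp any any eq 80
access-list inside_out_1 permit tcp any any eq 443
access-list inside_out_1 deny ip any any
"""

# Only the subset of ASA ACE syntax used in the thread is understood.
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+)(?: eq (?P<port>\d+))?$"
)


def parse_acls(config):
    """Return {acl_name: [ace, ...]} keeping line order, because order matters."""
    acls = {}
    for line in config.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported line: %r" % line)
        ace = m.groupdict()
        ace["port"] = int(ace["port"]) if ace["port"] else None
        ace["hitcnt"] = 0
        acls.setdefault(ace["name"], []).append(ace)
    return acls


def _matches(ace, flow):
    """flow is (protocol, destination_port); addresses are assumed 'any'."""
    proto, dport = flow
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if ace["port"] is not None and ace["port"] != dport:
        return False
    return True


def evaluate(acl, flow):
    """First match wins. Returns (action, matched_ace); matched_ace is None
    when the flow fell through to the implicit deny, which has no hit counter."""
    for ace in acl:
        if _matches(ace, flow):
            ace["hitcnt"] += 1
            return ace["action"], ace
    return "deny", None


def run_flows(config, flows):
    """Evaluate every flow against every ACL. Returns (acls, {name: verdicts})."""
    acls = parse_acls(config)
    results = {name: [evaluate(acl, f)[0] for f in flows] for name, acl in acls.items()}
    return acls, results


def show_access_list(acls):
    """Simplified rendering in the spirit of 'show access-list' (not the exact format)."""
    lines = []
    for name, acl in acls.items():
        for i, ace in enumerate(acl, 1):
            port = " eq %d" % ace["port"] if ace["port"] is not None else ""
            lines.append("access-list %s line %d %s %s %s %s%s (hitcnt=%d)" % (
                name, i, ace["action"], ace["proto"], ace["src"], ace["dst"], port, ace["hitcnt"]))
    return lines


if __name__ == "__main__":
    # Constructed sample flows: web, TLS, SSH and DNS from inside to outside.
    sample_flows = [("tcp", 80), ("tcp", 443), ("tcp", 22), ("udp", 53)]
    acls, results = run_flows(ASA_CONFIG, sample_flows)
    for name, verdicts in results.items():
        print(name, verdicts)
    print("\n".join(show_access_list(acls)))
```

Both ACLs return permit, permit, deny, deny for those four flows. After the run, the "deny ip any any" line of inside_out_1 shows hitcnt=2 (the SSH and DNS flows), while inside_out has no line at all that records those two drops, which is exactly the difference Jon points out. On a real ASA the ACL is attached to the interface with "access-group inside_out in interface inside"; until that is done, the default higher-to-lower-security permit still applies.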

Jon,

Thank you so much. You have clarified this for me. I come from a Watchguard background. The learning curve is large.

Thank you again,

Andrea

Andrea

No problem, glad to have helped and thank you for the rating.

As for the learning curve, I'm afraid a lot of Cisco products can take a bit of time to get the hang of. But feel free to post in these forums as there are a lot of knowledgeable people who will be only too happy to help.

Jon
