Access-list in ASA firewall

Unanswered Question
Jan 9th, 2010

I have a very simple ASA5505 running code 8.2.1 with "inside" and "outside" interfaces.  I have "no nat-control" in the configuration.

By default, inside network can have unrestricted access to outside network.  If so, are the two scenarios below the same?

scenario #1:

interface e1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

scenario #2:

interface e1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
access-list test permit ip any any log
access-group test in interface inside

Does it mean that "ALL" traffic is allowed to go through the inside interface in both scenarios?

vilaxmi Sat, 01/09/2010 - 12:03

YES, the above two scenarios are the same.

By default on any Cisco firewall, traffic from a higher-security-level interface TO a lower-security-level interface is allowed, as long as there is a NAT rule for the traffic. Since in your case you have disabled NAT (no nat-control), traffic will pass anyway from sec-level 100 to any sec-level lower than 100.

NOTE: naming an interface "inside" or "outside" is only conventional. What matters most is the security level of the interface.

HTH

Vijaya

Jon Marshall Sat, 01/09/2010 - 13:09

cciesec2011 wrote:

I have a very simple ASA5505 running code 8.2.1 with "inside" and "outside" interfaces.  I have "no nat-control" in the configuration.

By default, inside network can have unrestricted access to outside network.  If so, are the two scenarios below the same?

scenario #1:

interface e1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

scenario #2:

interface e1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
access-list test permit ip any any log
access-group test in interface inside

Does it mean that "ALL" traffic is allowed to go through the inside interface in both scenarios?

Vijaya is correct in that to all intents and purposes it allows all traffic from the inside to the outside.

However, without wishing to be too pedantic, they are not equivalent in their effect on the firewall. With an ACL applied, the ASA has to check each packet against this ACL. In addition, if you have told the firewall to log each entry, that will use more resources.

So in terms of effect on the actual ASA they are not the same but in terms of traffic allowed they are.

Jon

cciesec2011 Sat, 01/09/2010 - 15:05

Ok, let me ask the question a little bit differently.  With regard to the ACL on the ASA firewall:

scenario #1:

access-list test permit ip any any log
access-group test in interface inside

scenario #2:

access-list test permit ospf any any log
access-list test permit gre any any log
access-list test permit eigrp any any log
access-list test permit ip any any log
access-group test in interface inside

Does it mean that ALL traffic will be allowed to traverse the inside interface in both scenarios?

vilaxmi Sat, 01/09/2010 - 20:35

Hello,

Whenever a packet reaches an interface on the firewall, it is checked against the ACLs applied to the interface it's entering/leaving (depending on how the ACL is applied to the interface) sequentially, in a TOP DOWN approach.

BOTH scenarios remain the same, and yes, I agree that in the 2nd scenario the firewall does a lot more packet checking (against a greater number of ACLs). That may mean a little more usage of resources.

So, anyway, as long as at the bottom of the list you have a permit ip any any ACE, then ALL IP traffic entering the inside interface (SINCE the access-list was applied in the IN direction of the inside interface) WILL BE ALLOWED.

As per my knowledge, the limit on the number of ACEs you can put in any firewall is quite high (I don't have the numbers on top of my mind though). It obviously depends on the platform you own; higher-end boxes will have higher limits due to their capabilities (hardware).

HTH

Vijaya
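A small model of the top-down, first-match evaluation described above, added here as an example (not code from the thread or from Cisco): it parses the two ACLs from the follow-up question and reports which ACE each IP protocol number hits, so the difference between the scenarios shows up as the matching ACE index (and thus which ACE generates the log hit), not as a different permit/deny result.

```python
"""Toy model of ASA ACL evaluation: top-down, first match wins.
Added example, not from the thread; it models only the protocol keyword
of 'any any' ACEs (addresses, ports, object-groups are ignored)."""
from dataclasses import dataclass

# IANA protocol numbers for the keywords used in the thread.
PROTO_NUM = {"tcp": 6, "udp": 17, "gre": 47, "eigrp": 88, "ospf": 89}

@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" (wildcard) or a keyword from PROTO_NUM
    log: bool     # trailing "log" keyword present

    def matches(self, proto_num: int) -> bool:
        # "ip" matches every IP protocol number, including 47 (GRE).
        return self.proto == "ip" or PROTO_NUM[self.proto] == proto_num

def parse_acl(text: str) -> list:
    """Parse lines like 'access-list test permit gre any any log'."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        # layout: access-list <name> <action> <proto> any any [log]
        if parts[:1] == ["access-list"]:
            aces.append(Ace(parts[2], parts[3], parts[-1] == "log"))
    return aces

def evaluate(aces: list, proto_num: int) -> tuple:
    """Return (action, index of the matching ACE); None = implicit deny."""
    for i, ace in enumerate(aces):
        if ace.matches(proto_num):
            return ace.action, i
    return "deny", None   # every ASA ACL ends with an implicit deny

SCENARIO_1 = "access-list test permit ip any any log"
SCENARIO_2 = """access-list test permit ospf any any log
access-list test permit gre any any log
access-list test permit eigrp any any log
access-list test permit ip any any log"""

def compare(proto_num: int) -> tuple:
    """Evaluate one protocol number against both scenarios from the thread."""
    return (evaluate(parse_acl(SCENARIO_1), proto_num),
            evaluate(parse_acl(SCENARIO_2), proto_num))

if __name__ == "__main__":
    for name, num in PROTO_NUM.items():
        print(f"{name:5} ({num:3}): scenario1/scenario2 = {compare(num)}")
```

Dropping the final `permit ip any any` from scenario #2 leaves TCP and UDP to the implicit deny, which is the one case where the two ACLs would actually differ.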

Kent Heide Sun, 01/10/2010 - 12:37

Scenario #1 will not permit gre traffic since that uses IP protocol 47 and needs to be explicitly allowed with `access-list test ext permit GRE....`

Your #1 ACL only permits ip protocol traffic. OSPF and EIGRP use multicast so they will be permitted by the permit ip ACL.
