01-09-2010 10:56 AM - edited 03-11-2019 09:55 AM
I have a very simple ASA5505 running code 8.2.1 with "inside" and "outside" interfaces. I have "no nat-control" in the configuration.
By default, the inside network can have unrestricted access to the outside network. If so, are the two scenarios below the same?
scenario #1:
interface e1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
scenario #2:
interface e1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
access-list test permit ip any any log
access-group test in interface inside
Does it mean that "ALL" traffic is allowed to go through the inside interface in both scenarios?
01-09-2010 12:03 PM
YES, the above two scenarios are the same.
By default on any Cisco firewall, traffic from a higher-security-level ifc TO a lower-security-level one is allowed, as long as there is a NAT rule for the traffic. Since in your case you have disabled NAT (no nat-control), traffic will pass anyway from sec-level 100 to any sec-level lower than 100.
NOTE: naming an ifc inside or outside is only conventional. What matters most is the sec-level of the ifc.
HTH
Vijaya
01-09-2010 01:09 PM
cciesec2011 wrote:
I have a very simple ASA5505 running code 8.2.1 with "inside" and "outside" interfaces. I have "no nat-control" in the configuration.
By default, the inside network can have unrestricted access to the outside network. If so, are the two scenarios below the same?
scenario #1:
interface e1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
scenario #2:
interface e1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
access-list test permit ip any any log
access-group test in interface inside
Does it mean that "ALL" traffic is allowed to go through the inside interface in both scenarios?
Vijaya is correct in that, to all intents and purposes, it allows all traffic from the inside to the outside.
However, without wishing to be too pedantic, they are not equivalent in their effect on the firewall. With an ACL applied, the ASA has to check each packet against that ACL. In addition, if you have told the firewall to log each entry, that will use more resources.
So in terms of effect on the actual ASA they are not the same, but in terms of traffic allowed they are.
Jon
01-09-2010 03:05 PM
OK, let me ask the question a little bit differently. With regard to the ACL on the ASA firewall:
scenario #1:
access-list test permit ip any any log
access-group test in interface inside
scenario #2:
access-list test permit ospf any any log
access-list test permit gre any any log
access-list test permit eigrp any any log
access-list test permit ip any any log
access-group test in interface inside
Does it mean that ALL traffic will be allowed to traverse the inside interface in both scenarios?
01-09-2010 08:28 PM
YES
01-09-2010 08:35 PM
Hello,
Whenever a packet reaches an ifc on the firewall, it is checked against the ACLs applied to the ifc it is entering/leaving (depending on how the ACL is applied to the ifc), sequentially in a TOP-DOWN approach.
BOTH scenarios remain the same, and yes, I agree that in the 2nd scenario the firewall does a lot more packet checking (against a larger number of ACLs). That may mean a little more usage of resources.
So, anyway, as long as at the bottom of the list you have a permit ip any any ACE, then ALL IP traffic entering the inside ifc (SINCE the access-list was applied in the IN direction on the inside ifc) WILL BE ALLOWED.
As far as I know, the limit on the number of ACEs you can put in any firewall is quite high (I don't have the numbers at the top of my mind though). It obviously depends on the platform you own; higher-end boxes will have higher limits due to their (hardware) capabilities.
HTH
Vijaya
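To make the top-down, first-match evaluation described above concrete, here is a small model of it, added for this thread and not code from Cisco or from any poster. It assumes only the "any any" ACE form used in the scenarios, and that the ASA "ip" keyword matches every IP protocol number while named protocols match only their own IANA number.

```python
# Added example (not from this thread): minimal model of an ASA walking an
# interface ACL top-down and stopping at the first matching ACE, applied to
# the two scenarios above with constructed sample packets.
from typing import List, Optional, Tuple

# IANA IP protocol numbers; "ip" is the ASA keyword for any IP protocol.
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "eigrp": 88, "ospf": 89}

def parse_acl(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse 'access-list NAME [extended] permit|deny PROTO any any [log]'.
    Only the 'any any' form used in the thread is modelled (no subnets/ports)."""
    aces = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        name, rest = tok[1], tok[2:]
        if rest[0] in ("extended", "ext"):
            rest = rest[1:]
        action, proto = rest[0], rest[1].lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"bad ACE: {line}")
        aces.append((name, action, proto))
    return aces

def ace_matches(ace_proto: str, pkt_proto: int) -> bool:
    """'ip' matches every IP protocol; a named or numeric protocol matches
    only its own protocol number."""
    if ace_proto == "ip":
        return True
    want = PROTO[ace_proto] if ace_proto in PROTO else int(ace_proto)
    return want == pkt_proto

def evaluate(aces, pkt_proto: int) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; returns (action, index of matching ACE).
    Falling off the end is the implicit deny at the bottom of every ACL."""
    for i, (_name, action, proto) in enumerate(aces):
        if ace_matches(proto, pkt_proto):
            return action, i
    return "deny", None

SCENARIO_1 = ["access-list test permit ip any any log"]
SCENARIO_2 = ["access-list test permit ospf any any log",
              "access-list test permit gre any any log",
              "access-list test permit eigrp any any log",
              "access-list test permit ip any any log"]

def compare() -> dict:
    """Run every sample protocol through both scenarios: same verdict each time,
    but scenario 2 hits an earlier, protocol-specific ACE for OSPF/GRE/EIGRP."""
    a1, a2 = parse_acl(SCENARIO_1), parse_acl(SCENARIO_2)
    return {n: (evaluate(a1, p), evaluate(a2, p)) for n, p in PROTO.items()}
```

The index returned by `evaluate` is the ACE whose hit count (and `log` entry) would be charged, which is the only observable difference between the two scenarios.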
01-10-2010 12:37 PM
Scenario #1 will not permit GRE traffic, since that uses IP protocol 47 and needs to be explicitly allowed with `access-list test ext permit GRE....`
Your #1 ACL only permits IP protocol traffic. OSPF and EIGRP use multicast, so they will be permitted by the permit ip ACL.