Access-list in ASA firewall

cciesec2011
Level 3

I have a very simple ASA5505 running code 8.2.1 with "inside" and "outside" interfaces. I have "no nat-control" in the configuration.

By default, inside network can have unrestricted access to outside network.  If so, are the two scenarios below the same?

scenario #1:

interface e1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

scenario #2:

interface e1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

access-list test permit ip any any log
access-group test in interface inside

Does it mean that "ALL" traffic is allowed to go through the inside interface in both scenarios?

6 Replies

vilaxmi
Cisco Employee

YES, the above two scenarios are the same.

By default on any Cisco firewall, traffic from a higher-security-level ifc TO a lower-security-level ifc is allowed, as long as there is a NAT rule for the traffic. Since in your case you have disabled NAT (no nat-control), traffic will pass anyway from sec-level 100 to any sec-level lower than 100.

NOTE: the name of an ifc as inside or outside is only conventional. What matters most is the sec-level of the ifc.

HTH

Vijaya

Jon Marshall
Hall of Fame

cciesec2011 wrote:

I have a very simple ASA5505 running code 8.2.1 with "inside" and "outside" interfaces. I have "no nat-control" in the configuration.

By default, inside network can have unrestricted access to outside network.  If so, are the two scenarios below the same?

scenario #1:

interface e1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

scenario #2:

interface e1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

access-list test permit ip any any log
access-group test in interface inside

Does it mean that "ALL" traffic is allowed to go through the inside interface in both scenarios?

Vijaya is correct in that to all intents and purposes it allows all traffic from the inside to the outside.

However, without wishing to be too pedantic, they are not equivalent in their effect on the firewall. With an ACL applied, the ASA has to check each packet against this ACL. In addition, if you have told the firewall to log each entry, that will use more resources.

So in terms of effect on the actual ASA they are not the same but in terms of traffic allowed they are.

Jon

Ok, let me ask the question a little bit differently. Regarding the ACL on the ASA firewall:

scenario #1:

access-list test permit ip any any log
access-group test in interface inside

scenario #2:

access-list test permit ospf any any log
access-list test permit gre any any log
access-list test permit eigrp any any log
access-list test permit ip any any log
access-group test in interface inside

Does it mean that ALL traffic will be allowed to traverse the inside interface in both scenarios?

YES

Hello,

Whenever a packet reaches an ifc on the firewall, it is checked against the ACLs applied to the ifc it's entering/leaving (depending on how the ACL is applied to the ifc) sequentially, in a TOP-DOWN approach.

BOTH scenarios remain the same, and yes, I agree that in the 2nd scenario the firewall does a lot more packet checking (against a larger number of ACLs). That may mean a little more usage of resources.

So, anyway, as long as at the bottom of the list you have a permit ip any any ACE, then ALL IP traffic entering the inside ifc (SINCE the access-list was applied in the IN direction of the inside ifc) WILL BE ALLOWED.

As per my knowledge, the limit on the number of ACEs you can put in any firewall is quite high (I don't have the numbers on top of my mind though). It obviously depends on the platform you own; higher-end boxes will have higher limits due to their capabilities (hardware).

HTH

Vijaya

Scenario #1 will not permit gre traffic since that uses IP protocol 47 and needs to be explicitly allowed with `access-list test ext permit GRE....`

Your #1 ACL only permits ip protocol traffic. OSPF and EIGRP use multicast, so they will be permitted by the permit ip ACL.
