I have been trying to understand the logic in ACLs, however it is still unclear to me. My setup is a security firewall which does not have internet access; all I need is to explicitly allow minimum traffic, only what is needed.
A sample of my rules looks like this (ASA code 9.8):
access-list dev_access_in extended permit tcp object sysadmin object dev eq ssh
access-list dev_access_in extended deny ip any any
access-list dev_access_out extended permit tcp object dev object sysadmin eq 8086 (influxdb port)
access-list dev_access_out extended deny ip any any
access-list prod_access_in extended permit tcp object sysadmin object dev eq ssh
access-list prod_access_in extended deny ip any any
access-list prod_access_out extended permit tcp object dev object sysadmin eq 8086 (influxdb port)
access-list prod_access_out extended deny ip any any
access-list sysadmin_access_in extended permit tcp object dev object sysadmin eq 8086
access-list sysadmin_access_in extended permit tcp object prod object sysadmin eq 8086
access-list sysadmin_access_in extended deny ip any any
access-list sysadmin_access_out extended permit tcp object sysadmin object dev eq ssh
access-list sysadmin_access_out extended permit tcp object sysadmin object prod eq ssh
access-list sysadmin_access_out extended deny ip any any
I will omit all the access-group settings here and will only show one example:
access-group sysadmin_access_out in interface sysadmin
access-group sysadmin_access_in out interface sysadmin
My example works perfectly, I can explicitly and clearly allow and disallow traffic, however there are a lot of duplicate rules.
Looking at other examples I found online and in my infrastructure, those rules are different and look simpler. I had the impression that a Cisco device would be clever and that if you tell it once, it would work out itself how to deliver the allowed traffic. Am I doing something bizarre with these ACL rules?
By applying the ruleset both inbound and outbound to the interface, you're essentially doubling it. You more than likely only need one direction. Filtering inbound is usually the easier way to go. Imagine yourself sitting on the firewall: traffic coming from a host into the firewall would be filtered inbound. By doing it this way you are filtering closest to the source (best practice). And yes, the firewall is smart enough to build holes for return traffic; it's called Stateful Packet Inspection.
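The two points in this answer, filter each flow once on the inbound side and let the connection state handle the replies, as a small Python model (an added example, not from this thread or from Cisco): it parses an inbound-only version of the question's ACLs and access-groups with first-match semantics and keeps a connection table. The host addresses, the object-name-to-interface mapping and the client ports are assumed.

```python
"""Toy model of an ASA interface ACL (first match wins) in front of a stateful
connection table. Constructed example; the addresses and nameifs are assumed."""
import re
OBJECTS = {"sysadmin": "10.50.0.10", "dev": "10.100.0.20"}   # assumed hosts per object
IFACE_OF = {ip: name for name, ip in OBJECTS.items()}         # assumed: object name == nameif
PORTS = {"ssh": 22}
# Inbound-only rewrite of the thread's rules: each flow is checked once, on the
# interface closest to its source; replies never need an ACE of their own.
CONFIG = """
access-list sysadmin_access_in extended permit tcp object sysadmin object dev eq ssh
access-list sysadmin_access_in extended deny ip any any
access-list dev_access_in extended permit tcp object dev object sysadmin eq 8086
access-list dev_access_in extended deny ip any any
access-group sysadmin_access_in in interface sysadmin
access-group dev_access_in in interface dev
"""
ACE = re.compile(r"access-list (\S+) extended (permit|deny) (tcp|ip) "
                 r"(?:object (\S+)|(any)) (?:object (\S+)|(any))(?: eq (\S+))?$")
GROUP = re.compile(r"access-group (\S+) in interface (\S+)$")

def parse(config):
    acls, groups = {}, {}
    for line in config.strip().splitlines():
        if m := ACE.match(line):
            name, action, proto, src, _, dst, _, port = m.groups()
            port = int(PORTS.get(port, port)) if port else None
            acls.setdefault(name, []).append((action, proto, src or "any", dst or "any", port))
        elif m := GROUP.match(line):
            groups[m.group(2)] = m.group(1)   # interface -> ACL applied inbound
    return acls, groups

def first_match(acl, proto, src, dst, dport):
    for action, p, s, d, port in acl:       # ACEs are evaluated top to bottom
        if p != "ip" and p != proto: continue
        if s != "any" and OBJECTS[s] != src: continue
        if d != "any" and OBJECTS[d] != dst: continue
        if port is not None and port != dport: continue
        return action
    return "deny"   # the implicit deny at the end of every ASA ACL

class Firewall:
    def __init__(self, config):
        self.acls, self.groups = parse(config)
        self.conns = set()   # stateful table of permitted flows: (src, sport, dst, dport)
    def packet(self, src, sport, dst, dport, proto="tcp"):
        if (dst, dport, src, sport) in self.conns:
            return "permit (existing connection)"   # reply matched by state, no ACL lookup
        acl = self.acls.get(self.groups.get(IFACE_OF[src]), [])  # no ACL is modelled as deny
        verdict = first_match(acl, proto, src, dst, dport)
        if verdict == "permit": self.conns.add((src, sport, dst, dport))
        return verdict
```

With this model the SSH reply from dev back to sysadmin is permitted by the connection table even though no ACE on the dev interface mentions port 22, while an unsolicited SSH connection from dev to sysadmin is still denied.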
But what if for each zone I want to strictly control what can go in and out? For a sensitive zone (100) I would allow only one service in, and one other service out. That would mean that for another, less sensitive "sysadmin" zone (50) I would implicitly allow any connection to come in, and that does not sound as secure as I would expect things to be at the moment.
I would guess "security-level" would come into play here. With the implicit "deny any", it should allow incoming traffic from more secure zones into my "sysadmin less secure zone" without me explicitly specifying twice what can come in?