Cisco Support Community
Community Member

ACL duplicates in case of explicit deny

Dear community

I have been trying to understand the logic in ACLs, however it is still unclear to me. My setup is a security firewall which does not have internet access; all I need is to explicitly allow minimum traffic, only what is needed.

A sample of my rules looks like this (ASA code 9.8):

access-list dev_access_in extended permit tcp object sysadmin object dev eq ssh
access-list dev_access_in extended deny ip any any
access-list dev_access_out remark influxdb port
access-list dev_access_out extended permit tcp object dev object sysadmin eq 8086
access-list dev_access_out extended deny ip any any
access-list prod_access_in extended permit tcp object sysadmin object dev eq ssh
access-list prod_access_in extended deny ip any any
access-list prod_access_out remark influxdb port
access-list prod_access_out extended permit tcp object dev object sysadmin eq 8086
access-list prod_access_out extended deny ip any any
access-list sysadmin_access_in extended permit tcp object dev object sysadmin eq 8086
access-list sysadmin_access_in extended permit tcp object prod object sysadmin eq 8086
access-list sysadmin_access_in extended deny ip any any
access-list sysadmin_access_out extended permit tcp object sysadmin object dev eq ssh
access-list sysadmin_access_out extended permit tcp object sysadmin object prod eq ssh
access-list sysadmin_access_out extended deny ip any any

I will omit all the access-group settings here and will only show one example:

access-group sysadmin_access_out in interface sysadmin
access-group sysadmin_access_in out interface sysadmin

My example works perfectly, I can explicitly and clearly allow and disallow traffic, however there are a lot of duplicate rules.

Looking at other examples I found online and in my infrastructure, those rules are different and look simpler. I had an impression that Cisco device would be clever and if you tell it once, it will work out itself how to deliver the allowed traffic. Am I doing something bizarre with these ACL rules?

3 REPLIES


By applying the ruleset both inbound and outbound to the interface you're essentially doubling it. You more than likely only need one direction. Filtering inbound is usually the easier way to go. Imagine yourself sitting on the firewall and traffic coming from a host into the firewall would be filtered inbound. By doing it this way you are filtering closest to the source (best practice). And yes the firewall is smart enough to build holes for return traffic--it's called Stateful Packet Inspection.

Community Member


But what if for each zone I want to strictly control what can go in and out? For the sensitive zone (100) I would allow only one service in, and one other service out. That would mean that for another, less sensitive "sysadmin" zone (50) I implicitly allow any connection to come in, and that does not sound as secure as I would expect things to be at the moment.

I would guess "security-level" would come into play here. With the implicit "deny any", it should allow incoming traffic from more secure zones into my "sysadmin less secure zone" without me explicitly specifying twice what can come in?


Correct. Higher security zones can talk to lower ones (with or without an ACL). From lower security zones to higher ones, some sort of NAT will need to take place along with an ACL permitting traffic.
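To make the two replies concrete (first match wins, every ACL ends in an implicit deny, the security-level rule only applies when no ACL is bound, and replies ride on connection state), here is a small Python model of ASA interface ACL evaluation. It is an added example written for this thread, not Cisco code, and it deliberately models only those four behaviours (no NAT, no same-security-traffic, no object groups). The addresses, the flows and the dev access-group bindings (built by analogy with the sysadmin ones the poster showed) are constructed assumptions. It runs the poster's doubled ruleset and an inbound-only version of it over the same flows and shows they reach the same verdicts, then runs the same flows with no ACL at all so that only security levels decide.

```python
"""Toy model of ASA interface ACL evaluation (added example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: the objects named in the thread, with made-up addresses,
# and the two interfaces with the security levels quoted in the thread.
OBJECTS = {"sysadmin": "10.50.0.10", "dev": "10.100.0.20"}
SERVICES = {"ssh": 22}
INTERFACES = {"sysadmin": (50, "10.50."), "dev": (100, "10.100.")}  # name -> (level, prefix)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    sport: Optional[int] = None   # set only on reply packets
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "ip"
    src: str               # resolved address or "any"
    dst: str
    dport: Optional[int]

ACL_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) "
                    r"(?:object (\S+)|(any)) (?:object (\S+)|(any))(?: eq (\S+))?$")
GROUP_RE = re.compile(r"access-group (\S+) (in|out) interface (\S+)$")

def _resolve(obj, any_):
    return "any" if any_ else OBJECTS[obj]

def _port(tok):
    return None if tok is None else (SERVICES.get(tok) or int(tok))

def parse_config(config):
    """Return ({acl name: [Rule, ...]}, {(interface, direction): acl name})."""
    acls, groups = {}, {}
    for line in config.strip().splitlines():
        line = line.strip()
        if not line or " remark " in line:
            continue
        if (m := ACL_RE.match(line)):
            name, action, proto, s_obj, s_any, d_obj, d_any, port = m.groups()
            acls.setdefault(name, []).append(
                Rule(action, proto, _resolve(s_obj, s_any), _resolve(d_obj, d_any), _port(port)))
        elif (m := GROUP_RE.match(line)):
            name, direction, iface = m.groups()
            groups[(iface, direction)] = name
        else:
            raise ValueError(f"unsupported line: {line}")
    return acls, groups

class Firewall:
    def __init__(self, config):
        self.acls, self.groups = parse_config(config)
        self.conns = set()   # connection table: (client, server, server port)

    @staticmethod
    def _iface(ip):
        return next(n for n, (_, pfx) in INTERFACES.items() if ip.startswith(pfx))

    @staticmethod
    def _first_match(rules, flow):
        for r in rules:
            if r.proto not in ("ip", flow.proto): continue
            if r.src != "any" and r.src != flow.src: continue
            if r.dst != "any" and r.dst != flow.dst: continue
            if r.dport is not None and r.dport != flow.dport: continue
            return r.action == "permit"   # first matching entry decides
        return False                      # implicit deny ip any any at the end of every ACL

    def allowed(self, flow):
        """Decide one packet; a reply to an established connection never consults an ACL."""
        if flow.sport is not None and (flow.dst, flow.src, flow.sport) in self.conns:
            return True   # stateful inspection lets return traffic through
        ingress, egress = self._iface(flow.src), self._iface(flow.dst)
        inbound = self.groups.get((ingress, "in"))
        if inbound is not None:
            ok = self._first_match(self.acls[inbound], flow)
        else:   # no ACL bound: a higher security level may initiate to a lower one, not the reverse
            ok = INTERFACES[ingress][0] > INTERFACES[egress][0]
        outbound = self.groups.get((egress, "out"))
        if ok and outbound is not None:
            ok = self._first_match(self.acls[outbound], flow)
        if ok:
            self.conns.add((flow.src, flow.dst, flow.dport))
        return ok

# The poster's layout for two zones, filtered in both directions (dev bindings assumed by analogy).
DOUBLED = """
access-list dev_access_in extended permit tcp object sysadmin object dev eq ssh
access-list dev_access_in extended deny ip any any
access-list dev_access_out extended permit tcp object dev object sysadmin eq 8086
access-list dev_access_out extended deny ip any any
access-list sysadmin_access_in extended permit tcp object dev object sysadmin eq 8086
access-list sysadmin_access_in extended deny ip any any
access-list sysadmin_access_out extended permit tcp object sysadmin object dev eq ssh
access-list sysadmin_access_out extended deny ip any any
access-group dev_access_out in interface dev
access-group dev_access_in out interface dev
access-group sysadmin_access_out in interface sysadmin
access-group sysadmin_access_in out interface sysadmin
"""
# The same policy filtered inbound only; the implicit deny replaces the explicit one.
INBOUND_ONLY = """
access-list dev_access_out extended permit tcp object dev object sysadmin eq 8086
access-list sysadmin_access_out extended permit tcp object sysadmin object dev eq ssh
access-group dev_access_out in interface dev
access-group sysadmin_access_out in interface sysadmin
"""
NO_ACL = ""   # nothing bound: security levels alone decide

SYSADMIN, DEV = OBJECTS["sysadmin"], OBJECTS["dev"]
FLOWS = {   # constructed flows, evaluated in this order so the reply follows its connection
    "sysadmin ssh to dev":       Flow(SYSADMIN, DEV, 22),
    "ssh reply dev to sysadmin": Flow(DEV, SYSADMIN, 40000, sport=22),
    "dev 8086 to sysadmin":      Flow(DEV, SYSADMIN, 8086),
    "sysadmin 8086 to dev":      Flow(SYSADMIN, DEV, 8086),
    "dev ssh to sysadmin":       Flow(DEV, SYSADMIN, 22),
}

def decisions(config):
    """Run the constructed flows through one config and return the verdict per flow."""
    fw = Firewall(config)
    return {name: fw.allowed(flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, cfg in (("doubled", DOUBLED), ("inbound only", INBOUND_ONLY), ("no ACL", NO_ACL)):
        print(label, decisions(cfg))
```

With both rulesets the verdicts are identical: the two permitted services pass, the ssh reply from dev passes on connection state without any outbound entry, and everything else hits the deny. With no ACL bound, the sysadmin (50) zone cannot initiate to dev (100) but dev can initiate anything towards sysadmin, which is the behaviour the last reply describes; in that run the "reply" packet is judged as a fresh dev-to-sysadmin connection because no state was ever built for it.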
