ASA 5510 7.2(3) - Access List Question

jwilson
Level 1

Greetings,

I'm running a Cisco ASA 5510 with version 7.2(3) and I've been tasked with permitting some inbound & outbound TCP & UDP ports to/from a specified address space on the internet.

I'm still a Cisco noob and all the training resources I've gone through cover access lists on a router, but not on an ASA, and particularly an older version such as 7.2.  I'm reaching out here in hopes that I can find some guidance so I won't destroy all communication on my network, hah.

In looking at my current ASA config I see other access lists already configured so I'm assuming I can just set up a new access list in similar fashion, but I wanted to verify here first.

Anyone care to lend their expertise?

Accepted Solution

On an ASA your interfaces are assigned security levels. These security levels indicate the trustworthiness of the interface from another interface. Security Levels are from 0 to 100. By default, your inside interface will have a security level of 100 and your outside interface will have a security level of 100. That leaves you with 1 - 99 to use for whatever purpose you want.

1. A higher-security level interface can always access a lower-security level interface (unless specifically blocked by ACL)

2. A lower-security level interface will need specific entries in an ACL to access a higher-security level interface.

3. Interfaces with the same security-level cannot talk to one another by default (although it is possible).

Example 1:

Allow host 100.1.1.1 access to a web server on the inside network

access-list inside_access_in permit tcp host 100.1.1.1 host 192.168.5.10 eq 80

access-group inside_access_in in outside

This will allow host 100.1.1.1 on the outside access to 192.168.5.10 (Web Server) via port 80.

You also need to remember where traffic is initiated from. Generally, you will have your outbound wide open, and return traffic will be granted for traffic that was initiated from inside the ASA, or you will need to have a specific entry in an ACL.

Example 2:

You have a DMZ network with security-level 50 and an inside network with security-level 100.

By default, the inside interface will be able to access anything on the DMZ network. But for traffic initiated from the DMZ to the inside interface you will need an ACL entry.

Where traffic is initiated from is very important.

Hope that helped.
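A small checker for the rules in this answer, added here as an example and not part of the original thread: it parses ASA-style access-list and access-group lines and, when no ACL is bound to the ingress interface, falls back to the security-level default. The interface levels (inside 100, dmz 50, outside 0) and the sample config are constructed assumptions; only host/any/network-mask addresses and numeric ports are handled.

```python
import ipaddress
# Constructed interface security levels (an assumption made for this example).
SECURITY_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'NET MASK'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_config(text):
    """Return ({acl name: [(action, proto, src, dst, dport)]}, {interface: acl name})."""
    acls, bindings = {}, {}
    for line in text.splitlines():
        t = line.split()
        if t and t[0] == "access-list":
            rest = t[3:] if t[2] == "extended" else t[2:]
            action, proto, rest = rest[0], rest[1], rest[2:]
            src, rest = parse_addr(rest)
            dst, rest = parse_addr(rest)
            # Only numeric 'eq PORT' is handled; no port means "any port".
            dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
            acls.setdefault(t[1], []).append((action, proto, src, dst, dport))
        elif t and t[0] == "access-group":  # access-group NAME in interface IFACE
            bindings[t[4]] = t[1]
    return acls, bindings

def is_permitted(acls, bindings, in_if, out_if, proto, src, dst, dport=None):
    """Decide whether a new connection entering in_if and leaving out_if is allowed."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    name = bindings.get(in_if)
    if name is not None:
        # An inbound ACL on the ingress interface replaces the security-level default:
        # first matching entry wins, with an implicit deny at the end.
        for action, ace_proto, ace_src, ace_dst, ace_port in acls[name]:
            if (ace_proto in (proto, "ip") and src_ip in ace_src
                    and dst_ip in ace_dst and ace_port in (None, dport)):
                return action == "permit"
        return False
    # No ACL bound: higher level reaches lower; lower-to-higher and same-level are blocked.
    return SECURITY_LEVELS[in_if] > SECURITY_LEVELS[out_if]

# Constructed sample config in the shape of the accepted answer's Example 1.
CONFIG = """\
access-list outside_access_in extended permit tcp host 100.1.1.1 host 192.168.5.10 eq 80
access-group outside_access_in in interface outside
"""
ACLS, BINDINGS = parse_config(CONFIG)
```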

6 Replies

andrew.prince
Level 10

ACLs are relatively the same on the ASA as they are on routers, but more specific.  You just need to remember the traffic flow and the basic rules.

1) All traffic will flow from a higher security interface to a lower security interface by default.

2) All traffic will be blocked from a lower security interface to a higher security interface by default.

3) You must specifically state which traffic (by ACL) is allowed in the case of point 2

HTH

jwilson
Level 1

Thanks to the pair of you for the quick responses. 

Three follow-up questions if you'll humor me:

1.  John, in your example -

access-list inside_access_in permit tcp host 100.1.1.1 host 192.168.5.10 eq 80

access-group inside_access_in in outside

Are these items in bold just a variable name for the access list?  The training materials I'm studying use a numbering system to identify access lists, so I'm just wondering if the ASA (or older IOS) uses this variable name identifier.

2.  The current configuration was performed by my predecessor and it appears he's already set up some access lists.   I've copied the following lines from his config -

access-list INCOMING-TRAFFIC extended permit tcp host **.**.**.** host ##.##.##.## eq 1024

access-group INCOMING-TRAFFIC in interface outside

Where the IP address noted in ## is the public address of my router, could I substitute "any" instead of the host address of my router?

3.  Some of the access lists configured have a subnet mask following the public IP address being allowed and others don't.  Any pros/cons to this?

Hi,

1) yes, these are the names of the ACL. You could use a number if you wished to, but it is easier to understand what it does with a well chosen name.

2) you could, but you must be as specific as you can for security reasons

3) the network masks are like the wildcard masks in IOS ACLs; they specify a range of addresses

Regards.

Alain

Don't forget to rate helpful posts.

If you're talking about "host 10.10.10.1" that basically means "10.10.10.1 255.255.255.255". The host keyword automatically includes the 255.255.255.255 so to speak. You can also give a specific IP address a name.

The one thing I would caution you on is, PLEASE make sure to not use names for everything. It can get very confusing and time consuming, when you're trying to see what an entry in an ACL does, and it's nothing but names. You then have to look up what the actual name is. My predecessor did that, and it's soooooo annoying.

For example: access-list blah permit ip Saturn Pluto

It gets annoying, because, if you don't know what those are you have to look them up. Now, there is nothing wrong with using names, just try to make them as plain as you can, and as necessary.

You can also create object-groups which group together like items.

Let's say you wanted to allow in several networks from the outside into a server on the inside.

object-group network Access-WebServer
 network-object 100.1.1.0 255.255.255.0
 network-object 100.1.2.0 255.255.255.0
 network-object 100.1.3.0 255.255.255.0
 network-object 100.1.4.0 255.255.255.0

access-list outside_access_in permit ip object-group Access-WebServer host 192.168.10.1

If you do an 'object-group ?' you will see you can create all kinds of object groups for Networks, Protocols, Services such as TCP/UDP, etc.

jwilson
Level 1

Wanted to thank you all again for the information.  Very helpful!
