Cisco Support Community
Community Member

ASA Config Question

We recently had a new ASA installed and configured by a contractor.  I have been looking through the configs and I had a question that may have a simple explanation.  Below is a sample of the config. 

access-list outside-entry extended permit ip host 16.143.99.105 any
access-list outside-entry extended permit ip host 16.143.99.106 any
access-list outbound_access extended permit ip 16.143.0.0 255.255.0.0 any
access-list outbound_access extended permit ip any any
access-list outside_entry extended permit ip any any
access-list outside extended permit ip any host 16.143.99.105
access-list outside extended permit ip any host 16.143.99.106
access-group outside in interface outside
access-group outbound_access in interface inside
access-group outside_entry in interface dmz

My question relates to the outside-entry access list and the outside_entry access list.  The outside-entry access list is not tied to any interface so are any rules associated with it even being adhered to?  With every address in the outside-entry access list also in the outside access list, it would seem that any traffic can come straight through without even hitting my DMZ.  Should the outside-entry access list actually be called the outside_entry access list?  Was a mistake made with the naming?  Any clarification on this would be appreciated.  Having that outside-entry access list not associated with an interface is confusing me.  Thank you in advance for the assistance!

4 REPLIES

ASA Config Question

access-group outside in interface outside
access-list outside extended permit ip any host 16.143.99.105
access-list outside extended permit ip any host 16.143.99.106

(This will allow anything outside to reach these two hosts, 105 and 106, on any port)

access-group outbound_access in interface inside
access-list outbound_access extended permit ip 16.143.0.0 255.255.0.0 any
access-list outbound_access extended permit ip any any

(From the inside zone the whole subnet can go out)

access-group outside_entry in interface dmz
access-list outside_entry extended permit ip any any

(DMZ is allowed to communicate outside without any restriction)

The outside-entry ACL is there but is not applied to any interface, so it is of no use.

Thanks

Ajay

Community Member

ASA Config Question

Hi Ajay,

From a security point of view, an access-list with permit ip any any is not recommended, right?

ASA Config Question

Yes, permit any any should not be there.

Community Member

ASA Config Question

Thanks for the reply Ajay. I figured out that's what those commands did. I'm just confused as to what the outside-entry access list is actually doing. It's not assigned to an interface so I don't believe it's actually doing anything. Those commands are useless. Is that correct as far as you know? Thanks again for the help!
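An added Python audit script (not from this thread or from Cisco) that checks a saved ASA config for the two issues raised above: an ACL that is defined but never bound with access-group (the outside-entry case, including the dash/underscore lookalike the poster suspects), and a bound ACL that carries permit ip any any. It only understands the extended access-list and access-group line forms quoted in the thread, and the config text is a constructed sample mirroring the post.

```python
import re
# Constructed sample mirroring the ACLs and bindings quoted in the thread (not the poster's full config).
SAMPLE_CONFIG = """
access-list outside-entry extended permit ip host 16.143.99.105 any
access-list outside-entry extended permit ip host 16.143.99.106 any
access-list outbound_access extended permit ip 16.143.0.0 255.255.0.0 any
access-list outbound_access extended permit ip any any
access-list outside_entry extended permit ip any any
access-list outside extended permit ip any host 16.143.99.105
access-list outside extended permit ip any host 16.143.99.106
access-group outside in interface outside
access-group outbound_access in interface inside
access-group outside_entry in interface dmz
"""
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")   # extended ACEs only
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")        # interface bindings

def parse_config(text):
    """Return ({acl: [(action, proto, remaining_fields)]}, {acl: [(direction, interface)]})."""
    acls, bindings = {}, {}
    for line in text.splitlines():
        line = " ".join(line.split())          # normalise whitespace before matching
        if m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            acls.setdefault(name, []).append((action, proto, rest.split()))
        elif m := GROUP_RE.match(line):
            name, direction, iface = m.groups()
            bindings.setdefault(name, []).append((direction, iface))
    return acls, bindings

def unbound_acls(text):
    """ACLs defined but never applied with access-group: dead config, like outside-entry in the thread."""
    acls, bindings = parse_config(text)
    return sorted(set(acls) - set(bindings))

def lookalike_names(text):
    """(unbound, bound) pairs whose names differ only by '-' vs '_', the likely naming typo."""
    acls, bindings = parse_config(text)
    norm = lambda n: n.replace("-", "_")
    return sorted((u, b) for u in set(acls) - set(bindings) for b in bindings if norm(u) == norm(b))

def any_any_permits(text):
    """(acl, interface, direction) for every applied ACL that holds a 'permit ip any any' entry."""
    acls, bindings = parse_config(text)
    return sorted(
        (name, iface, direction)
        for name, aces in acls.items() for action, proto, fields in aces
        if action == "permit" and proto == "ip" and set(fields) <= {"any", "any4", "any6"}
        for direction, iface in bindings.get(name, [])
    )
```

Run it against the output of show running-config access-list / access-group on the appliance; anything reported by any_any_permits on the inside or dmz interface is the open rule the replies above advise removing.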
