ASA Config Question

hartsellda
Level 1

We recently had a new ASA installed and configured by a contractor.  I have been looking through the configs and I had a question that may have a simple explanation.  Below is a sample of the config. 

access-list outside-entry extended permit ip host 16.143.99.105 any
access-list outside-entry extended permit ip host 16.143.99.106 any
access-list outbound_access extended permit ip 16.143.0.0 255.255.0.0 any
access-list outbound_access extended permit ip any any
access-list outside_entry extended permit ip any any
access-list outside extended permit ip any host 16.143.99.105
access-list outside extended permit ip any host 16.143.99.106
access-group outside in interface outside
access-group outbound_access in interface inside
access-group outside_entry in interface dmz

My question relates to the outside-entry access list and the outside_entry access list.  The outside-entry access list is not tied to any interface so are any rules associated with it even being adhered to?  With every address in the outside-entry access list also in the outside access list, it would seem that any traffic can come straight through without even hitting my DMZ.  Should the outside-entry access list actually be called the outside_entry access list?  Was a mistake made with the naming?  Any clarification on this would be appreciated.  Having that outside-entry access list not associated with an interface is confusing me.  Thank you in advance for the assistance!

4 Replies

ajay chauhan
Level 7

access-group outside in interface outside
access-list outside extended permit ip any host 16.143.99.105
access-list outside extended permit ip any host 16.143.99.106

(This will allow anything outside to reach these two hosts, 105 & 106, on any port)

access-group outbound_access in interface inside
access-list outbound_access extended permit ip 16.143.0.0 255.255.0.0 any
access-list outbound_access extended permit ip any any

(From the inside zone the whole subnet can go out)

access-group outside_entry in interface dmz
access-list outside_entry extended permit ip any any

(DMZ is allowed to communicate outside without any restriction)

The outside-entry ACL is there but not applied to any interface, which means it is of no use.

Thanks

Ajay

Hi Ajay,

From a security point of view, an access-list with permit ip any any is not recommended, no?

Yes, permit any any should not be there.

Thanks for the reply Ajay.  I figured out that's what those commands did.  I'm just confused as to what the outside-entry access list is actually doing.  It's not assigned to an interface so I don't believe it's actually doing anything.  Those commands are useless.  Is that correct as far as you know?  Thanks again for the help!
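The two points raised in this thread (an access-list that is defined but never bound with access-group, and permit ip any any entries applied to an interface) are exactly the kind of thing worth checking mechanically before trusting a contractor's config. The script below is an added example written for this thread, not Cisco code or anything from the original posts. It parses the access-list and access-group lines quoted above (embedded here as a constructed sample, not a full device export), and reports ACLs with no interface binding, bindings that reference an empty ACL, any-any permits, and look-alike names that differ only by hyphen versus underscore, which is what makes outside-entry vs outside_entry easy to confuse.

```python
import re
from collections import defaultdict

# Constructed sample: the access-list / access-group lines quoted in the thread.
# A real audit would feed the output of "show running-config access-list" and
# "show running-config access-group" instead.
SAMPLE_CONFIG = """\
access-list outside-entry extended permit ip host 16.143.99.105 any
access-list outside-entry extended permit ip host 16.143.99.106 any
access-list outbound_access extended permit ip 16.143.0.0 255.255.0.0 any
access-list outbound_access extended permit ip any any
access-list outside_entry extended permit ip any any
access-list outside extended permit ip any host 16.143.99.105
access-list outside extended permit ip any host 16.143.99.106
access-group outside in interface outside
access-group outbound_access in interface inside
access-group outside_entry in interface dmz
"""

# Only the extended-ACL and access-group forms seen in the thread are parsed.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")


def parse_config(text):
    """Return ({acl_name: [(action, proto, rest)]}, {acl_name: (direction, iface)})."""
    acls = defaultdict(list)
    bindings = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            acls[name].append((action, proto, rest))
            continue
        m = GROUP_RE.match(line)
        if m:
            name, direction, iface = m.groups()
            bindings[name] = (direction, iface)
    return dict(acls), bindings


def unbound_acls(acls, bindings):
    # Defined but never applied with access-group: its entries are never evaluated.
    return sorted(n for n in acls if n not in bindings)


def dangling_bindings(acls, bindings):
    # access-group that names an ACL with no entries (typo in the other direction).
    return sorted(n for n in bindings if n not in acls)


def any_any_permits(acls):
    # "permit ip any any" entries; reported per ACL name.
    hits = []
    for name, entries in acls.items():
        for action, proto, rest in entries:
            if action == "permit" and proto == "ip" and rest.split() == ["any", "any"]:
                hits.append(name)
    return sorted(hits)


def normalize(name):
    # Collapse hyphen/underscore and case so outside-entry and outside_entry collide.
    return re.sub(r"[-_]", "", name).lower()


def lookalike_names(acls):
    groups = defaultdict(list)
    for n in acls:
        groups[normalize(n)].append(n)
    return sorted(tuple(sorted(v)) for v in groups.values() if len(v) > 1)


def audit(text):
    acls, bindings = parse_config(text)
    return {
        "unbound": unbound_acls(acls, bindings),
        "dangling": dangling_bindings(acls, bindings),
        "any_any": any_any_permits(acls),
        "lookalikes": lookalike_names(acls),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the sample above, the audit reports outside-entry as unbound (so its two host entries have no effect, as Ajay says), flags outbound_access and outside_entry for their permit ip any any lines, and pairs outside-entry with outside_entry as look-alike names, which is the naming mistake the original question suspects.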
