Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA "inbound" access-list question, and timed ACLs

I have two Inside interfaces, Inside90 (security=90) and Inside100 (security=100)

Inside100 is used only for VPN tunnels, and occasional patch updates.

Inside90 is open to all internet browsing

I have two Outside interfaces, Outside1 and Outside2  (both have security=0).

  ( I NAT all traffic so as to use the Outside1 or Outside2 interface IP. )

Inside90 can utilized the internet at all times.  

Inside100 can only connect to other tunnels; however, every Sunday at midnight, for one hour, I will open the access-list to all internet access.

This should allow the applications on the Inside100 to retrieve patches and updates.

I use an access-list with a time range on it.

I think I do not need access-lists on the Outside1 and Outside2; let them deny any.

In the lab I place a timed ACL on the Inside100; "permit   Inside100subnet  any   Sunday 00:00 to 01:00"

That seems to work, but it gets placed on Inside100 inbound.   Shouldn't it be placed on Inside100 outbound?

I get confused on the ASDM GUI, where it says "inbound".  

Is my logic correct, or am I opening a giant hole in my ASA?

And why is it "inbound"?

Many thanks.

Everyone's tags (3)
2 ACCEPTED SOLUTIONS

Accepted Solutions
Super Bronze

ASA "inbound" access-list question, and timed ACLs

Hi,

The terms "inbound" and "outbound" when related to the "access-group" command that attaches ACLs to interfaces have to be considered from the perspective of the interface in question.

If you have an "inside" interface with an ACL attached in the direction "in" it will mean that it controls all traffic inbound to that interface. If you have the ACL attached in the direction "out" it will mean that it controls all traffic outbound from that interface towards any network behind that interface.

You might first think that inbound traffic is something coming from an external network and outbound would be something leaving from your network. Well it might be true if it was consired with that logic BUT when we are looking at the interfaces themselves it doesnt work that way, its quite the opposite.

Hopefully that made any sense

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni

New Member

ASA "inbound" access-list question, and timed ACLs

Hey Jimmyc

Try this

Creat a time range

time-range 10

periodic Sunday 00:00 to 01:00

creat a access list

access list 101 permit ipsec any any

access list 101 permit udp any any iskamp

access list 101 per ip any time-range 10

applly this to inbound to the inside interface

Hope this help you

Thanks

3 REPLIES
Super Bronze

ASA "inbound" access-list question, and timed ACLs

Hi,

The terms "inbound" and "outbound" when related to the "access-group" command that attaches ACLs to interfaces have to be considered from the perspective of the interface in question.

If you have an "inside" interface with an ACL attached in the direction "in" it will mean that it controls all traffic inbound to that interface. If you have the ACL attached in the direction "out" it will mean that it controls all traffic outbound from that interface towards any network behind that interface.

You might first think that inbound traffic is something coming from an external network and outbound would be something leaving from your network. Well it might be true if it was consired with that logic BUT when we are looking at the interfaces themselves it doesnt work that way, its quite the opposite.

Hopefully that made any sense

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni

New Member

ASA "inbound" access-list question, and timed ACLs

Thanks Jouni, but not quite clear yet.       Please allow me to restate the question.

1.  What would be the correct configuration for Inside100 to block all traffic, inbound and outbound, except for permited L2L VPNs?   (The default would allow websurfing, which I don't want)

2.  What would be the correct ACL to apply so that one hour a week, I do allow websurfing, and where would it be applied?

Thanks.

New Member

ASA "inbound" access-list question, and timed ACLs

Hey Jimmyc

Try this

Creat a time range

time-range 10

periodic Sunday 00:00 to 01:00

creat a access list

access list 101 permit ipsec any any

access list 101 permit udp any any iskamp

access list 101 per ip any time-range 10

applly this to inbound to the inside interface

Hope this help you

Thanks

292
Views
0
Helpful
3
Replies