Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

ASA with Implicit Rule

Hello All,

I have a 5510 protecting a single MPLS site. I am trying to configure some new rules to allow traffic to flow into the ASA but looking at the logging everything is being denied by a implicit rule.

How can I get past these implicit rules ?

same-security-traffic permit inter-interface

access-list in-out extended permit ip 10.3.0.0 255.255.0.0 10.0.0.0 255.0.0.0

access-list outside_access_in extended permit ip any any

Thanks

Colin

9 REPLIES

ASA with Implicit Rule

Colin,

Where and in which direction these ACLs are placed ? also need to know what you are seeing in logs.

Thanks

Ajay

Purple

ASA with Implicit Rule

Hi,

the implicit rule is the implicit deny all which is attached by default to traffic flowing from low security level to high security level.To permit some traffic you must create an ACL permitting this traffic like you did( but don't make an explicit permit all at the end otherwise all traffic will be permitted) and apply it to the low level interface inbound with the access-group command.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

ASA with Implicit Rule

Here are my logs 

ASA with Implicit Rule

Can you please also post interface configuration ?

Thanks

Ajay

ASA with Implicit Rule

Just wondering if 10.3.331 is one of the interface IP and by rule you cannot ping any interface on either the Pix or the ASA unless it is the interface that is facing you.

New Member

ASA with Implicit Rule

interface Ethernet 0/1

nameif inside

security-level 100

ip address 10.3.0.2 255.255.255.0

interface ethernet 0/0

speed 100

duplex full

nameif outside

security-level 100

ip address 10.3.1.2 255.255.255.0

Purple

ASA with Implicit Rule

Hi,

Can you post the entire config.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

ASA with Implicit Rule

Sure... here is the full config.... nothing too fancy.

ASA Version 8.2(4)

!

enable password g45TCjltcS2oGK2I encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

description connected to MPLS ROUTER GIGA0/0

speed 100

duplex full

nameif outside

security-level 100

ip address 10.3.1.2 255.255.255.0

!

interface Ethernet0/1

description connected to INTERNAL switch f1/0/48

nameif inside

security-level 100

ip address 10.3.0.2 255.255.255.0

!

interface Ethernet0/2

shutdown    

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

clock timezone MST -7

clock summer-time MDT recurring

dns server-group DefaultDNS

domain-name**********

same-security-traffic permit inter-interface

access-list in-out extended permit ip 10.3.0.0 255.255.0.0 10.0.0.0 255.0.0.0

access-list outside_access_in extended permit ip any 10.3.0.0 255.255.0.0

access-list inside_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

!

router ospf 1

redistribute static

!

route outside 0.0.0.0 0.0.0.0 10.3.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server ACS protocol tacacs+

aaa-server ACS (outside) host 10.0.0.29

key *****

aaa authentication ssh console ACS LOCAL

aaa authentication telnet console ACS LOCAL

aaa accounting ssh console ACS

aaa accounting command privilege 15 ACS

aaa accounting telnet console ACS

http server enable

http 10.3.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 10.0.57.0 255.255.255.0 outside

telnet timeout 5

ssh 10.0.57.0 255.255.255.0 outside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 10.0.5.17 source outside prefer

webvpn

username 911ab password bRI8ulPB836Ut5JJ encrypted privilege 15

username itmiss password bImuwBDu9t8S0Nje encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:9fbd6638bd309179a31fe938446d30c5

ASA with Implicit Rule

can you change security-level 100 to 0 for outside interface ?

3947
Views
0
Helpful
9
Replies
CreatePlease to create content