Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Basic question inbound / outbound and source service (ASA 5505)

Hi there,

I'm new to the ASA 5505 appliance and have a few very basic questions. Hope I get some responses and not flamed for being a total newbie. :-)

  1. Inbound versus outbound: I'm having a difficulty understanding the inbound versus outbound terminology. Can somebody please clarify? For example, if I want to block all http traffic from hosts on the inside to the internet but allow all https connections, intuitively I'd configure a rule to block outbound (= outgoing) traffic for the http protocol for the inside network. However, it seems as if I have to add this rule for inbound connections. Why is a connection from a host on the inside to a web server on the internet considered an inbound connection on the inside interface?
  2. When I add a rule, I've got a "service" field and a "Source Service" field in the "More Options" section. What's the difference? Do I have to set both to the same value?

Your help is greatly appreciated.

3 REPLIES
Red

Basic question inbound / outbound and source service (ASA 5505)

Hi Ralf,

1. You can follow this thread, there is a detailed description in there, but if you still have any questions, then let me know:

https://supportforums.cisco.com/message/3400624#3400624

2. Service means, which ports you want to specify in the ACL, lets say you want to block or allow traffic which is originated from a specific port on that IP address, so that's what the option is for.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks, Varun Rao Security Team, Cisco TAC
New Member

Basic question inbound / outbound and source service (ASA 5505)

Thanks, Varun, that was speedy!

So to clarify: If we DENY all INBOUND traffic on the INSIDE interface for the HTTP service that means that once a host on the inside networks tries to open an http packet it gets dropped when trying to enter the firewall. Is that correct?

As to my second question, I was asking more specifically why there is a Service field and a separate Source Service field.

One last remark, to really understand this in detail. Why, in the above scenario, would a DENY HTTP rule configure on the INSIDE interface but for the OUTGOING direction not block http traffic? I understand that hosts would still get into the inside interface, but shouldn't the rule than block the traffic from going out?

Or would this require the rule on the outside network?

Red

Basic question inbound / outbound and source service (ASA 5505)

Hi Ralf,

Yes, if you put a deny http, it would drop all packets for destination as http port, but be mindful that when you apply an access-list on your inside interface, it automatically activates the deny ip any any right at the bottom, you would be able to see that in the ASDM. So for the users that need be allowed access to the http, needs to be explicitly allowed http access, so your correct configuration would be:

access-list inside_access_in deny tcp host 192.168.1.1 255.255.255.255 any eq http

access-list inside_access_in permit tcp any any

access-group inside_access_in interface inside

This would block 192.168.1.1 to go to internet, but allow all others.

Second question, i haven't chceked the ASDM, but just remember out of memory, that this service option should be the protocol, whether ip,tcp,udp,esp or gre etc.

Moreover always try to block connections as closed to the source as possible, this would mean, if you want to filter traffic going from inside to outside, that should be done on the inside interface not outside.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks, Varun Rao Security Team, Cisco TAC
6661
Views
0
Helpful
3
Replies