Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
382
Views
0
Helpful
6
Replies

Cisco ASA Access lists

Go to solution
James Hoggard
Level 1
Level 1

‎12-03-2013 05:27 AM - edited ‎03-11-2019 08:11 PM

Hi,

I have taken over a firewall that someone else managed.

Everything working well. However on the outside interface coming in i see an access list which says source-any4 destination-any4 permit service ip.

Am i correct in saying that this rule shouldn't be here as the whole point of the firewall is to be statfull and not allow just any traffic in.

The only other access list on this interface are a few static ones going to internal ip's alloing pptp and https for remote access.

Is there any reason there should be an access list like this on your outside interface going to internal?

Thanks

Labels:
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎12-03-2013 05:35 AM

Hi,

There should not really be an "access-list" on your external interface which permits all traffic with "any" source/destination address. I would understand if all TCP/UDP traffic was permitted between certain hosts which people seem to do when they dont know what ports need to be allowed.

It would be best if we could see the actual ACL configuration (naturally WITHOUT any public IP address references away)

But generally you should only allow the services that are needed and only to the hosts that are hosting them.

Naturally in some services cases like HTTP/HTTPS you probably will allow traffic from "any" source address.

Your Static NATed hosts are under biggest risk at the moment as they can be reached now with any destination port/service. The rule might open up some connectivity towards the users that use the Dynamic PAT as long as there is an existing NAT translation on the firewall for the attempted destination port.

So I would suggest only allowing the needed services to needed hosts and blocking all other traffic from the external network. Naturally if there are services that are just allowed with this "permit ip any4 any4" statement then some services might be blocked in the worst case.

- Jouni

View solution in original post

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to James Hoggard

‎12-03-2013 06:11 AM

Hi,

Seems there are 3 hosts to which traffic is allowed on certain ports and then all other traffic to them is blocked with a separate Deny rule.

Then there seems to be the rule you mentioned which allows ALL other traffic.

The rule permitting ALL traffic doesn't have anything to do with the 3 hosts 10.80.0.41 , 10.80.0.11 and HK-Remote since you have already blocked ALL traffic to them AFTER allowing the needed services. So in that sense it would also seem useless rule.

I wonder if the original firewall admin accidentally inserted a Permit instead of Deny (even though the Deny would have been useless ince there is already a Implicit Deny at the end of each ACL)

But you should remove the rule allowing ALL traffic since its clearly a risk.

- Jouni

View solution in original post

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to James Hoggard

‎12-03-2013 06:24 AM

Also,

If you have some other host than the ones mentioned in the ACL that have Static NAT or Static PAT configured then make sure that traffic to those will not start getting blocked. (As they would match to this Permit rule since they dont have their own rules)

But from what I understood you dont have any other hosts reachable through the external/public network than the ones specifically mentioned.

- Jouni

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎12-03-2013 05:35 AM

Hi,

There should not really be an "access-list" on your external interface which permits all traffic with "any" source/destination address. I would understand if all TCP/UDP traffic was permitted between certain hosts which people seem to do when they dont know what ports need to be allowed.

It would be best if we could see the actual ACL configuration (naturally WITHOUT any public IP address references away)

But generally you should only allow the services that are needed and only to the hosts that are hosting them.

Naturally in some services cases like HTTP/HTTPS you probably will allow traffic from "any" source address.

Your Static NATed hosts are under biggest risk at the moment as they can be reached now with any destination port/service. The rule might open up some connectivity towards the users that use the Dynamic PAT as long as there is an existing NAT translation on the firewall for the attempted destination port.

So I would suggest only allowing the needed services to needed hosts and blocking all other traffic from the external network. Naturally if there are services that are just allowed with this "permit ip any4 any4" statement then some services might be blocked in the worst case.

- Jouni

0 Helpful

Go to solution
James Hoggard
Level 1
Level 1
In response to Jouni Forss

‎12-03-2013 06:04 AM

Thanks for the response. Please see attached incmong ACL list on the outside interface. Not sure if you want command line. I how now disabled that rule everything still seems to be working.

Preview file
48 KB
0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to James Hoggard

‎12-03-2013 06:11 AM

Hi,

Seems there are 3 hosts to which traffic is allowed on certain ports and then all other traffic to them is blocked with a separate Deny rule.

Then there seems to be the rule you mentioned which allows ALL other traffic.

The rule permitting ALL traffic doesn't have anything to do with the 3 hosts 10.80.0.41 , 10.80.0.11 and HK-Remote since you have already blocked ALL traffic to them AFTER allowing the needed services. So in that sense it would also seem useless rule.

I wonder if the original firewall admin accidentally inserted a Permit instead of Deny (even though the Deny would have been useless ince there is already a Implicit Deny at the end of each ACL)

But you should remove the rule allowing ALL traffic since its clearly a risk.

- Jouni

0 Helpful

Go to solution
James Hoggard
Level 1
Level 1
In response to Jouni Forss

‎12-03-2013 06:17 AM

Cheers Jouni.

Thanks for the hep.

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to James Hoggard

‎12-03-2013 06:24 AM

Also,

If you have some other host than the ones mentioned in the ACL that have Static NAT or Static PAT configured then make sure that traffic to those will not start getting blocked. (As they would match to this Permit rule since they dont have their own rules)

But from what I understood you dont have any other hosts reachable through the external/public network than the ones specifically mentioned.

- Jouni

0 Helpful

Go to solution
James Hoggard
Level 1
Level 1
In response to Jouni Forss

‎12-03-2013 07:57 AM

My NAT rules are source - inside network to PAT using IP address of the interface ( outisde )  it has not affected internet connectivity all is working well.

Thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card