Question re: Outbound ACL

Private
Level 1

In a scenario where an ASA has a Guest interface (security level 50) with only a single OUT ACL applied (access-list guest.out extended deny ip any any / access-group guest.out OUT interface guest) and an outside interface (security level 0) connected to the Internet with only an IN ACL applied to it, with no rules in the ACL pertaining to traffic destined to the guest network, will devices on the guest network still be able to initiate connections / access devices on the Internet? Is the answer 'yes' because there is no IN ACL applied to the guest interface and SPI will permit the return traffic, or is the answer 'no' because the OUT ACL on the guest interface will prevent the return traffic in spite of the IN ACL?

Thanks.

7 Replies

Jennifer Halim
Cisco Employee

The answer is NO because your Guest interface has a lower security level than the Internet interface. By default, traffic from a low to a high security level will require a NAT statement as well as an access-list to allow traffic to go in that direction.

The OUT (outbound) ACL will be applied to traffic initiated from other interfaces going towards the Guest interface. Return traffic on the ASA firewall will not be checked, as the ASA maintains a session table; hence return traffic will always be allowed.

OK, ignore my previous reply. I thought I saw security level 100 earlier in your post for Internet interface.

Let me try again:

The answer is YES this time as traffic from high to low security level is permitted by default.

Devices on the guest network can initiate traffic towards the Internet.

Thanks. I did originally have the incorrect security level in my question. So in that 1st scenario, the OUT ACL on the guest interface will not have an effect on the return traffic initiated by devices on the guest network destined for the Internet - the OUT ACL only affects (denies) attempts from any device to initiate a connection into the guest network?

One more scenario, again, same guest network, except in this scenario the guest interface (sec level 50) doesn't have an OUT ACL applied, but rather an IN ACL with 2 rules,

access-list guest.out extended permit ip any any

access-list guest.out extended deny ip any any

access-group guest.out IN interface guest

And the outside interface (sec level 0) has an IN ACL with no rules pertaining to traffic destined to the guest network, but also an OUT ACL:

access-list outside.out extended permit tcp any any eq www

access-list outside.out extended deny ip any any

access-group outside.out OUT interface outside

Will devices on the guest network be able to A) reach any device on the Internet because of the IN ACL on the guest interface, or B) be restricted to only accessing devices on the Internet via www (80/tcp) because of the OUT ACL on the outside interface?

Thanks.

Hi

From your questions:

Will devices on the guest network be able to A) reach any device on the Internet because of the IN ACL on the guest interface, or B) be restricted to only accessing devices on the Internet via www (80/tcp) because of the OUT ACL on the outside interface?

access-list guest.out extended permit ip any any

access-list guest.out extended deny ip any any

access-group guest.out IN interface guest

The answer is A -

Explanation: There is an explicit deny ip any any, but since ASA behaviour is to allow high security to low (guest to Internet), the ASA will allow the return traffic, which is the adaptive security behavior of the ASA.

So in the 2nd scenario, the OUT ACL on the outside interface will have no effect on traffic from the guest network? Only the IN ACL on the guest interface affects guest device traffic?

Hi

Sorry forget about my previous reply. Please see my response below instead.

Your Guest network will only work or can access port 80 to any host on the Internet, since you have explicitly blocked the outbound access from the Internet (outside interface) in your extended access-list.

access-list outside.out extended permit tcp any any eq www

access-list outside.out extended deny ip any any

access-group outside.out OUT interface outside

Thanks!
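As an added illustration (not code from this thread or from Cisco), here is a small Python model of the evaluation order the replies describe: a new connection is checked against the ingress interface's IN ACL (or the security-level default when none is applied), then against the egress interface's OUT ACL, while reply packets are matched against the connection table and never consult an ACL. It replays both scenarios above; the interface names, the (action, proto, dport) ACE format and modelling the outside IN ACL as empty (no ACE matches traffic destined to guest) are simplifications assumed here.

```python
from collections import namedtuple

# A first packet: ingress interface, egress interface, protocol, destination port (0 = any)
Flow = namedtuple("Flow", "src_if dst_if proto dport")
# An interface: security level plus its IN/OUT ACEs as (action, proto, dport); None = no ACL applied
Interface = namedtuple("Interface", "level acl_in acl_out", defaults=(None, None))

def acl_permits(acl, f):
    """First matching ACE wins; 'ip' matches any protocol and dport 0 any port."""
    for action, proto, dport in acl:
        if proto in ("ip", f.proto) and dport in (0, f.dport):
            return action == "permit"
    return False  # implicit deny at the end of every ACL

class Asa:
    def __init__(self, interfaces):
        self.ifs = interfaces
        self.sessions = set()  # constructed stand-in for the connection (state) table

    def new_connection(self, f):
        ingress, egress = self.ifs[f.src_if], self.ifs[f.dst_if]
        # Ingress: IN ACL if applied, else security-level default (higher to lower permitted)
        if ingress.acl_in is not None:
            ok = acl_permits(ingress.acl_in, f)
        else:
            ok = ingress.level > egress.level
        # Egress: an OUT ACL applied on the exit interface is evaluated as well
        if ok and egress.acl_out is not None:
            ok = acl_permits(egress.acl_out, f)
        if ok:
            self.sessions.add(f)
        return ok

    def reply_allowed(self, f):
        return f in self.sessions  # replies match the connection table; no ACL is consulted

def scenario_one():
    """Guest: only OUT 'deny ip any any'. Outside: IN ACL with nothing for guest (modelled as empty)."""
    asa = Asa({"guest": Interface(50, acl_out=[("deny", "ip", 0)]),
               "outside": Interface(0, acl_in=[])})
    web = Flow("guest", "outside", "tcp", 443)
    return (asa.new_connection(web), asa.reply_allowed(web),
            asa.new_connection(Flow("outside", "guest", "tcp", 22)))  # (True, True, False)

def scenario_two():
    """Guest: IN 'permit ip any any'. Outside: OUT permits only tcp/80, then denies all."""
    asa = Asa({"guest": Interface(50, acl_in=[("permit", "ip", 0), ("deny", "ip", 0)]),
               "outside": Interface(0, acl_in=[], acl_out=[("permit", "tcp", 80), ("deny", "ip", 0)])})
    return (asa.new_connection(Flow("guest", "outside", "tcp", 80)),
            asa.new_connection(Flow("guest", "outside", "tcp", 443)))  # (True, False)
```

scenario_one shows the guest OUT ACL blocking only connections initiated toward guest, and scenario_two shows the outside OUT ACL narrowing guest-initiated traffic to tcp/80, matching the final answer in the thread.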
