
New Member

Question re: Outbound ACL

In a scenario where an ASA has a Guest interface (security level 50) with only a single OUT ACL applied (access-list guest.out extended deny ip any any / access-group guest.out OUT interface guest) and an outside interface (security level 0) connected to the Internet with only an IN ACL applied to it, with no rules in that ACL pertaining to traffic destined to the guest network, will devices on the guest network still be able to initiate connections to / access devices on the Internet? Is the answer 'yes' because there is no IN ACL applied to the guest interface and SPI will permit the return traffic, or is the answer 'no' because the OUT ACL on the guest interface will prevent the return traffic in spite of the IN ACL?

Thanks.

7 REPLIES
Cisco Employee

Question re: Outbound ACL

The answer is NO because your Guest interface has a lower security level than the Internet interface. By default, traffic from a low to a high security level will require a NAT statement as well as an access-list to allow traffic to go in that direction.

The OUT (outbound ACL) will be applied to traffic initiated from other interfaces going towards the Guest interface. Return traffic on the ASA firewall will not be checked, as the ASA maintains a session table; hence return traffic will always be allowed.

Cisco Employee

Question re: Outbound ACL

OK, ignore my previous reply. I thought I saw security level 100 earlier in your post for Internet interface.

Let me try again:

The answer is YES this time as traffic from high to low security level is permitted by default.

Devices on the guest network can initiate traffic towards the Internet.

New Member

Re: Question re: Outbound ACL

Thanks. I did originally have the incorrect security level in my question. So in that 1st scenario, the OUT ACL on the guest interface will not have an effect on the return traffic for connections initiated by devices on the guest network destined for the Internet - the OUT ACL only affects (denies) attempts from any device to initiate a connection into the guest network?

One more scenario, again, same guest network, except in this scenario the guest interface (sec level 50) doesn't have an OUT ACL applied, but rather an IN ACL with 2 rules,

access-list guest.out extended permit ip any any

access-list guest.out extended deny ip any any

access-group guest.out IN interface guest

And the outside interface (sec level 0) has an IN acl with no rules pertaining to traffic destined to the guest network but also an OUT acl:

access-list outside.out extended permit tcp any any eq www

access-list outside.out extended deny ip any any

access-group outside.out OUT interface outside

Will devices on the guest network be able to A) reach any device on the Internet because of the IN ACL on the guest interface, or B) be restricted to only accessing devices on the Internet via www (80/tcp) because of the OUT ACL on the outside interface?

Thanks.

New Member

Re: Question re: Outbound ACL

Hi

From your questions:

Will devices on the guest network be able to A) reach any device on the Internet because of the IN ACL on the guest interface, or B) be restricted to only accessing devices on the Internet via www (80/tcp) because of the OUT ACL on the outside interface?

access-list guest.out extended permit ip any any

access-list guest.out extended deny ip any any

access-group guest.out IN interface guest

The answer is A -

Explanation: There is an explicit deny ip any any, but since ASA behaviour is to allow high security to low (guest to Internet), the ASA will allow the return traffic, which is the adaptive security behaviour of the ASA.

New Member

Re: Question re: Outbound ACL

So in the 2nd scenario, the OUT ACL on the outside interface will have no effect on traffic from the guest network? Only the IN ACL on the guest interface affects guest device traffic?

New Member

Re: Question re: Outbound ACL

Hi

Sorry forget about my previous reply. Please see my response below instead.

Your Guest network will only be able to access port 80 on any host on the Internet, since you have explicitly blocked outbound access on the Internet (outside) interface with your extended access-list.

access-list outside.out extended permit tcp any any eq www

access-list outside.out extended deny ip any any

access-group outside.out OUT interface outside
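To make the two scenarios in this thread concrete, here is an added example (not code from the thread or from Cisco) that models how an ASA evaluates interface ACLs for a new connection: the ingress interface's IN ACL is checked first (with the implicit high-to-low permit when no IN ACL is applied), then the egress interface's OUT ACL, every ACL ends with an implicit deny, and return packets for an established connection are matched against the connection table instead of the ACLs. The interface names, security levels and ACEs are the ones from the thread; the test flows (tcp/443, udp/53, an inbound tcp/22 attempt) are constructed for illustration, and NAT is assumed to be configured correctly and is not modelled.

```python
"""Toy model of ASA interface-ACL evaluation (constructed example, not ASA code).

Rules modelled:
  * Ingress IN ACL is checked first; with no IN ACL, a new connection is
    implicitly permitted only from a higher to a lower security level.
  * Egress OUT ACL is checked next; with no OUT ACL the packet passes.
  * Every ACL ends with an implicit deny.
  * Return packets of a connection already in the connection table bypass
    both ACLs.
NAT is assumed correct and is not modelled.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    """A new connection: ingress interface, egress interface, L4 proto, dst port."""
    src_if: str
    dst_if: str
    proto: str                       # "tcp", "udp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry; proto "ip" and dport None both mean 'any'."""
    action: str                      # "permit" or "deny"
    proto: str = "ip"
    dport: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        if self.proto != "ip" and self.proto != flow.proto:
            return False
        return self.dport is None or self.dport == flow.dport


@dataclass
class Interface:
    name: str
    security_level: int
    acl_in: Optional[List[Ace]] = None    # None = no 'access-group ... in'
    acl_out: Optional[List[Ace]] = None   # None = no 'access-group ... out'


def acl_permits(acl: List[Ace], flow: Flow) -> bool:
    """First matching ACE wins; falling off the end is the implicit deny."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action == "permit"
    return False


class Asa:
    def __init__(self, *interfaces: Interface) -> None:
        self.ifs = {i.name: i for i in interfaces}
        self.conn_table: set = set()

    def ingress_allowed(self, flow: Flow) -> bool:
        ingress, egress = self.ifs[flow.src_if], self.ifs[flow.dst_if]
        if ingress.acl_in is not None:
            return acl_permits(ingress.acl_in, flow)
        return ingress.security_level > egress.security_level

    def egress_allowed(self, flow: Flow) -> bool:
        egress = self.ifs[flow.dst_if]
        return egress.acl_out is None or acl_permits(egress.acl_out, flow)

    def initiate(self, flow: Flow) -> bool:
        """Evaluate the first packet of a connection; both checks must pass."""
        allowed = self.ingress_allowed(flow) and self.egress_allowed(flow)
        if allowed:
            self.conn_table.add(flow)
        return allowed

    def return_allowed(self, flow: Flow) -> bool:
        """Replies for an established connection skip both ACLs."""
        return flow in self.conn_table


def scenario_one() -> dict:
    """Guest: OUT ACL 'deny ip any any' only. Outside: IN ACL with nothing for guest."""
    asa = Asa(
        Interface("guest", 50, acl_out=[Ace("deny")]),
        Interface("outside", 0, acl_in=[Ace("deny")]),
    )
    https = Flow("guest", "outside", "tcp", 443)     # constructed test flow
    inbound = Flow("outside", "guest", "tcp", 22)    # constructed test flow
    return {
        "guest_to_internet": asa.initiate(https),
        "return_traffic": asa.return_allowed(https),
        "internet_to_guest": asa.initiate(inbound),
    }


def scenario_two() -> dict:
    """Guest: IN ACL permit ip any any. Outside: OUT ACL permits only tcp/80."""
    asa = Asa(
        Interface("guest", 50, acl_in=[Ace("permit"), Ace("deny")]),
        Interface("outside", 0, acl_in=[Ace("deny")],
                  acl_out=[Ace("permit", "tcp", 80), Ace("deny")]),
    )
    return {
        "guest_http": asa.initiate(Flow("guest", "outside", "tcp", 80)),
        "guest_https": asa.initiate(Flow("guest", "outside", "tcp", 443)),
        "guest_dns": asa.initiate(Flow("guest", "outside", "udp", 53)),
    }


if __name__ == "__main__":
    print(scenario_one())
    print(scenario_two())
```

Running it shows scenario one permitting the guest-initiated HTTPS connection (no IN ACL on guest, 50 > 0, no OUT ACL on outside) and its return traffic, while the inbound attempt from outside is dropped; scenario two permits only tcp/80 from guest, because the OUT ACL on the outside interface is evaluated in addition to the IN ACL on guest, and HTTPS and DNS fall through to its deny. Two caveats: the connection-table shortcut as modelled assumes TCP/UDP, which the ASA tracks statefully by default, whereas ICMP replies are only tracked when `inspect icmp` is enabled; and the model does not cover NAT, which must still permit the guest-to-outside translation.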

New Member

Question re: Outbound ACL

Thanks!
