Questions about implementing ACLs on Inbound Ports.

manuel.dennis
Level 1

I have a requirement to implement ACLs on Inbound Ports to block and allow specific TCP, UDP, & ICMP services and to block and allow specific IP address ranges and hosts. It appears that the most efficient way to do this without having the ACL become too cumbersome to manage would be to create two or more ACLs.

How many ACLs can be supported for each port?

What is the search order; i.e. by the order listed under the port configuration or by ACL #/name?

How efficient is the implicit "deny all?" I.e. if I just "permit" the services I wish to allow, will all other services/ports be blocked? Has this been tested? Where can I find test result information?

If two ACLs are used, if a service or IP is blocked, expressly or implicitly; or expressly permitted in the first ACL reviewed, will the next ACL be checked?

4 Replies

Collin Clark
VIP Alumni

You can only apply one ACL, per direction, per port. The implicit deny all is very efficient and it works 100% of the time. I don't know of any test results but there are thousands of people who found it works the hard way. Designing your ACLs depends on source, destination, and protocol. If you're restricting protocols between certain subnets, then the ACL can get long and you should map it out before implementing it. If you're just blocking protocols, then put the permits at the top and let the implicit deny do its job or put a deny at the end of the ACL for logging purposes.

Hope it helps.

Thanks

Collin, that does help.

One follow-on, since I can only use one ACL in and one out per port, if I allow either a service or IP address host/range, will checking continue or stop?

I think that any match stops checking, but just want to be 100% accurate.

I would like to clarify one thing; you can permit/deny multiple protocols per ACL. For example you can have the following:

access-list 100 permit tcp host 10.10.10.10 any eq 25

access-list 100 deny tcp any any eq 25

access-list 100 deny tcp host 10.10.10.10 any eq 80

access-list 100 permit tcp any any eq 80

What you can not do is apply both ACL 100 & 101 to an interface in the same direction.

access-list 100 permit tcp host 10.10.10.10 any eq 25

access-list 100 deny tcp any any eq 25

access-list 101 deny tcp host 10.10.10.10 any eq 80

access-list 101 permit tcp any any eq 80

To answer your question, once a match is found the ACL processing is stopped for that packet.
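As an added illustration of the first-match and implicit-deny behaviour described in this reply (example code written for this page, not from the thread or from Cisco), the Python model below parses the ACL 100 lines quoted above and evaluates packets against them; it also accepts contiguous wildcard-mask entries, which the thread does not use.

```python
import ipaddress

# Constructed input: the ACL 100 lines quoted in the reply above. The
# implicit "deny ip any any" at the end is modelled in evaluate().
ACL_100 = """
access-list 100 permit tcp host 10.10.10.10 any eq 25
access-list 100 deny tcp any any eq 25
access-list 100 deny tcp host 10.10.10.10 any eq 80
access-list 100 permit tcp any any eq 80
"""

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Contiguous wildcard mask: invert it to obtain the subnet mask.
    addr, wildcard = tokens[0], tokens[1]
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse numbered extended ACL lines into (action, proto, src, dst, dport) entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        dport = int(rest[1]) if rest and rest[0] == "eq" else None
        entries.append((action, proto, src, dst, dport))
    return entries

def evaluate(entries, proto, src_ip, dst_ip, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for n, (action, p, src, dst, port) in enumerate(entries, 1):
        if p not in (proto, "ip"):
            continue
        if ipaddress.ip_address(src_ip) not in src or ipaddress.ip_address(dst_ip) not in dst:
            continue
        if port is not None and port != dport:
            continue
        return action, n          # (action, 1-based entry number that matched)
    return "deny", None           # implicit deny ip any any

if __name__ == "__main__":
    for pkt in [("tcp", "10.10.10.10", "192.0.2.1", 25), ("udp", "10.10.10.10", "192.0.2.1", 53)]:
        print(pkt, "->", evaluate(parse_acl(ACL_100), *pkt))
```

The second sample packet (UDP/53) matches no entry and is dropped by the implicit deny, which is why a trailing explicit deny with `log` is the only way to see such drops.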

connectone
Level 4

I typically use ACLs on the ingress. It just makes it easy to follow. The nice thing about the ASA is there is always an explicit deny unless you changed the default behaviour and made it a default allow, which is available, but I have not met anyone who used that yet.

One more thing to consider is that the value you place on the interfaces makes a difference as well. If you apply ACLs on all interfaces then no worries, but if you only apply an ACL, say, on the external (outside) interface that gets a security-level 0 and the (inside) interface gets a value of 100. If you do not apply ACLs on the ingress of the inside interface, by default, because it is more secure than the external, it will allow traffic to flow to the outside interface as long as you have the correct NATting or no NATting to allow the traffic to flow properly. So be aware of the security levels if you are using more than one interface, I guess is my point.

Frank
