Trying to understand implicit rules on ASA5505

informaticien9
Level 1

Hi there,

I have two VLANs: VLAN 1 = inside, VLAN 2 = outside.

I need to implement ACL rules using ASDM 6.5 with this concept:

1- Deny all the traffic from inside to outside, except for: HTTP, HTTPS, POP3, SMTP, IMAP4, FTP, FTP-DATA, DNS, which will be authorised to access the internet, email and an external FTP server

2- Deny all the traffic from outside to inside

Is it correct, please, to create two rules for the inside interface by ASDM as below and in this order?

Inside incoming rules:

a- Source: (any) | Destination: (any) | Service: (HTTP, HTTPS, POP3, SMTP, IMAP4, FTP, FTP-DATA, DNS) | Action: Permit

b- Source: (any) | Destination: (any) | Service: (IP) | Action: Deny

Outside incoming rules:

c- Source: (any) | Destination: (any) | Service: (IP) | Action: Deny

Thanks in advance

You only need one rule:

a- Source: (any) | Destination: (any) | Service: (HTTP, HTTPS, POP3, SMTP, IMAP4, FTP, FTP-DATA, DNS) | Action: Permit

There is an implicit deny at the end of all access-lists, and traffic is by default denied from an interface with a lower security level to a higher security level.

So, assuming that you have configured your outside interface with a security level of 0 (which you should have) and your inside network with a security level of anything higher than 0 (usually inside network has a security level of 100...but this is not always the case) then traffic coming in on the outside interface and going to the inside interface will be dropped.

--

Please remember to select a correct answer and rate helpful posts


Thanks for your help,

Question, please: can you explain to me the goal of inside outgoing rules and outside outgoing rules, and how to use them?

Thanks

I suppose you mean the directions in which the ACLs are applied to the interface?

If so, it has to do with when you want traffic to be matched against the configured rules. Normally you will only be applying an ACL in the ingress direction (traffic entering the ASA). However, it is possible that you might be required (for whatever reason) to match traffic against configured rules when it egresses the ASA interface (traffic leaving the ASA). I personally have never configured an ASA in this manner but have seen it done in some setups. It is usually done to either simplify the administration of the ASA, or due to the engineer's lack of knowledge of how the ASA works.

For the administration side of things, let's say you have 3 interfaces on the ASA connecting to 3 different networks. Each network has several subnets. 2 of the networks should be allowed to communicate freely between each other while access to the third should be restricted to certain IPs or subnets. So instead of having to configure permit and deny rules on two interfaces you can configure rules on one interface, effectively reducing your work by 50%.

This is not a best practice and I would not recommend it, but from an operations standpoint it is a viable solution.

--

Please remember to select a correct answer and rate helpful posts

OK, thanks a lot Marius Gunnerud,

How to deny all traffic from inside to outside, for example (allow only access to an external FTP)?

Thanks

If you ONLY want to allow FTP from inside to the outside you just need to add an ACL permitting that traffic and nothing more. There is an implicit deny at the end of all ACLs, so if traffic doesn't match the IPs and protocol it is dropped.

access-list TEST permit tcp 10.10.10.0 255.255.255.0 any eq ftp

access-group TEST in interface inside

The above will only permit FTP from subnet 10.10.10.0/24, all other traffic will be dropped.

--

Please remember to select a correct answer and rate helpful posts
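
The implicit rules discussed in this thread, as an added Python model (not from any post and not Cisco code): first-match ACL evaluation with the implicit deny, and the security-level default when no ACL is bound inbound. It assumes only new connections are evaluated (return traffic of a permitted connection is handled statefully by the ASA); the addresses and flows are constructed samples, and the services in rule a are mapped to their well-known ports.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", or "ip" for any protocol
    src: str                     # source network, CIDR
    dst: str                     # destination network, CIDR
    port: Optional[int] = None   # destination port; None means any

    def matches(self, proto, src, dst, port):
        return (self.proto in ("ip", proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.port in (None, port))

def decide(levels, acls, in_if, out_if, proto, src, dst, port):
    """Return (action, reason) for a NEW connection from in_if to out_if."""
    acl = acls.get(in_if)
    if acl is None:
        # No ACL bound inbound: the security-level default decides.
        # Equal levels are also denied by default.
        ok = levels[in_if] > levels[out_if]
        return ("permit" if ok else "deny", "security-level default")
    for ace in acl:                      # first match wins
        if ace.matches(proto, src, dst, port):
            return (ace.action, "explicit ACE")
    return ("deny", "implicit deny")     # end of every ACL

# Constructed sample data modelled on the thread.
LEVELS = {"inside": 100, "outside": 0}
# access-list TEST permit tcp 10.10.10.0 255.255.255.0 any eq ftp
TEST = {"inside": [Ace("permit", "tcp", "10.10.10.0/24", ANY, 21)]}
# Rule a from the question (well-known ports), then rule a plus rule b.
PORTS = [80, 443, 110, 25, 143, 21, 20, 53]
RULE_A = [Ace("permit", "tcp", ANY, ANY, p) for p in PORTS]
RULE_A.append(Ace("permit", "udp", ANY, ANY, 53))
RULE_A_B = RULE_A + [Ace("deny", "ip", ANY, ANY)]

if __name__ == "__main__":
    flows = [("inside", "outside", "tcp", "10.10.10.5", "203.0.113.10", 21),
             ("inside", "outside", "tcp", "10.10.10.5", "203.0.113.10", 23),
             ("inside", "outside", "tcp", "10.10.20.5", "203.0.113.10", 21),
             ("outside", "inside", "tcp", "203.0.113.10", "10.10.10.5", 21)]
    for f in flows:
        print(f, decide(LEVELS, TEST, *f))
```

Rule a alone and rule a followed by rule b give the same permit/deny action for every flow; only the reason for a deny changes from the implicit deny to the explicit entry.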
