02-28-2012 12:36 PM - edited 03-11-2019 03:36 PM
We recently had a new ASA installed and configured by a contractor. I have been looking through the configs and I had a question that may have a simple explanation. Below is a sample of the config.
access-list outside-entry extended permit ip host 16.143.99.105 any
access-list outside-entry extended permit ip host 16.143.99.106 any
access-list outbound_access extended permit ip 16.143.0.0 255.255.0.0 any
access-list outbound_access extended permit ip any any
access-list outside_entry extended permit ip any any
access-list outside extended permit ip any host 16.143.99.105
access-list outside extended permit ip any host 16.143.99.106
access-group outside in interface outside
access-group outbound_access in interface inside
access-group outside_entry in interface dmz
My question relates to the outside-entry access list and the outside_entry access list. The outside-entry access list is not tied to any interface so are any rules associated with it even being adhered to? With every address in the outside-entry access list also in the outside access list, it would seem that any traffic can come straight through without even hitting my DMZ. Should the outside-entry access list actually be called the outside_entry access list? Was a mistake made with the naming? Any clarification on this would be appreciated. Having that outside-entry access list not associated with an interface is confusing me. Thank you in advance for the assistance!
02-29-2012 04:21 AM
access-group outside in interface outside
access-list outside extended permit ip any host 16.143.99.105
access-list outside extended permit ip any host 16.143.99.106
(This will allow anything outside to reach these two hosts, .105 and .106, on any port)
access-group outbound_access in interface inside
access-list outbound_access extended permit ip 16.143.0.0 255.255.0.0 any
access-list outbound_access extended permit ip any any
(From the inside zone, the whole subnet can go out)
access-group outside_entry in interface dmz
access-list outside_entry extended permit ip any any
(DMZ is allowed to communicate outside without any restriction)
The outside-entry ACL is there but is not applied to any interface, which means it has no effect.
Thanks
Ajay
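The check Ajay describes (an ACL defined in the running config but never bound with access-group) is easy to script. The following is an added example, not code from the original thread or from Cisco: it parses the access-list and access-group lines exactly as posted in the question, lists ACLs that are defined but unapplied (and applied but undefined), flags every ACL that carries a permit ip any any, and, because the ASA evaluates ACEs top-down with first match winning, reports the entries that such a permit makes redundant or unreachable. The SAMPLE_CONFIG text is copied from the question; the function names are my own.

```python
import re
from collections import defaultdict

# Copied from the posted config (the question above); used as sample input.
SAMPLE_CONFIG = """\
access-list outside-entry extended permit ip host 16.143.99.105 any
access-list outside-entry extended permit ip host 16.143.99.106 any
access-list outbound_access extended permit ip 16.143.0.0 255.255.0.0 any
access-list outbound_access extended permit ip any any
access-list outside_entry extended permit ip any any
access-list outside extended permit ip any host 16.143.99.105
access-list outside extended permit ip any host 16.143.99.106
access-group outside in interface outside
access-group outbound_access in interface inside
access-group outside_entry in interface dmz
"""

ACL_RE = re.compile(r'^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.+)$')
GROUP_RE = re.compile(r'^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$')


def parse_config(text):
    """Return (acls, bindings): acls maps ACL name -> ordered list of
    (action, protocol, rest); bindings maps ACL name -> (direction, interface)."""
    acls = defaultdict(list)
    bindings = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            acls[name].append((action, proto, rest))
            continue
        m = GROUP_RE.match(line)
        if m:
            name, direction, iface = m.groups()
            bindings[name] = (direction, iface)
    return dict(acls), bindings


def unapplied_acls(acls, bindings):
    """ACLs that exist in the config but are not bound to any interface
    (they are never consulted, so their entries have no effect)."""
    return sorted(set(acls) - set(bindings))


def missing_acls(acls, bindings):
    """access-group references to ACL names that are never defined."""
    return sorted(set(bindings) - set(acls))


def is_any_any(entry):
    action, proto, rest = entry
    return action == 'permit' and proto == 'ip' and rest.split() == ['any', 'any']


def fmt(entry):
    return ' '.join(entry)


def any_any_permits(acls, bindings):
    """(ACL name, interface or None) for every ACL containing 'permit ip any any'."""
    out = []
    for name, entries in acls.items():
        if any(is_any_any(e) for e in entries):
            out.append((name, bindings.get(name, (None, None))[1]))
    return sorted(out)


def any_any_effects(acls):
    """For each ACL with a 'permit ip any any', return (redundant, unreachable).
    First match wins on the ASA, so every ACE after the any/any can never be
    evaluated, and a permit before it that is not followed by a deny (before the
    any/any) changes nothing: the traffic would be permitted anyway."""
    redundant, unreachable = [], []
    for name, entries in acls.items():
        idx = next((i for i, e in enumerate(entries) if is_any_any(e)), None)
        if idx is None:
            continue
        for j in range(idx):
            action = entries[j][0]
            deny_after = any(e[0] == 'deny' for e in entries[j + 1:idx])
            if action == 'permit' and not deny_after:
                redundant.append((name, fmt(entries[j])))
        unreachable.extend((name, fmt(e)) for e in entries[idx + 1:])
    return sorted(redundant), sorted(unreachable)


if __name__ == '__main__':
    acls, bindings = parse_config(SAMPLE_CONFIG)
    print('unapplied:', unapplied_acls(acls, bindings))
    print('undefined but applied:', missing_acls(acls, bindings))
    print('permit ip any any:', any_any_permits(acls, bindings))
    redundant, unreachable = any_any_effects(acls)
    print('redundant:', redundant)
    print('unreachable:', unreachable)
```

Run against the posted lines it reports outside-entry as unapplied, outbound_access (inside) and outside_entry (dmz) as carrying a permit ip any any, and the 16.143.0.0/16 permit in outbound_access as redundant. On the box itself, show run access-group lists the bindings and show access-list NAME shows per-ACE hit counts, which confirms that an unbound ACL never accumulates hits.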
02-29-2012 05:04 AM
Hi Ajay,
From a security point of view, isn't access-list ----- permit ip any any not recommended?
02-29-2012 05:29 AM
Yes, permit any any should not be there.
02-29-2012 11:29 AM
Thanks for the reply, Ajay. I figured out that's what those commands did. I'm just confused as to what the outside-entry access list is actually doing. It's not assigned to an interface, so I don't believe it's actually doing anything. Those commands are useless. Is that correct as far as you know? Thanks again for the help!