1. Ideally you do not allow all inside users to create connections outbound - only allow what they need. The default for a pix is *no* acls enabled, as there is the implicit deny inbound and allow outbound ruleset.
2. This is to log everything, typically.
3. Absolutely. You can write an acl whose first line is permit ip any any, and then selectively block things from there, or you can just start permitting what you allow, and rely upon the default deny rule implicit at the end of an acl to clobber all that you do not want.
1) You only need an ACL if you want to change the default behaviour. If, in your case, you only want the default behaviour, there is no need for ACLs at all. You are right, ASA will take care of it.
Minimal requirement is that translation is configured (even if you're not doing any translation, you need at least nat (inside) 0 0 0 in your config).
2) deny ip any any is not needed on ACLs bound to an interface with a low security level. The reason for the recommendation to put it in at all times is that it is easier to read, and the second thing is that it gives less CPU consumption (if you search for ASA order of operation on CCO you will find the document which describes the ASA operation, and you will see that it takes one less step in processing when the deny ip any any is in place). The last thing to remember is that if an interface has no deny ip any any statement on it, and the traffic is travelling from a high to a low security level, the implicit rule will be that traffic is allowed, so it is not true that the deny ip any any is always at the end of the ACL (this is true in IOS, but not in PIX-OS).
3) Of course this is possible. If, for example, you want all inside hosts to be able to use HTTP to the outside, it would look like this:
access-list inside_in permit tcp any any eq www
access-list inside_in deny ip any any
access-group inside_in in interface inside
*note the deny ip any any on the end, which does prevent ASA from taking the implicit rule which would permit the traffic*
As mentioned, searching CCO for ASA order of operation will direct you to very interesting docs and links, which are worth reading.
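The following is an added example, not code from either answer above: a small Python model of how an ASA/PIX walks an access-list, used to check the two inside_in lines from the second answer. It assumes first-match evaluation, an implicit deny ip any any after the last line of any ACL that is bound with access-group, and the security-level default (high to low permitted, low to high denied) only when no ACL is bound at all; address forms are limited to any and host.

```python
# Added example, not from the thread: a minimal model of how an ASA/PIX evaluates
# an access-list. Assumed semantics: first match wins; a bound ACL ends with an
# implicit "deny ip any any"; security levels decide only when no ACL is bound.
import ipaddress

PORTS = {"www": 80, "https": 443, "ssh": 22, "domain": 53}

def _addr(tokens, i):
    # 'any' matches everything (None); 'host A.B.C.D' matches one address.
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_address(tokens[i + 1]), i + 2
    raise ValueError("unsupported address form: " + tokens[i])

def parse_ace(line):
    # access-list NAME permit|deny PROTO SRC DST [eq PORT]
    t = line.split()
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    port = None
    if i + 1 < len(t) and t[i] == "eq":
        port = PORTS.get(t[i + 1]) or int(t[i + 1])
    return {"name": t[1], "action": t[2], "proto": t[3],
            "src": src, "dst": dst, "port": port}

def ace_matches(ace, pkt):
    # pkt: dict with proto, src, dst and (for tcp/udp) dport
    return (ace["proto"] in ("ip", pkt["proto"])
            and ace["src"] in (None, ipaddress.ip_address(pkt["src"]))
            and ace["dst"] in (None, ipaddress.ip_address(pkt["dst"]))
            and ace["port"] in (None, pkt.get("dport")))

def evaluate(acl, pkt, from_level, to_level):
    # acl: ACEs bound inbound on the ingress interface ([] = no access-group).
    if not acl:
        if from_level > to_level:
            return "permit", "implicit: high to low security level"
        return "deny", "implicit: low to high security level"
    for n, ace in enumerate(acl, 1):  # first match wins, so order matters
        if ace_matches(ace, pkt):
            return ace["action"], "line %d" % n
    return "deny", "implicit deny at end of ACL"

# The inside_in ACL from the answer above (constructed input).
INSIDE_IN = [parse_ace(l) for l in (
    "access-list inside_in permit tcp any any eq www",
    "access-list inside_in deny ip any any",
)]
```

Running evaluate over INSIDE_IN with and without its last line shows that the explicit deny only changes which line the drop is attributed to, and placing a permit ip any any before a deny line means the deny is never reached.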