2950 Views | 0 Helpful | 4 Replies

implicit permit in ACL

rsjordan00
Level 1

We manage a lot of ASA firewalls which have fairly similar setups. Most firewalls have at least an inside, dmz and outside interface. For the inside interface ACL, we leave the default ACL in place with the implicit permit to less secure networks and implicit deny. For the dmz and any other internal interfaces, we want to permit access to the outside but not necessarily between the other interfaces. The implicit ACLs would normally work for them but we run into issues when we need to permit traffic between those interfaces. When we add a permit entry we lose the implicit permit to less secure networks and hosts on that interface will lose access to the outside network. As a result, we ended up setting up the ACLs like this:

access-list dmz_access_in extended permit tcp <dmz_host> <inside_host> eq 1433

access-list dmz_access_in extended deny ip <dmz_network> <inside_network>

access-list dmz_access_in extended permit ip <dmz_network> any

But if we have additional interfaces, we also need to explicitly deny traffic to them. So the ACL would look like this:

access-list dmz_access_in extended permit tcp <dmz_host> <inside_host> eq 1433

access-list dmz_access_in extended deny ip <dmz_network> <inside_network>

access-list dmz_access_in extended deny ip <dmz_network> <dmz2_network>

access-list dmz_access_in extended deny ip <dmz_network> <dmz3_network>

....

access-list dmz_access_in extended permit ip <dmz_network> any

I don't like having to explicitly add a permit any any in order to grant access to the outside network. Obviously, this would be bad if we forgot to explicitly add a deny entry for another interface. I took a look at the global access list in 8.3+ but it also removed the implicit permit on the interface ACL as soon as I added an entry to the global. Is there any way to recreate the implicit permit to less secure networks?

Accepted Solution

I usually configure that the following way:

I have an object-group for all my networks. As these are normally in the RFC1918 range, that's my object-group:

object-group network RFC1918

  network-object 10.0.0.0 255.0.0.0

  network-object 172.16.0.0 255.240.0.0

  network-object 192.168.0.0 255.255.0.0

Next on all interfaces I have two logical sections:

access-list DMZ-ACCESS-IN permit tcp object DMZ-HOST object INSIDE-HOST eq 80

access-list DMZ-ACCESS-IN deny ip any object-group RFC1918

access-list DMZ-ACCESS-IN permit tcp object DMZ-HOST any eq 25

Everything above the deny line is for the communication to my own networks. In the lines below the deny I can now use the keyword "any", which is the internet in this case, as all communication to internal networks has been filtered out. If I later add an additional interface with a private network, nothing has to change in my existing ACLs to block access to that network.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

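Added example (not part of the thread, and not Cisco code): a small Python model of ASA first-match ACL evaluation that puts the per-interface deny list from the original post next to the RFC 1918 deny from the accepted solution. The addresses, the DMZ3 and VPN networks, and the `internal_leaks` / `with_vpn_exception` helpers are constructed for the example. It shows why the first style fails open when a new interface is added and the second fails closed, and it also carries through the VPN caveat raised at the end of the thread: a private range reached over a tunnel is swallowed by the RFC 1918 deny unless its permit sits above that line.

```python
"""ASA-style first-match ACL evaluation, as a constructed example.

Models only ACE ordering and the implicit deny at the end of every ACL;
NAT, same-security-traffic and per-interface direction are out of scope.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0/0",)
# The object-group from the accepted solution
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed addressing (hypothetical, not from the thread)
INSIDE = ("10.1.0.0/16",)
DMZ = ("192.168.10.0/24",)
DMZ2 = ("192.168.20.0/24",)
DMZ3 = ("192.168.30.0/24",)        # interface added after the ACLs were written
VPN_REMOTE = ("10.200.0.0/16",)    # private range reached through a VPN tunnel
DMZ_HOST, INSIDE_HOST = "192.168.10.5/32", "10.1.0.20/32"


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" | "deny"
    proto: str                     # "ip" matches every protocol, else "tcp"/"udp"
    src: tuple                     # tuple of IPv4Network, like an object-group
    dst: tuple
    dport: Optional[int] = None    # None = any port (no "eq" keyword)


def ace(action, proto, src, dst, dport=None):
    nets = lambda group: tuple(ipaddress.ip_network(n) for n in group)
    return Ace(action, proto, nets(src), nets(dst), dport)


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """First matching ACE wins; falling off the end hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not any(s in n for n in e.src) or not any(d in n for n in e.dst):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


# 1. Original post: one explicit deny per internal interface, then permit any.
ORIGINAL_POST_ACL = [
    ace("permit", "tcp", (DMZ_HOST,), (INSIDE_HOST,), 1433),
    ace("deny", "ip", DMZ, INSIDE),
    ace("deny", "ip", DMZ, DMZ2),
    ace("permit", "ip", DMZ, ANY),   # DMZ3 did not exist when this was written
]

# 2. Accepted solution: one deny for all RFC 1918 space, below it "any" = internet.
ACCEPTED_ACL = [
    ace("permit", "tcp", (DMZ_HOST,), (INSIDE_HOST,), 1433),
    ace("deny", "ip", ANY, RFC1918),
    ace("permit", "ip", DMZ, ANY),
]


def internal_leaks(acl, src_ip, internal_nets):
    """Audit to run after adding an interface: which internal networks can
    src_ip reach with plain IP traffic? Returns the leaking networks."""
    leaks = []
    for group in internal_nets:
        for net in group:
            probe = str(ipaddress.ip_network(net)[10])   # arbitrary host in the range
            if evaluate(acl, "ip", src_ip, probe) == "permit":
                leaks.append(net)
    return leaks


def with_vpn_exception(acl, vpn_nets):
    """Fix for the VPN caveat: the permit must sit above the RFC 1918 deny,
    otherwise the tunnelled private range is blocked like any other."""
    deny_idx = next(i for i, e in enumerate(acl) if e.action == "deny")
    return acl[:deny_idx] + [ace("permit", "ip", DMZ, vpn_nets)] + acl[deny_idx:]


if __name__ == "__main__":
    print("original post leaks:", internal_leaks(ORIGINAL_POST_ACL, "192.168.10.5", [INSIDE, DMZ2, DMZ3]))
    print("accepted solution leaks:", internal_leaks(ACCEPTED_ACL, "192.168.10.5", [INSIDE, DMZ2, DMZ3]))
```

With DMZ3 added and no ACL change, the original-post style reports `['192.168.30.0/24']` as reachable from the DMZ while the accepted-solution style reports nothing. The same run also shows the accepted solution denying the DMZ host to `10.200.0.5` until `with_vpn_exception` inserts the permit above the deny line, which is the "look out for the private ranges for VPN tunnels" point from the end of the thread.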

4 Replies

Marvin Rhoads
Hall of Fame

Good thought but AFAIK the way you're doing it is the right and best way.

Once you start ACLing an interface, the implicit permit from higher to lower security goes out the window. Adding back in an explicit allow is the appropriate response.

Jennifer Halim
Cisco Employee

No, unfortunately the function of an ACL is to restrict access, hence there is only an implicit deny; there is no implicit permit.

I assume that your other DMZ or internal networks will be in the private IP addressing range, right? If so, then you can just block all the private IP addressing ranges on the ACL, and since traffic going to the internet will be towards the public IP range, you are covered.


I think this is the best way to do it. I just have to look out for the private ranges for VPN tunnels.

Thanks