topic Re: Enterprise public IP add on outside of ASA has no ACL. Is this nor in Network Security

Enterprise public IP add on outside of ASA has no ACL. Is this normal?

MicJameson1 — Wed, 21 Dec 2022 17:51:53 GMT

Hello.

On an enterprise ASA There exists at least 1 active outside int with a public IP address, that has zero restrictions on its attached ACL. I expect this interface is not advertised at all, but still, is this normal (if not best) security practice??

Thank you.

Re: Enterprise public IP add on outside of ASA has no ACL. Is this nor

Rob Ingram — Wed, 21 Dec 2022 18:01:20 GMT

@MicJameson1 on the ASA the outside interface has a security level of 0 and the inside interface has a security level of 100. Traffic from a lower security level (outside) to a higher level (inside) is by default denied, without an ACL. To explictly permit traffic you need to configure an ACL and attached it to the outside interface. If you have an ACL configured then by default at the end of the ACL there is an implict deny (not visible in the configuration until you explictly configure at the end). You don't need an ACL on the outside interface as long as it's security level is lower than the inside interface.

Traffic initiated from inside to outside will be permitted, including the return traffic.

Re: Enterprise public IP add on outside of ASA has no ACL. Is this nor

MHM Cisco World — Wed, 21 Dec 2022 18:06:16 GMT

""not advertised at all""

can you more elaborate ?

Re: Enterprise public IP add on outside of ASA has no ACL. Is this nor

MicJameson1 — Wed, 21 Dec 2022 18:08:55 GMT

Thank you, Rob, for your helpful reply.

The ACL attached to the outside, in the "in" direction, only has the ACE-- "permit IP any any". Does that change your assessment?

Re: Enterprise public IP add on outside of ASA has no ACL. Is this nor

Rob Ingram — Wed, 21 Dec 2022 18:12:29 GMT

@MicJameson1 that's not normal and not advised. Do you need to explictly permit inbound traffic from the internet via the outside interface? If you do, create specific rules and deny the rest of the traffic. Or if you have no inbound traffic, you can remove that ACL.

Outbound traffic (inside to outside) should not be affected, as per the security levels permitting traffic from higher security level to lower.

Re: Enterprise public IP add on outside of ASA has no ACL. Is this nor

MHM Cisco World — Wed, 21 Dec 2022 18:15:49 GMT

this must you remember always when you deal with ASA,
the most important think is bypass ACL when there is existing Conn.

so your ACL apply to OUT side not effect any traffic initiate INside
but it effect traffic initiate from OUTside (access to server in DMZ or INside).

Re: Enterprise public IP add on outside of ASA has no ACL. Is this nor

MicJameson1 — Wed, 21 Dec 2022 18:37:22 GMT

""not advertised at all"" meaning there are no routing protocols implemented on the connection, and no public DNS entry. The interface is undocumented to the public, but it does have a public IP address and is open to the LAN.

I will now lock down this attached ACL.

Re: Enterprise public IP add on outside of ASA has no ACL. Is this nor

Marvin Rhoads — Wed, 21 Dec 2022 18:51:49 GMT

An ASA's public IP address on the outside interface only accepts incoming connections destined for it if there is a service explicitly configured to allow it. You can check for any listening service with the command "show asp sockets". Common services are remote access VPN on tcp/443. Some people will allow incoming ssh although this is not usually a good idea unless it is tightly restricted.

FYI ACLs on an ASA generally affect traffic though an interface, not traffic to it. Only the special and seldom used control plane ACLs do the latter.