topic Thanks Karsten. That confirms in Network Security

ASA Outside Interface Best Practise

GRANT3779 — Tue, 12 Mar 2019 08:32:57 GMT

Hi,

For an ASA Outside Interface (which has no inbound services as such) is there a need for an ACL on the Interface?

It provides NAT only and access to the Outside world is locked down Inbound on the Inside Interface. All return traffic would be allowed back due to the stateful nature of the ASA.

What is best practise for the Outside Interface? With it having a lower security level I assume traffic coming into it from the Outside would not be able to pass to the Inside due to the Security Levels alone?

You are right, with the given

Karsten Iwen — Thu, 17 Nov 2016 11:07:14 GMT

You are right, with the given security-levels, no traffic that is initiated from outside will get into your network.

Some people still place an ACL with a line "deny ip any any" to the interface to see the hit count. I wouldn't say it's a best practice, but it's one valid way to handle it.

And remember that the ACLs on the ASA by default only filter transit traffic and not traffic that is sent to the ASA itself. You don't need any ACEs for that.

Thanks Karsten. That confirms

GRANT3779 — Thu, 17 Nov 2016 11:19:53 GMT

Thanks Karsten. That confirms my thinking process!