topic Hi guys,I had a chance to in Network Security

Purpose of inside_access_in permit ip any any

Dean Romanelli — Tue, 12 Mar 2019 05:18:13 GMT

Hi All,

Reviewing some firewalls from a company acquisition and moving to standardize configs with the existing firewalls. I see they've configured the following, and I fail to see it's purpose and hoping someone can provide some insight.

These are 5505's:

access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any

access-group inside_access_in in interface inside

Don't understand the purpose of this. The inside interface is security 100, and the outside is security 0. Aren't these flows allowed by default? I get that you can specify inside_access_in when you want to limit what can go outside, but in the can of "any any" above, I don't see the point.

access-list outside_access_in extended permit icmp any any

access-group outside_access_in in interface outside

Same thing here ---> It's my understanding that ICMP, HTTPS & SSH all occur before the firewall function comes into play on a 5505, so isn't this ACL also moot?

I've sometimes seen the

Marvin Rhoads — Tue, 06 Jan 2015 00:03:40 GMT

I've sometimes seen the "inside_access_in" case used to trigger logging or hits against the access-list for a very basic connection accounting function. Beyond that though, it's a pretty superfluous command.

I could speculate that some inexperienced admin put it in just to satisfy any doubt he/she may have had when asked "are you SURE the firewall isn't blocking my traffic?" (although it may still have been if there was an inspection rule being hit 😛 )

The outside one would allow pinging initiated from the outside of internal hosts that are externally addressable. (Although if that's the only entry in the ACL it would prevent all other outside-initiated traffic.)

"access-list outside_access

internodetech — Tue, 06 Jan 2015 19:06:40 GMT

"access-list outside_access_in extended permit icmp any any

access-group outside_access_in in interface outside"

In addition to ping, ICMP is also needed for proper path mtu operation. Although he could've been more specific on which ICMP messages he allowed in that ruke, he may have enabled ICMP to troubleshoot issues related to path MTU. I would keep that in mind when deciding about removing/changing that rule. Also check out how he has ICMP inspection set up too. He may have made changes there as well.

You are correct in that you

Collin Clark — Tue, 06 Jan 2015 19:55:38 GMT

You are correct in that you do not need the ACL. I typically see this when the person setting it up really didn't understand the security-levels or they did it for logging purposes. I don't see the log keyword so I would bet it was 'try something until it works' and this was one of the things.

For the outside ACL, this would allow anyone to ping any server that has a translation. Typically added for troubleshooting, but should be locked down further. You are correct about the firewall functions when it is to the ASA itself, but the ACL there is for NAT's and not just the ASA itself.

Hope it helps.

Good information, as always

Dean Romanelli — Wed, 07 Jan 2015 02:06:17 GMT

Good information, as always guys. Thanks much.

One quick question about the outside_access_in ICMP one: So basically, if the site that has the ASA with this configured rule had any servers on the inside that have outside translations, it would allow anyone to ping the public IP's of said servers successfully from the internet right?

marvin,this is very

johnlloyd_13 — Wed, 07 Jan 2015 03:28:55 GMT

marvin,

this is very informative! +5

will consider this on my new ASA builds.

Correct

Collin Clark — Wed, 07 Jan 2015 16:15:24 GMT

Correct

Hi guys,I had a chance to

Dean Romanelli — Thu, 08 Jan 2015 13:39:11 GMT

Hi guys,

I had a chance to speak to the previous admin on this. The reason he configured inside_access_in permit ip any any was in the event if he needed to block something specific on the inside from getting out, he could add the deny line above the permit ip any any line and it wouldn't interrupt traffic, versus needing to put the deny statement in, killing traffic, then adding the permit line. Of course I would think it would be just as easy to just add the permit statement in first, then put the deny statement, but I guess there could be something said for forgetting to do that and subsequently nuking traffic. Personal preference I guess.