topic Re: Access Lists in Network Security

Access Lists

mfruvous — Mon, 11 Mar 2019 16:26:05 GMT

Hello,

I am a Cisco ASA newbie. I am having trouble grasping ACL concepts. We will want all outbound traffic from LAN to WAN blocked; except as we see fit to allow. I understand by default all traffic is allowed to the less secure interface. Do I understand this correctly that as soon as I apply an ACL to internal interface all other traffic will be blocked because of an implied deny statement that will then be in force by default? That the "other" traffic we want to block will never reach the implicit permit rule as long as that rule is not applied first?

Thanks,

Andrea

Re: Access Lists

Jon Marshall — Wed, 14 Oct 2009 19:18:07 GMT

Andrea

Your overall understanding is correct altho i'm not 100% sure what you mean by -

"That the "other" traffic we want to block will never reach the implicit permit rule as long as that rule is not applied first?"

there is no implicit permit rule. What you would do is create an acl that has all the permit statements allowing only the traffic you want.

If you then apply that acl to the inside interface only the traffic you have permitted will be allowed through. Any other traffic you have no written an explicit permit rule for will be dropped by the implicit deny any rule.

Jon

Re: Access Lists

mfruvous — Wed, 14 Oct 2009 20:16:59 GMT

Jon,

I am viewing the rules in ASDM 6.2. I have attached what the default rules look like in ASDM. That's where I got "implicit permit." But, I think I get it... Once I am done creating the ACL I want to allow out, I create the deny rule?

Thank you very much for you help,

Andrea

Re: Access Lists

Jon Marshall — Wed, 14 Oct 2009 20:32:59 GMT

Andrea

"Once I am done creating the ACL I want to allow out, I create the deny rule?"

You can if you want but if you don't there is an implicit deny anyway. I suspect the "implicit permit" you are seeing is because by default all traffic is allowed from a higher to lower security interface. Once you apply an acl to that higher interface then the implicit permit should not be relevant.

As for the acl

access-list inside_out permit tcp any any eq 80

access-list inside_out permit tcp any any eq 443

access-list inside_out_1 permit tcp any any eq 80

access-list inside_out_1 permit tcp any any eq 443

access-list inside_out_1 deny ip any any

both of the above acls do the same thing ie.

they allow http and https traffic from inside to outside and then deny everything else. The only difference is that the first acl "inside_out" relies on an implicit deny at the end of the acl ie. you don't specifically enter it and with the second acl "inside_out_1" you explicitly add the "deny ip any any" line.

When you do a "sh access-list" inside_out_1 will also show you how many hits have been dropped on the "deny ip any any" line whereas you wouldn't see this with the first acl "inside_out".

Jon

Re: Access Lists

mfruvous — Wed, 14 Oct 2009 23:46:56 GMT

Jon,

Thank you so much. You have clarified this for me. I come from a Watchguard background. The learning curve is large.

Thank you again,

Andrea

Re: Access Lists

Jon Marshall — Thu, 15 Oct 2009 01:56:33 GMT

Andrea

No problem, glad to have helped and thank you for the rating.

As for the learning curve, i'm afraid a lot of Cisco products can take a bit of time to get the hang off. But feel free to post in these forums as there are a lot of knowledgeable people who will be only too happy to help.

Jon