I have been trying to understand the login in ACL however it is still unclear to me. My setup is security firewall which does not have internet access, all I need is explicitly allow minimum traffic, only what is needed needed.
A sample of my rules looks like this (ASA code 9.8):
access-list dev_access_in extended permit tcp object sysadmin object dev eq ssh access-list dev_access_in extended deny ip any any access-list dev_access_out extended permit tcp object dev object sysadmin eq 8086 (influxdb port) access-list dev_access_out extended deny ip any any access-list prod_access_in extended permit tcp object sysadmin object dev eq ssh access-list prod_access_in extended deny ip any any access-list prod_access_out extended permit tcp object dev object sysadmin eq 8086 (influxdb port) access-list prod_access_out extended deny ip any any access-list sysadmin_access_in extended permit tcp object dev object sysadmin eq 8086 access-list sysadmin_access_in extended permit tcp object prod object sysadmin eq 8086 access-list sysadmin_access_in extended deny ip any any access-list sysadmin_access_out extended permit tcp object sysadmin object dev eq ssh access-list sysadmin_access_out extended permit tcp object sysadmin object prod eq ssh access-list sysadmin_access_out extended deny ip any any
i will omit all the access-group settings here, will only show one example:
access-group sysadmin_access_out in interface sysadmin access-group sysadmin_access_in out interface sysadmin
My example works perfectly, I can explicitly and clearly allow and disallow traffic, however there is a lot of duplicate rules.
Looking at other examples I found online and in my infrastructure, those rules are different and look simpler. I had an impression that Cisco device would be clever and if you tell it once, it will work out itself how to deliver the allowed traffic. Am I doing something bizarre with these ACL rules?
By applying the ruleset both inbound and outbound to the interface you're essentially doubling it. You more than likely only need one direction. Filtering inbound is usually the easier way to go. Imagine yourself sitting on the firewall and traffic coming from a host into the firewall would be filtered inbound. By doing it this way you are filtering closest to the source (best practice). And yes the firewall is smart enough to build holes for return traffic--it's called Stateful Packet Inspection.
But what if for each zone I want to strictly control what can go in and out? For sensitive zone (100) I would allow only one service in, and one other service out. That would mean for another, less sensitive "sysadmin" zone (50) I allow implicitly any connection to come into, and that would sound not as secure as I would expect things to be at the moment.
I would guess "security-level" would come in play here. With implicit "deny any", it should allow incoming traffic from more secure zones into my "sysadmin less secure zone" without me explicitly specifying twice what can come into ?
Correct. Higher security zones can talk to lower ones (with or without an ACL). From lower security zones to higher ones, some sort of NAT will need to take place along with an ACL permitting traffic.