ASA ACL with permit "any"

Dear Board,

We're using multiple subinterfaces on the ASA for multiple VLANs.

When configuring a "permit any any http" on one interface, this means traffic can go not only to the public internet but also to the other VLAN subinterfaces on http, when there is no explicit "deny any 10.0.0.0/8 http" before it and given that the interfaces do not use the same security level.

But that makes it pretty confusing and not "pretty" when having a deny rule before a permit any.

I was thinking about a group-object excluding RFC1918 (0.0.0.0-9.255.255.255, 11.0.0.0-172.15.255.255, 172.32.0.0-192.167.255.255, 192.169.0.0-223.255.255.255) and using it instead of "any".

The other idea was to use the same security level for all interfaces on the ASA, as traffic between same-security interfaces is not allowed.

Any other ideas or suggestions to avoid having "any", or to use "any" but without enabling access to other networks?

Thanks!

Accepted Solution

There is no exclusion in an object-group. And with "any" being all IPs and not "the internet", it is common to have many rules that first deny access to internal networks and then allow access to the rest.

If you really don't like that, you could think about migrating to Firepower Threat Defense. There you have security zones, where an ACE like "permit tcp any any eq 443" can be restricted to interface pairs (inside -> outside).


2 Replies

Florin Barhala (Level 6)
From what I saw so far, people use the first scenario: deny the private IP ranges and then permit ip any.
You can do it the 2nd way also, up to you. From an auditing perspective, the deny rule is also wanted, as you could LOG and track later who's attempting local connections.

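Both replies make the same point: an ASA object-group has no exclusion operator, so the usual pattern is a logged deny for the private ranges followed by a permit any. If you nonetheless want the positive "everything except RFC1918" group the original post considered, the only way to express it is to enumerate the complementary CIDR blocks. The script below is an added example, not code from this thread or from Cisco. It computes that complement with the standard library's ipaddress module, renders it as ASA object-group syntax, and prints the two ACL styles side by side. The object-group and ACL names (RFC1918, NOT_RFC1918, INSIDE_IN) are assumptions for illustration.

```python
"""
Added example (not from the original thread): build an ASA object-group that
means "everything except RFC1918" by enumerating the complementary CIDR blocks,
since ASA object-groups cannot express "any except these".
Object-group and ACL names (RFC1918, NOT_RFC1918, INSIDE_IN) are assumptions.
"""
import ipaddress
from typing import Dict, Iterable, List, Sequence

IPv4Net = ipaddress.IPv4Network

RFC1918: List[IPv4Net] = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def complement(excluded: Iterable[IPv4Net], universe: str = "0.0.0.0/0") -> List[IPv4Net]:
    """Minimal sorted CIDR list covering `universe` minus every network in `excluded`.

    Each exclusion splits the one block that contains it along the CIDR tree
    (address_exclude); collapse_addresses() re-merges any sibling blocks that
    survive, so the result is the shortest possible network-object list.
    """
    remaining: List[IPv4Net] = [ipaddress.ip_network(universe)]
    for ex in excluded:
        nxt: List[IPv4Net] = []
        for net in remaining:
            if net.subnet_of(ex):       # block lies entirely inside the exclusion: drop it
                continue
            if ex.subnet_of(net):       # exclusion lies inside this block: carve it out
                nxt.extend(net.address_exclude(ex))
            else:
                nxt.append(net)         # disjoint: keep unchanged
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def asa_object_group(name: str, nets: Sequence[IPv4Net]) -> List[str]:
    """Render an ASA 'object-group network' block for the given CIDRs."""
    lines = [f"object-group network {name}"]
    for net in nets:
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines


def asa_acl_variants(acl: str, port: str = "www") -> Dict[str, List[str]]:
    """The two ACL styles discussed in the thread, as lists of config lines.

    'deny_then_permit' is the conventional form both replies recommend, with
    'log' on the deny so attempted east-west connections are recorded;
    'positive_group' references the enumerated complement instead of 'any'.
    """
    return {
        "deny_then_permit": [
            f"access-list {acl} extended deny tcp any object-group RFC1918 eq {port} log",
            f"access-list {acl} extended permit tcp any any eq {port}",
        ],
        "positive_group": [
            f"access-list {acl} extended permit tcp any object-group NOT_RFC1918 eq {port}",
        ],
    }


def matches(nets: Sequence[IPv4Net], ip: str) -> bool:
    """True if `ip` falls inside any network in `nets`, i.e. the ACE would match it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    not_rfc1918 = complement(RFC1918)
    print("\n".join(asa_object_group("RFC1918", RFC1918)))
    print("\n".join(asa_object_group("NOT_RFC1918", not_rfc1918)))
    for style, lines in asa_acl_variants("INSIDE_IN").items():
        print(f"! {style}")
        print("\n".join(lines))
```

The complement of the three RFC1918 prefixes within 0.0.0.0/0 comes out as 31 network-objects, which is why the deny-then-permit form is what most people actually deploy. Note also that "not RFC1918" is still not "the public internet": the generated group includes 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16 and 224.0.0.0/4. If you want those out as well, add them to the list passed to complement(); the function handles any number of exclusions.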