11-28-2017 07:23 PM - edited 02-21-2020 06:51 AM
Hi, I am working on an ASA5520 (V9.1) and have some trouble understanding the ACL configured on the internet interface.
The two ACLs are applied in the out direction of the internet interface.
!
access-group internet_access_out out interface internet
!
access-list internet_access_out extended permit object-group DM_5 object DNS_Cache any
!
object-group service DM_5
service-object tcp destination eq domain
service-object tcp destination eq www
service-object udp destination eq domain
service-object icmp echo
!
object network DNS_Cache
host 10.17.12.2
!
Question 1: What is the function of this ACL? Does it permit access from the internet to the DNS server on the TCP/UDP ports listed in object-group service DM_5?
With my understanding, the "object DNS_Cache" is the source address and "any" is the destination address. But I don't understand the "object-group DM_5".
!
access-list internet_access_out extended permit tcp object kwi1csp01 any eq ssh
!
object network kwi1csp01
host 10.17.103.16
!
Question 2: Does this ACL allow the internal host (10.17.103.16) to access any outside terminals with SSH?
11-28-2017 11:10 PM
First: It's one ACL, but we are looking here at two ACEs (Access Control Entries).
1) The object-group DM_5 defines a set of services that are allowed for the source/destination address pair. Here: the host DNS_Cache is allowed to do Ping, DNS and WWW to any address on the Internet.
2) That’s exactly what it does.
Using outbound ACLs here is possible, but it is a less common approach. Most of the time inbound ACLs are used, applied on all interfaces, which filter the traffic when a new session enters through one of the interfaces.
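Added example (not from the thread and not Cisco code): a small Python evaluator for the ACEs quoted above, using the DNS_Cache and kwi1csp01 objects and the DM_5 service group, that expands the service object-group into per-protocol/port matches and applies first-match semantics with the ACL's implicit deny at the end. It assumes the flows it checks are new sessions in the direction the ACL is applied (leaving through the internet interface) and ignores the ASA's stateful handling of return traffic.

```python
import ipaddress
# Constructed from the objects and ACEs quoted in the question ('!' separators dropped).
CONFIG = """
object network DNS_Cache
 host 10.17.12.2
object network kwi1csp01
 host 10.17.103.16
object-group service DM_5
 service-object tcp destination eq domain
 service-object tcp destination eq www
 service-object udp destination eq domain
 service-object icmp echo
access-list internet_access_out extended permit object-group DM_5 object DNS_Cache any
access-list internet_access_out extended permit tcp object kwi1csp01 any eq ssh
"""
PORTS = {"domain": 53, "www": 80, "ssh": 22, "echo": 8}  # for icmp: the ICMP type

def addr(t, objects):
    """Consume 'any' or 'object NAME'; return ([networks], remaining tokens)."""
    return ([ipaddress.ip_network("0.0.0.0/0")], t[1:]) if t[0] == "any" else (objects[t[1]], t[2:])

def parse(text):
    """Return ACEs as (action, [(proto, port)], src_nets, dst_nets), in ACL order."""
    objects, groups, aces, cur = {}, {}, [], None
    for w in (l.split() for l in text.splitlines() if l.strip()):
        if w[0] in ("object", "object-group"):     # 'object network X' / 'object-group service X'
            cur = (objects if w[0] == "object" else groups).setdefault(w[2], [])
        elif w[0] == "host":
            cur.append(ipaddress.ip_network(w[1]))
        elif w[0] == "service-object":             # protocol + destination port (or ICMP type)
            cur.append((w[1], PORTS[w[-1]]))
        elif w[0] == "access-list":
            t = w[4:]                              # tokens after 'permit'/'deny'
            if t[0] == "object-group":             # service group: one ACE, several services
                services, t = groups[t[1]], t[2:]
            else:                                  # plain protocol; port comes from a trailing 'eq'
                services, t = [(t[0], PORTS[t[-1]] if "eq" in t else None)], t[1:]
            srcs, t = addr(t, objects)
            dsts, t = addr(t, objects)
            aces.append((w[3], services, srcs, dsts))
    return aces

def permitted(aces, proto, src, dst, port=None):
    """First matching ACE decides; the ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, services, srcs, dsts in aces:
        if any(src in n for n in srcs) and any(dst in n for n in dsts) and any(
                p == proto and pt in (None, port) for p, pt in services):
            return action == "permit"
    return False
```

Running `permitted(parse(CONFIG), "tcp", "203.0.113.5", "10.17.12.2", 53)` returns False because the internet host is never the source in either ACE, which answers Question 1: the entry lets DNS_Cache out, it does not let the internet in.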
11-29-2017 01:33 AM
Thanks a lot, Karsten.