Confused with the two ACLs on ASA internet interface, can anyone help me out?

Alex9 (Level 1)

Hi, I am working on an ASA5520 (V9.1) and have some trouble understanding the ACL configured on the internet interface.

The two ACLs are applied on the out direction of internet interface. 

!
access-group internet_access_out out interface internet
!
access-list internet_access_out extended permit object-group DM_5 object DNS_Cache any
!
object-group service DM_5
service-object tcp destination eq domain
service-object tcp destination eq www
service-object udp destination eq domain
service-object icmp echo
!
object network DNS_Cache
host 10.17.12.2
!

Question 1: What is the function of this ACL? Does it permit the access from internet to DNS server on the TCP/UDP ports listed in object-group service DM_5? 

In my understanding, "object DNS_Cache" is the source address and "any" is the destination address. But I don't understand the "object-group DM_5".


!
access-list internet_access_out extended permit tcp object kwi1csp01 any eq ssh
!
object network kwi1csp01
host 10.17.103.16
!

Question 2: Does this ACL allow the internal host (10.17.103.16) to access any outside terminals with SSH?

Accepted Solution

First: It's one ACL, but we are looking here at two ACEs (Access Control Entries).

1) The object-group DM_5 defines a set of services that are allowed for the source/destination address pair. Here: the host DNS_Cache is allowed to do Ping, DNS and WWW to any address on the Internet.

2) That’s exactly what it does.

Using outbound ACLs here is possible, but a less common way. Most of the time inbound ACLs are used that are applied on all interfaces and that filter the traffic when a new session enters through one of the interfaces.

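To make the two ACEs concrete, here is an added example (not part of the thread, not Cisco code, and not the poster's configuration beyond the lines quoted above) that parses the posted object, object-group and access-list lines and evaluates sample flows against them with first-match semantics and the implicit deny at the end of every ASA ACL. It models only what the answer explains: the network objects resolve to hosts, the service object-group matches if any one of its service-objects matches, and the second ACE matches TCP/22 from kwi1csp01 only. Interface direction, NAT and stateful return traffic are deliberately not modelled, and the outside addresses in the sample flows are made-up documentation addresses.

```python
import ipaddress

# ASA port keywords used in the post, resolved to numbers.
PORT_NAMES = {"domain": 53, "www": 80, "ssh": 22}

# Constructed input: the configuration lines quoted in the question.
CONFIG = """
access-list internet_access_out extended permit object-group DM_5 object DNS_Cache any
access-list internet_access_out extended permit tcp object kwi1csp01 any eq ssh
object-group service DM_5
 service-object tcp destination eq domain
 service-object tcp destination eq www
 service-object udp destination eq domain
 service-object icmp echo
object network DNS_Cache
 host 10.17.12.2
object network kwi1csp01
 host 10.17.103.16
"""


def port(tok):
    """Resolve a port keyword or number to an int."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_addr(words):
    """Consume one address spec: any | object NAME | host IP."""
    if words[0] == "any":
        return ("any", None), words[1:]
    if words[0] == "object":
        return ("object", words[1]), words[2:]
    if words[0] == "host":
        return ("host", ipaddress.ip_network(words[1])), words[2:]
    raise ValueError("unsupported address spec: %s" % words)


def parse_ace(acl, words):
    """Parse the tokens that follow 'access-list NAME extended'."""
    action, words = words[0], words[1:]
    if words[0] == "object-group":            # service object-group form
        service, words = ("group", words[1]), words[2:]
    else:                                     # plain protocol form
        service, words = ("proto", words[0]), words[1:]
    src, words = parse_addr(words)
    dst, words = parse_addr(words)
    dport = port(words[1]) if words[:1] == ["eq"] else None
    return {"acl": acl, "action": action, "service": service,
            "src": src, "dst": dst, "dport": dport}


def parse(config):
    """Return (network_objects, service_groups, aces) from the config text."""
    objects, groups, aces = {}, {}, []
    current = None                            # object block being filled
    for raw in config.splitlines():
        w = raw.strip().split()
        if not w or w[0] == "!":
            continue
        if w[:2] == ["object", "network"]:
            current = ("object", w[2])
        elif w[:2] == ["object-group", "service"]:
            current = ("group", w[2])
            groups[w[2]] = []
        elif w[0] == "host" and current and current[0] == "object":
            objects[current[1]] = ipaddress.ip_network(w[1])
        elif w[0] == "service-object" and current and current[0] == "group":
            # tcp/udp entries carry "destination eq PORT"; icmp carries a type
            spec = port(w[-1]) if w[1] in ("tcp", "udp") else w[2]
            groups[current[1]].append((w[1], spec))
        elif w[0] == "access-list" and w[2] == "extended":
            aces.append(parse_ace(w[1], w[3:]))
    return objects, groups, aces


def addr_match(spec, ip, objects):
    kind, value = spec
    if kind == "any":
        return True
    net = objects[value] if kind == "object" else value
    return ipaddress.ip_address(ip) in net


def service_match(ace, pkt, groups):
    kind, value = ace["service"]
    if kind == "group":
        # Any single service-object in the group satisfies the ACE.
        return any(proto == pkt["proto"] and spec == pkt["spec"]
                   for proto, spec in groups[value])
    if value not in ("ip", pkt["proto"]):
        return False
    return ace["dport"] is None or ace["dport"] == pkt["spec"]


def evaluate(acl, pkt, cfg):
    """First matching ACE wins; no match means the implicit deny."""
    objects, groups, aces = cfg
    for ace in (a for a in aces if a["acl"] == acl):
        if (addr_match(ace["src"], pkt["src"], objects)
                and addr_match(ace["dst"], pkt["dst"], objects)
                and service_match(ace, pkt, groups)):
            return ace["action"]
    return "deny"


CFG = parse(CONFIG)


def decide(src, dst, proto, spec=None):
    """spec is the destination port for tcp/udp or the icmp type name."""
    return evaluate("internet_access_out",
                    {"src": src, "dst": dst, "proto": proto, "spec": spec}, CFG)


if __name__ == "__main__":
    for flow in [("10.17.12.2", "198.51.100.10", "udp", 53),
                 ("10.17.12.2", "198.51.100.10", "tcp", 443),
                 ("10.17.12.2", "198.51.100.10", "icmp", "echo"),
                 ("10.17.103.16", "198.51.100.10", "tcp", 22),
                 ("10.17.12.2", "198.51.100.10", "tcp", 22)]:
        print(flow, "->", decide(*flow))
```

Running it shows the point of the accepted answer: DNS_Cache gets DNS, WWW and echo to any outside address and nothing else (TCP/443 and SSH from that host fall through to the implicit deny), while kwi1csp01 gets only TCP/22. Because the ACL is bound in the out direction of the internet interface, these decisions apply to sessions leaving towards the Internet, not to connections arriving from it.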

2 Replies


Thanks a lot, Karsten.
