Access-Lists:Removing the veil of ignorance

Good Morning!

I have been tasked with creating an extended named access-list(s) which blocks unnecessary/unused/unneeded destination ports of all traffic going to public IP addresses from any inside IP address (any any eq xxx). I believe the access rule is applied to the outside interface, but why? And which traffic direction should be used, if any, and why? I am using a Cisco ASA5505 8.4(2)/6.4(5) (ASA/ASDM). Once these ACLs are created, how does one test them?

Any guidance is greatly appreciated. Any examples of ACLs being applied to an inside interface are even more greatly appreciated!

All the best,

d

9 Replies

varrao
Level 10

Hi Douglas,

Here's what you can do. Let's suppose that for the traffic coming from outside to inside you have the following ACLs to allow access to your internal servers:

access-list test permit tcp any host 1.1.1.1 eq 443

access-list test permit tcp any host 1.1.1.1 eq 25

access-list test permit tcp any host 1.1.1.1 eq 21

access-list test permit tcp any host 1.1.1.1 eq 22

Now you can add a deny ACL at the end to drop any traffic which is not allowed:

access-list test deny ip any any

and apply it to the outside interface in the 'in' direction:

access-group test in interface outside

The logic is that we are applying the test ACL to traffic which is coming into the outside interface, hence the 'in' keyword.

Similarly, for traffic initiated from the inside interface to outside, you can apply ACLs. Let's assume you just want the hosts in the subnet 10.1.1.0 to access the internet and no other host should go to the internet; then:

access-list in_to_out permit ip 10.1.1.0 255.255.255.0 any

access-list in_to_out deny ip any any

access-group in_to_out in interface inside

It means the ACL is applied to traffic coming into the inside interface.

Hope this was helpful.

Thanks,

Varun

Thanks,
Varun Rao

Thank you for the quick reply. Would there ever be a situation where you would apply the ACL to traffic going "out" the inside or outside interface?

Would it be easier to make a list of all the allowed ports and deny the rest? Considering I am using ASA software 8.4(5), can I or should I make one object-group of all of the ports I want to keep open or block?

d

Hi Douglas

Sorry, it was dinner time for me.

You can use 'out' as well, but I would recommend that you always block traffic closer to the source, hence use 'in' ACLs.

Yes, in fact you should make an object-group of the ports to be allowed and deny the rest; this way you reduce considerable overhead and make the config look good.

Hope this helps.

Thanks,

Varun

Please do rate helpful posts.


Hi

Thank you for all your help. Regarding your reply above:

"You can use 'out' as well, but I would recommend you to always block traffic closer to the source hence use 'in' acl's."

When I tried applying an ACL (block TCP & UDP port 102) on the inside interface instead of the outside interface, the implicit ACL "Any (inside) to Any less secure networks" changes to "Any to Any with the action Deny". This results in all traffic being blocked. Any suggestions on how to block on the inside interface instead of the outside interface?

d

Hi Doug,

On the ASA, higher security to lower is implicitly allowed, but if you apply any ACL on the inside interface then the ASA automatically adds a deny ACL at the bottom, which means now every host would need to be defined in the ACL to allow internet access. So if the entire internal LAN needs to access the internet, then you should not apply any ACL on the inside interface, or use the ACL with the any any option. For example, you have two subnets 10.1.1.0 and 10.1.2.0 and you apply an ACL for the first subnet; this means the 2nd subnet would now not be able to access the internet. So you would need to add an ACL for the 10.1.2.0 subnet as well.

I hope this helps.

Thanks,

Varun


Good Evening Varun,

Quick question regarding blocking ports on the outside interface. The direction of the traffic flow is from the inside interface towards the outside interface. Which is the correct syntax when applying the access-list to the "outside interface"?

access-group BLOCK-PORTS in interface outside

OR

access-group BLOCK-PORTS out interface outside

Thank you for all your help and guidance.

d

Hi Doug,

The question is a bit contradictory: if the direction of traffic is from inside to outside, we would need to apply the access-list on the inside interface, not outside. But if what you are trying to say is that you want to restrict access to internal machines for traffic coming from the outside internet, then definitely the syntax for the access-group would be:

access-group BLOCK-PORTS in interface outside

Let me know if this is what you were looking for.

Thanks,

Varun


Hi Varun,

What "in" and "out" can mean depends on the direction of the traffic flow, does it not. I am trying to picture the Inside and Outside Interfaces as the sides of one or two piece of paper. If if one piece of paper, then in my example of traffic flowing from inside to outside, one side of the paper would be in and the other out. Since per your statement above

"On ASA, higher security to lower is implicitly allowed, but if you apply any ACL on inside interface then ASA automatically adds a deny ACL at the bottom, which means now every host would need to be defined on the acl to allow internet access,"

Then I would use:

access-group BLOCK-PORTS out interface outside

If I should visualize this as two pieces of paper, with each interface as a sheet, one side "in" and one side "out", then would the syntax be:

access-group BLOCK-PORTS in interface outside

What am I missing in my logic?

Again, all responses are greatly appreciated.

Hi Doug,

Do not get confused by the traffic flow; it's like this:

    outside (ASA) inside  <----------------------------------------- "in"

This is "in", since traffic is coming into the inside interface, so the moment the traffic hits the inside interface, the firewall would check the ACL.

Second point: by default the firewall would not check any ACL on the inside interface, but let's say out of 10 networks on the inside, you just want one network 10.1.1.0 to access the internet, and apply the ACL as:

access-group BLOCK-PORTS in interface inside

Now every time the traffic hits the inside interface it would check for an ACL; if it does not find any allow ACL, it drops the packet. That's what the FW would do now.

"out"

                  outside (ASA) inside

                                       --------------------------------------> "out"

This acl woudl be applied to traffic going out of the inside interface.

Why we prefer 'in' ACLs is because it is always advisable to block traffic as close to the source as possible, hence your access-group:

access-group BLOCK-PORTS in interface outside

looks good.

The ACL applied as:

access-group BLOCK-PORTS in interface inside

would be same as:

access-group BLOCK-PORTS out interface outside

But the preferred one would be in interface inside.

I hope I was able to clear up your confusion, but if you have any questions do let me know.

Thanks,

Varun

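The configuration the thread converges on, written out as an added example that is not part of any post above: a service object-group holding the unneeded destination ports (the approach Varun recommends in his second reply), an ACL that denies those ports and then explicitly permits everything else (because, as Varun notes, binding any ACL to the inside interface replaces the implicit higher-to-lower permit with an implicit deny, which is exactly what blocked all of Doug's traffic), bound in the 'in' direction on the inside interface since inside-to-outside traffic enters the ASA there, and the packet-tracer and hit-count checks that answer the original question of how to test the ACL. The ACL name BLOCK-PORTS comes from the thread; the port list, the object-group name and the addresses 192.168.1.10 and 203.0.113.5 are assumptions for illustration. Syntax is ASA 8.3+ (the poster runs 8.4).

```text
! Added example (not from the original thread). Object-group name, port list and
! addresses are assumptions; only the ACL name BLOCK-PORTS comes from the discussion.
!
! Group the destination ports to block so the ACL stays short and readable.
object-group service BLOCKED-OUT-PORTS
 service-object tcp destination eq 102
 service-object udp destination eq 102
 service-object tcp destination eq 135
 service-object tcp destination eq 445
!
! Deny the grouped ports from any inside host to any destination, then permit the rest.
! The final permit is required: once an ACL is bound to the inside interface the
! implicit higher-to-lower permit no longer applies and the ACL ends with an
! implicit deny ip any any. "log" on the deny line records each hit via syslog 106100.
access-list BLOCK-PORTS extended deny object-group BLOCKED-OUT-PORTS any any log
access-list BLOCK-PORTS extended permit ip any any
!
! Outbound traffic enters the ASA on the inside interface, so bind the ACL "in" there.
access-group BLOCK-PORTS in interface inside
!
! Testing. packet-tracer runs a synthetic packet through the full processing path and
! reports each phase; the ACCESS-LIST phase names the matching ACE and ALLOW/DROP.
! Assumed inside host 192.168.1.10, assumed public destination 203.0.113.5.
packet-tracer input inside tcp 192.168.1.10 40000 203.0.113.5 102
packet-tracer input inside tcp 192.168.1.10 40000 203.0.113.5 443
!
! Per-ACE hit counts show which lines real traffic is matching.
show access-list BLOCK-PORTS
```

The first packet-tracer should end in DROP at the ACCESS-LIST phase on the deny line; the second should reach ALLOW through the final permit. If the deny line's hit count in show access-list stays at zero while clients can still reach port 102, the ACL is bound to the wrong interface or direction for the flow being tested.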