06-29-2013 09:07 AM - edited 03-11-2019 07:05 PM
Hi Everyone,
For testing purposes I applied an ACL on the outside interface of the ASA:
access-list outside_in extended deny ip any any   <-- for testing purposes only
Below are the ACL lines on the outside interface of the ASA:
access-list outside_in remark Allow ping from any device of outside interface of ASA to Switch in DMZ Network.   <-- works fine
access-list outside_in extended permit icmp any host 192.168.69.1 echo log   <-- does not work
access-list outside_in remark Allow Telnet from Outside interface to Switch in DMZ   <-- does not work
access-list outside_in extended permit tcp any host 192.168.69.1 eq telnet   <-- does not work
access-list outside_in remark Cut Through Proxy
access-list outside_in remark Allow HTTP access To DMZ Switch From Outside
access-list outside_in extended permit tcp any host 192.168.69.1 eq www log   <-- works fine
I read that ACL is used to control traffic that passes through the ASA so in this case it does not allow 3 ACL rules as traffic is passing through the
ASA to DMZ right?
Need to confirm the cut through proxy works fine even though we have ACL on outside deny any any because ASA is responding on behalf of DMZ switch ?
Also for cut through proxy traffic is coming for the ASA not passing through the ASA right?
Regards
Mahesh
06-30-2013 12:05 AM
Hello,
I read that ACL is used to control traffic that passes through the ASA so in this case it does not allow 3 ACL rules as traffic is passing through the
ASA to DMZ right?
Not sure what you mean. I mean, if you set this line as number one:
access-list outside_in extended deny ip any any
of course the other 3 ACL lines will not be taken into consideration.
If the access-group is applied in the inbound direction, it will apply to any traffic that crosses the Outside interface (to inside, DMZ or whatever).
Need to confirm the cut through proxy works fine even though we have ACL on outside deny any any because ASA is responding on behalf of DMZ switch ?
Also for cut through proxy traffic is coming for the ASA not passing through the ASA right?
Exactly, the cut-through proxy is an entirely different mechanism used to authenticate users while they are trying to access certain services.
Totally different from regular ACLs.
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
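As an added example (not from the thread), the following Python script models the first-match evaluation Julio describes: it parses the `access-list ... extended` lines from the question, skips remarks, and evaluates sample flows once with the test `deny ip any any` first and once with it moved to the end. It ignores the ICMP `echo` type qualifier and uses a constructed outside source address (203.0.113.5).

```python
import ipaddress

# Constructed sample config: the outside_in ACL from the question, with the
# test "deny ip any any" placed first, as in the post, so it shadows the rest.
ACL_TEXT = """
access-list outside_in extended deny ip any any
access-list outside_in remark Allow ping from outside to the DMZ switch
access-list outside_in extended permit icmp any host 192.168.69.1 echo log
access-list outside_in extended permit tcp any host 192.168.69.1 eq telnet
access-list outside_in extended permit tcp any host 192.168.69.1 eq www log
"""
PORTS = {"telnet": 23, "www": 80, "ssh": 22}  # service names used by 'eq'

def _addr(tok):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_acl(text):
    """Parse 'access-list NAME extended ...' lines; remarks are ignored."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        _, name, _, action, proto = tok[:5]
        src, rest = _addr(tok[5:])
        dst, rest = _addr(rest)
        port = None
        if rest and rest[0] == "eq":  # destination port, by name or number
            port = PORTS.get(rest[1]) or int(rest[1])
            rest = rest[2:]
        entries.append({"name": name, "action": action, "proto": proto,
                        "src": src, "dst": dst, "port": port,
                        "log": "log" in rest, "line": line})
    return entries

def evaluate(entries, proto, src, dst, dport=None):
    """First-match lookup with the ASA's implicit deny at the end.
    Returns (index, action, logged); index -1 means the implicit deny hit."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, e in enumerate(entries):
        if e["proto"] not in ("ip", proto) or s not in e["src"] or d not in e["dst"]:
            continue
        if e["port"] is not None and e["port"] != dport:
            continue
        return i, e["action"], e["log"]
    return -1, "deny", False

def move_deny_any_last(entries):
    """Return a copy with every blanket 'deny ip any any' moved to the end."""
    blanket = [e for e in entries if e["action"] == "deny" and e["proto"] == "ip"
               and e["src"].prefixlen == 0 and e["dst"].prefixlen == 0]
    return [e for e in entries if e not in blanket] + blanket
```

Run `evaluate(parse_acl(ACL_TEXT), "tcp", "203.0.113.5", "192.168.69.1", 80)` and the blanket deny at index 0 matches before the `www` permit ever gets a chance; after `move_deny_any_last`, the same flow hits the logged permit.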
06-30-2013 09:13 AM
Hi Julio,
You confirmed my thoughts.
Regards
Mahesh