ACLs on Cisco FWSM

S891

Hi,

I have a question regarding mixing ACL permit and deny statements. I am using network object-groups. I have a specific requirement.

a. I have to permit access to a few ports on the servers in the object-groups

b. I have to deny all other ports to these servers in the object-groups

c. I have to permit traffic to all other networks.

I am using the following ACLs. Is this going to achieve that? I am trying to do it by mixing permit and deny statements.

access-list OUTSIDE_IN extended permit tcp any object-group SMTP_SERVERS eq 465
access-list OUTSIDE_IN extended permit tcp any object-group SMTP_SERVERS eq 587
access-list OUTSIDE_IN extended deny ip any object-group SMTP_SERVERS log
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS-2 object-group http-https
access-list OUTSIDE_IN extended deny ip any object-group WEB_SERVERS-2 log
access-list OUTSIDE_IN permit ip any any

Is this workable on FWSMs? Are there any drawbacks to this method?

What is the best way to implement ACLs so that deleting an ACE or adding an ACE is simpler and more manageable?

Thanks


Jouni Forss

Hi,

The above configuration does the following:

  • Allows connections to IPs/networks under SMTP_SERVERS from "any" source address when using destination port TCP/465 or TCP/587
  • Denies all other TCP/UDP connections to the IPs/networks under SMTP_SERVERS
  • Allows connections to IPs/networks under WEB_SERVERS-2 from "any" source address when using the destination ports configured under http-https
  • Denies all other TCP/UDP connections to the IPs/networks under WEB_SERVERS-2
  • Permits all the rest of the traffic, no matter what the source and destination IP/port are

It seems to me that this is an ACL to limit traffic from the Internet to your servers. The ACL configured for the "outside" interface usually only contains permit statements, and all other traffic is denied by default. I wouldn't suggest using an ACE such as "permit ip any any" in an ACL that is controlling traffic that will be entering your LAN network.

I'd say the above configuration you listed is more common for traffic leaving your network/server than for traffic entering your network/server. In some DMZs, for example, you might want to allow the servers to communicate with the LAN only on certain destination ports and block all other traffic to the LAN. After that you would still want to give the server full access to the Internet.

One example of such might be

access-list DMZ-IN remark Allow TCP/80 traffic to LAN
access-list DMZ-IN permit tcp host 10.10.10.10 10.10.20.0 255.255.255.0 eq 80
access-list DMZ-IN remark Deny all other TCP/UDP traffic to LAN
access-list DMZ-IN deny ip host 10.10.10.10 10.10.20.0 255.255.255.0
access-list DMZ-IN remark Allow all TCP/UDP traffic to other networks
access-list DMZ-IN permit ip host 10.10.10.10 any

Object-groups are a good way to keep the running-configuration in a clear format when ACL statements need to include many address ranges/IPs/ports/port ranges and you can't handle it by simply configuring them line by line.

A drawback of using object-groups could be when you have a lot of object-groups containing a lot of entries and the same object-groups are used frequently. This will eventually eat up resources from the FWSM, though I'd imagine it requires a lot of them. I have run into such a problem in a FWSM with multiple contexts where a single context reached its maximum amount of configured ACL rules. (This could have been changed by reallocating resources, but instead the other party agreed to "optimize" the ACL.)

Please rate if you have found any of the information helpful.

- Jouni
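Both the questioner's OUTSIDE_IN list and the DMZ-IN example in the reply depend on the same thing: the FWSM walks the ACL top to bottom, the first matching ACE decides, and anything that matches nothing hits the implicit deny at the end. The simulator below is an added illustration of that evaluation, not code from this thread or from Cisco. It parses the two ACLs exactly as posted and probes them with constructed flows. The contents of SMTP_SERVERS, WEB_SERVERS-2 and http-https are assumed (the thread never shows them), and the test addresses come from documentation ranges. It also shows what happens when "permit ip any any" is moved to the top: every deny below it becomes dead, which is why order, not just the mix of permits and denies, is what the list really expresses.

```python
"""First-match simulator for the FWSM/ASA-style extended ACLs in this thread.

Added illustration, not Cisco code. It handles only the syntax the two posted
ACLs use: permit/deny, protocol ip/tcp/udp, 'any' / 'host A' / 'A MASK' /
'object-group G' addresses, and an optional 'eq PORT' or 'object-group G'
destination port. 'remark' lines and the trailing 'log' keyword are ignored.
"""
import ipaddress
from dataclasses import dataclass

# Assumed object-group contents: the thread never shows them.
NETWORK_GROUPS = {
    "SMTP_SERVERS": ["192.0.2.10/32", "192.0.2.11/32"],
    "WEB_SERVERS-2": ["192.0.2.32/29"],
}
SERVICE_GROUPS = {"http-https": [80, 443]}

ANY = (ipaddress.ip_network("0.0.0.0/0"),)


@dataclass(frozen=True)
class ACE:
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches every protocol
    src: tuple         # tuple of ip_network objects
    dst: tuple
    dports: frozenset  # empty set means any destination port

    def matches(self, proto, src_ip, dst_ip, dport):
        return (
            self.proto in ("ip", proto)
            and any(src_ip in n for n in self.src)
            and any(dst_ip in n for n in self.dst)
            and (not self.dports or dport in self.dports)
        )


def _parse_addr(tok, i):
    """Consume an address spec starting at tok[i]; return (networks, next_index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (ipaddress.ip_network(tok[i + 1] + "/32"),), i + 2
    if tok[i] == "object-group":
        nets = tuple(ipaddress.ip_network(n) for n in NETWORK_GROUPS[tok[i + 1]])
        return nets, i + 2
    # "A.B.C.D M.M.M.M": ipaddress accepts a dotted netmask directly
    return (ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False),), i + 2


def parse_acl(text):
    """Return {name: [ACE, ...]} preserving the configured order."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        name, rest = tok[1], tok[2:]
        if rest[0] == "extended":
            rest = rest[1:]
        action, proto = rest[0], rest[1]
        src, i = _parse_addr(rest, 2)
        dst, i = _parse_addr(rest, i)
        dports = frozenset()
        if i < len(rest) and rest[i] == "eq":
            dports = frozenset({int(rest[i + 1])})
        elif i < len(rest) and rest[i] == "object-group":
            dports = frozenset(SERVICE_GROUPS[rest[i + 1]])
        acls.setdefault(name, []).append(ACE(action, proto, src, dst, dports))
    return acls


def evaluate(aces, proto, src, dst, dport=0):
    """First matching ACE wins; no match falls through to the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, ace in enumerate(aces, 1):
        if ace.matches(proto, src_ip, dst_ip, dport):
            return f"{ace.action} (line {idx})"
    return "deny (implicit)"


# The two ACLs exactly as posted in the thread.
OUTSIDE_IN = """
access-list OUTSIDE_IN extended permit tcp any object-group SMTP_SERVERS eq 465
access-list OUTSIDE_IN extended permit tcp any object-group SMTP_SERVERS eq 587
access-list OUTSIDE_IN extended deny ip any object-group SMTP_SERVERS log
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS-2 object-group http-https
access-list OUTSIDE_IN extended deny ip any object-group WEB_SERVERS-2 log
access-list OUTSIDE_IN permit ip any any
"""

DMZ_IN = """
access-list DMZ-IN remark Allow TCP/80 traffic to LAN
access-list DMZ-IN permit tcp host 10.10.10.10 10.10.20.0 255.255.255.0 eq 80
access-list DMZ-IN remark Deny all other TCP/UDP traffic to LAN
access-list DMZ-IN deny ip host 10.10.10.10 10.10.20.0 255.255.255.0
access-list DMZ-IN remark Allow all TCP/UDP traffic to other networks
access-list DMZ-IN permit ip host 10.10.10.10 any
"""


def outside_in_results():
    """Probe the questioner's ACL with constructed flows from 203.0.113.7:
    the servers get only their listed ports, but the final ACE lets any
    port through to every other inside host (192.0.2.99 is in no group)."""
    acl = parse_acl(OUTSIDE_IN)["OUTSIDE_IN"]
    return {
        "smtp 587": evaluate(acl, "tcp", "203.0.113.7", "192.0.2.10", 587),
        "smtp 25": evaluate(acl, "tcp", "203.0.113.7", "192.0.2.10", 25),
        "smtp udp": evaluate(acl, "udp", "203.0.113.7", "192.0.2.11", 587),
        "web 443": evaluate(acl, "tcp", "203.0.113.7", "192.0.2.33", 443),
        "web 22": evaluate(acl, "tcp", "203.0.113.7", "192.0.2.33", 22),
        "other host 22": evaluate(acl, "tcp", "203.0.113.7", "192.0.2.99", 22),
    }


def reordered_results():
    """Same ACEs with 'permit ip any any' moved to the top: first match
    means every deny below it is dead code."""
    lines = OUTSIDE_IN.strip().splitlines()
    acl = parse_acl("\n".join([lines[-1]] + lines[:-1]))["OUTSIDE_IN"]
    return evaluate(acl, "tcp", "203.0.113.7", "192.0.2.10", 25)


def dmz_in_results():
    """Probe the reply's DMZ-IN example; a second DMZ host that no ACE
    names falls through to the implicit deny."""
    acl = parse_acl(DMZ_IN)["DMZ-IN"]
    return {
        "lan 80": evaluate(acl, "tcp", "10.10.10.10", "10.10.20.5", 80),
        "lan 443": evaluate(acl, "tcp", "10.10.10.10", "10.10.20.5", 443),
        "internet 443": evaluate(acl, "tcp", "10.10.10.10", "198.51.100.1", 443),
        "other dmz host": evaluate(acl, "tcp", "10.10.10.11", "198.51.100.1", 443),
    }


if __name__ == "__main__":
    for name, fn in (("OUTSIDE_IN", outside_in_results), ("DMZ-IN", dmz_in_results)):
        print(name)
        for probe, verdict in fn().items():
            print(f"  {probe:16} -> {verdict}")
    print("OUTSIDE_IN with permit-any first, smtp 25 ->", reordered_results())
```

The line numbers the simulator reports count ACEs only, skipping remarks, which is the same way the firewall numbers them when you display the list. Running the probes before and after any reordering or insertion is the cheapest way to confirm that a new ACE landed where you meant it to and that no deny further down has silently become unreachable.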
