12-27-2012 02:30 PM - edited 03-11-2019 05:41 PM
Hi,
I have a question regarding mixing ACL permit and deny statements. I am using network object-groups. I have a specific requirement.
a. I have to permit access to a few ports on servers in object-groups
b. I have to deny all other ports to these servers in object-groups
c. I have to permit traffic to all other networks.
I am using the following ACLs. Is this going to achieve what I am trying to do by mixing permit and deny statements?
access-list OUTSIDE_IN extended permit tcp any object-group SMTP_SERVERS eq 465
access-list OUTSIDE_IN extended permit tcp any object-group SMTP_SERVERS eq 587
access-list OUTSIDE_IN extended deny ip any object-group SMTP_SERVERS log
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS-2 object-group http-https
access-list OUTSIDE_IN extended deny ip any object-group WEB_SERVERS-2 log
access-list OUTSIDE_IN permit ip any any
Is this workable on FWSMs? Any drawbacks for this method?
What is best way to implement ACLs so deleting an ACE or adding an ACE is simpler and manageable.
Thanks
12-27-2012 02:52 PM
Hi,
The above configuration does the following
It seems to me that this is an ACL to limit traffic from the Internet to your servers. The ACL configured for the "outside" interface usually only contains permit statements and all other traffic is denied by default. I wouldn't suggest using an ACE such as "permit ip any any" in an ACL that is controlling traffic that will be entering your LAN network.
I'd say the above configuration you listed is more common for traffic leaving your network/server than traffic entering your network/server. In some DMZs for example you might want to allow the servers to communicate to the LAN only with certain destination ports and block all other traffic to the LAN. And after that you would still want to give the server full access to Internet.
One example of such might be
access-list DMZ-IN remark Allow TCP/80 traffic to LAN
access-list DMZ-IN permit tcp host 10.10.10.10 10.10.20.0 255.255.255.0 eq 80
access-list DMZ-IN remark Deny all other TCP/UDP traffic to LAN
access-list DMZ-IN deny ip host 10.10.10.10 10.10.20.0 255.255.255.0
access-list DMZ-IN remark Allow all TCP/UDP traffic to other networks
access-list DMZ-IN permit ip host 10.10.10.10 any
Object-groups are a good way to keep the running-configuration in a clear format when ACL statements need to include many address ranges/IPs/ports/port ranges and you can't handle it by simply configuring them line by line.
A drawback of using object-groups could be when you have a lot of object-groups containing a lot of entries and the same object-groups are used frequently. This will eventually eat up resources from the FWSM, though I'd imagine it requires a lot of them. I have run into such a problem in a FWSM with multiple contexts where a single context reached its maximum amount of configured ACL rules. (This could have been changed by reallocating resources, but instead the other party agreed to "optimize" the ACL.)
Please rate if you have found any of the information helpful
- Jouni
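Both ACLs in this thread rely on the same property: an FWSM/ASA extended ACL is evaluated top to bottom and the first matching ACE decides, with an implicit deny at the end. The following evaluator is an added illustration, not code from Cisco or from either poster. It parses the exact ACE syntax used above (any / host / object-group / network-mask addresses, eq PORT or a service object-group, optional log) and applies first-match semantics. The member addresses of SMTP_SERVERS and WEB_SERVERS-2 and the probe addresses are constructed for the example; the original posts never list them.

```python
"""First-match evaluator for the FWSM/ASA-style extended ACLs quoted in the thread.

Added illustration, not Cisco code. Object-group membership is constructed
(hypothetical addresses); only the ACE syntax used in the posts is parsed:
  access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT | object-group SVC] [log]
where SRC/DST is 'any', 'host A.B.C.D', 'object-group NAME' or 'NET MASK'.
"""
import ipaddress
from dataclasses import dataclass

# Constructed group contents (RFC 5737 documentation addresses); not from the posts.
NETWORK_GROUPS = {
    "SMTP_SERVERS": ["192.0.2.10/32", "192.0.2.11/32"],
    "WEB_SERVERS-2": ["192.0.2.20/32"],
}
SERVICE_GROUPS = {"http-https": [80, 443]}

# The questioner's ACL, as posted.
OUTSIDE_IN = [
    "access-list OUTSIDE_IN extended permit tcp any object-group SMTP_SERVERS eq 465",
    "access-list OUTSIDE_IN extended permit tcp any object-group SMTP_SERVERS eq 587",
    "access-list OUTSIDE_IN extended deny ip any object-group SMTP_SERVERS log",
    "access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS-2 object-group http-https",
    "access-list OUTSIDE_IN extended deny ip any object-group WEB_SERVERS-2 log",
    "access-list OUTSIDE_IN permit ip any any",
]

# The DMZ example from the answer, remarks included (they are skipped by the parser).
DMZ_IN = [
    "access-list DMZ-IN remark Allow TCP/80 traffic to LAN",
    "access-list DMZ-IN permit tcp host 10.10.10.10 10.10.20.0 255.255.255.0 eq 80",
    "access-list DMZ-IN remark Deny all other TCP/UDP traffic to LAN",
    "access-list DMZ-IN deny ip host 10.10.10.10 10.10.20.0 255.255.255.0",
    "access-list DMZ-IN remark Allow all TCP/UDP traffic to other networks",
    "access-list DMZ-IN permit ip host 10.10.10.10 any",
]


@dataclass
class ACE:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol; "tcp"/"udp" must match exactly
    src: str      # "group:NAME" or a CIDR/netmask string
    dst: str
    ports: tuple  # () means any destination port
    log: bool


def _take_addr(tok, i):
    """Consume one address spec starting at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return "0.0.0.0/0", i + 1
    if tok[i] == "host":
        return tok[i + 1] + "/32", i + 2
    if tok[i] == "object-group":
        return "group:" + tok[i + 1], i + 2
    return tok[i] + "/" + tok[i + 1], i + 2  # NET MASK form


def parse_ace(line):
    tok = line.split()
    i = 2
    if tok[i] == "extended":  # keyword is optional on the FWSM/ASA
        i += 1
    action, proto = tok[i], tok[i + 1]
    i += 2
    src, i = _take_addr(tok, i)
    dst, i = _take_addr(tok, i)
    ports = ()
    if i < len(tok) and tok[i] == "eq":
        ports = (int(tok[i + 1]),)
        i += 2
    elif i < len(tok) and tok[i] == "object-group":  # service object-group
        ports = tuple(SERVICE_GROUPS[tok[i + 1]])
        i += 2
    return ACE(action, proto, src, dst, ports, "log" in tok[i:])


def parse_acl(lines):
    """Parse an ACL in order, dropping remark lines, which carry no match logic."""
    return [parse_ace(ln) for ln in lines if ln.split()[2] != "remark"]


def _match_addr(spec, ip):
    addr = ipaddress.ip_address(ip)
    nets = NETWORK_GROUPS[spec[6:]] if spec.startswith("group:") else [spec]
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, index of the first matching ACE); index None is the implicit deny."""
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_match_addr(ace.src, src) and _match_addr(ace.dst, dst)):
            continue
        if ace.ports and dport not in ace.ports:
            continue
        return ace.action, idx
    return "deny", None


if __name__ == "__main__":
    out = parse_acl(OUTSIDE_IN)
    for dst, port in [("192.0.2.10", 465), ("192.0.2.10", 25), ("198.51.100.9", 22)]:
        print("OUTSIDE_IN tcp ->", dst, port, evaluate(out, "tcp", "203.0.113.7", dst, port))
    # Moving the "deny ip any object-group SMTP_SERVERS" ACE above the two permits
    # shows why ACE order, not just content, decides the outcome.
    reordered = [out[2]] + out[:2] + out[3:]
    print("reordered tcp -> 192.0.2.10 465", evaluate(reordered, "tcp", "203.0.113.7", "192.0.2.10", 465))
```

Run it to see that TCP/465 to an SMTP server is permitted by the first ACE, TCP/25 to the same server falls through to the deny, and TCP/22 to an unrelated address reaches the final "permit ip any any" (the ACE Jouni advises against on an outside interface); in the DMZ-IN case, a source other than 10.10.10.10 matches nothing and hits the implicit deny. The reordered copy shows the same ACEs producing a deny for TCP/465 once the deny precedes the permits, which is the practical point when inserting or deleting ACEs later.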