ASA 5505 - implicit rule

kooper390
Level 1

Hi all,

What is the purpose of the "Permit all traffic to less secure networks" rule?

Well, I know the purpose, and the technique of handling some security levels is nice. But what kind of help is it, when I cannot add a rule without deleting this implicit rule?

The technique of security level is then obsolete???

Or is there a way to use the security level further?

Regards

8 Replies

Collin Clark
VIP Alumni

The role of the security levels is to determine what networks are trusted and to determine where NAT is needed (i.e. inside to outside). I agree that the implicit permit is a bit strange. I create an ACL with appropriate permits and denies and apply it inbound to the inside interface.

Well, I think I understand, but can I use the "Permit all traffic to less secure networks" rule with other rules?

Btw, what is the difference between the "Access Rules" menu and the "ACL Manager"?

I take it you're working in ASDM? I don't use that, so I'll have to explain the concept and hopefully someone else can help with the GUI part of it. The implicit permit is not shown in the (CLI) config. As soon as you create an ACL and apply it to an interface, there is now an implicit deny at the end. So to answer your questions, could you use it with other rules? Yes, but it won't work because of the implicit deny, and no, because when you create a rule set, the implicit permit is no longer used. Best practice is to create an ACL and apply it to the interface. You can have a permit any any and you'll see the ACL, which is a great reminder that there is something there. My base rule set for the inside (to outside) allows DNS, HTTP, HTTPS, ICMP. It then allows SMTP only for the email server and then blocks all other SMTP. IMO that ACL with a permit any any at the end is better than the implicit permit.
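As an added illustration (my own config, not something posted in this thread), here is what the inside-to-outside rule set Collin describes looks like in ASA CLI. The inside subnet 192.168.1.0/24, the mail server 192.168.1.25, the ACL name INSIDE_IN and the interface names are assumed values.

```cisco
! Added example, not from the thread. Assumed: inside = Vlan1 (security-level 100),
! inside subnet 192.168.1.0/24, mail server 192.168.1.25.
interface Vlan1
 nameif inside
 security-level 100
!
! The ASA evaluates an ACL top-down, first match wins.
access-list INSIDE_IN remark --- name resolution and web from the whole inside subnet
access-list INSIDE_IN extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq domain
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list INSIDE_IN extended permit icmp 192.168.1.0 255.255.255.0 any
!
access-list INSIDE_IN remark --- SMTP: only the mail server; the permit must precede the deny
access-list INSIDE_IN extended permit tcp host 192.168.1.25 any eq smtp
access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 any eq smtp log
!
access-list INSIDE_IN remark --- explicit final permit; once an ACL is applied, the implicit
access-list INSIDE_IN remark --- permit to lower-security interfaces is gone and an implicit
access-list INSIDE_IN remark --- deny sits at the end, so anything not matched above is dropped
access-list INSIDE_IN extended permit ip any any
!
! Applying the ACL inbound on "inside" is what replaces the implicit high-to-low permit.
access-group INSIDE_IN in interface inside
```

The `log` keyword on the SMTP deny makes a non-mail host trying to send SMTP show up in syslog, which is the detection value of this rule set over the implicit permit.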

OK, there is no way to use the security level in an ACL!!??

Thanks for helping me!

regards

Nope. A security level defines an interface's trustworthiness, and an ACL permits and denies traffic on an interface. They go together to control traffic on an interface but are independent of each other.

Hello,

HIGH to LOW:

Well, it is like letting everyone who lives in your house leave the house to go wherever they please.

LOW to HIGH:

But, when people try to come into the house, they will be stopped (unless they are the ones who left the house returning back) at the gate and the guard checks their ID and then lets them in if he has them listed in the allowed list.

So, here you can take the family members inside the house as high security and wherever they would like to go as low security.

You could add a rule even for family members to restrict who can leave the house as they please and who isn't allowed to go outside at all.  But, this is optional and by default in the ASA platform anything from high security to low security is automatically allowed.

ACL Manager in ASDM is like a placeholder for all the access-lists that you have configured in the box. Some for VPN, some for interface ACLs, some for MPF, NAT etc. They will all show up here.

-KS

If you add a rule in the GUI, which automatically deletes the implicit allow, can you revert back? Meaning can you re-add the "implicit" rule back in? I accidentally made that mistake and fortunately I have not hit "apply" yet so I am kinda waiting in limbo.

Excellent job Collin. You stating that adding an ACL rule to an interface applies an implicit deny at the end was perfect! Appreciated that...
