09-02-2017 11:20 PM - last edited on 02-21-2020 11:34 PM by cc_security_adm
I just sat through a teaching where the instructor gave an example of a security issue & how to resolve it. A server on a LAN behind an ASA had 350 IP addresses attempting to SSH into it overnight (brute force attack). The instructor then checked the ingress ACL on the WAN interface & he found a Permit Any eq SSH rule in the ACL (which was the problem). His solution was to create a Network Object & he put the 350 addresses into it. He told us it was too cumbersome to add 350 Deny rules for each address in the ACL, which I agreed with. He proceeded to add a Permit rule for one address (3.3.3.3), which is the remote management IP (wouldn't want to block support), & a Deny rule for the Network Object containing the 350 addresses. Here is my issue...
1) Doesn't an ACL have an Implicit Deny at the bottom? If so, wouldn't it be sufficient enough to just have your allow rule for the remote support IP (3.3.3.3) & nothing else? The Implicit Deny would take care of denying the 350 addresses or any other address not specified with a permit rule, correct?
I included a snapshot of the putty session which shows everything I mentioned in this post. I sure could use some help because I am pretty confused about Deny rules in an ACL being that there is already an Implicit Deny.
09-03-2017 04:09 AM
You are correct - the implicit deny will block any traffic not explicitly allowed.
One reason why we sometime use explicit deny statements is to get log entries for the traffic blocked by the ACL. That's because, while both methods will block the traffic, the implicit deny does so "silently".
09-03-2017 07:43 AM
That makes sense. By log entries I assume you mean hit counts on the Show Access-Lists output?
09-03-2017 08:03 AM - edited 09-03-2017 08:04 AM
Hit counts are one part of it. More informative are the actual syslog entries. Those tell you the 5-tuple (protocol, source and destination address and port) for connections denied by the ACL.
09-03-2017 08:53 AM
Ok I see. Does every version of ASA have 5 tuple entries available or is there a special feature pack that needs to be activated in the ASA? Is it just as simple as doing a Show Log?
09-03-2017 09:03 AM
Logging is available on all platforms and versions of the ASA. No special license is needed. You can log to console, log buffer, ASDM or remote syslog servers.
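As an added illustration (not part of the original thread), here is how the three ACL variants discussed above look in ASA syntax: the original over-permissive rule, the minimal rule that relies on the implicit deny, and the explicit deny with the `log` keyword that produces the syslog 5-tuple entries. The ACL name OUTSIDE_IN, the object names, the server address 10.10.10.5 and the syslog server 10.10.10.50 are assumed values, not from the post.

```cisco
! --- Problem configuration (what the instructor found) ---
! Any source on the Internet may reach the server's SSH port.
object network SSH_SERVER
 host 10.10.10.5
access-list OUTSIDE_IN extended permit tcp any object SSH_SERVER eq ssh

! --- Minimal fix: rely on the implicit deny ---
! Only the remote support host is permitted; every other source is
! dropped by the implicit deny at the end of the ACL, but silently
! (no %ASA-4-106023 syslog message, only the implicit-deny hit count).
access-list OUTSIDE_IN extended permit tcp host 3.3.3.3 object SSH_SERVER eq ssh

! --- Same result, but with visibility ---
! An explicit deny with "log" produces a syslog entry carrying the
! 5-tuple (protocol, source/destination address and port) for each
! denied SSH attempt, so brute-force sources show up in the log.
access-list OUTSIDE_IN extended permit tcp host 3.3.3.3 object SSH_SERVER eq ssh
access-list OUTSIDE_IN extended deny tcp any object SSH_SERVER eq ssh log
access-group OUTSIDE_IN in interface outside

! --- Send those entries somewhere useful ---
logging enable
logging buffered warnings
logging trap warnings
logging host inside 10.10.10.50
```

Because the explicit deny already matches every non-3.3.3.3 source, the 350-address network object is not needed to block the attackers; a per-address object group only adds value if you want different logging or handling for that specific set.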
09-03-2017 09:58 AM
Thanks