Solved: ASA ACL

Tahir Sultanov · ‎08-12-2016

Hello,

I have one silly quesiton maybe. When we create acl for the inside interface of ASA for example, we define some rules etc., and then it is wanted that inside subnet should access the internet. Then we write the next rule at the end:
access-list inside_in extended permit ip object inside_net any

When this line is written, all the previous lines are non-sense then, because it will allow inside traffic to go everywhere. Is there any suggestion or best practise?

Regards and thanks for the response.

Luke Oxley · ‎08-13-2016

mr_sultanov,

Thanks for your post. This question depends on the type of traffic the firewall gets sent. Remember, the way in which access control lists work is TOP DOWN. So, when the firewall received a packet on that interface it will logically go through the access control list entries or "ACEs" from the top down until it finds a match and will then action what the first matched rule defines whether it be permit or deny. It is not based on the most specific criteria, it is just the first match from the top down.

Here is a simple example:

access-list 100 deny ip 192.168.0.0 255.255.0.0 any
access-list 100 permit ip 192.168.1.50 255.255.255.0 any

In this example, the second line is basically pointless, as the traffic from 192.168.1.50 will match against line 1 first and get DENIED.

The best practice for configuring an access control list is using something called the implicit deny, which is essentially a rule that sits right at the bottom of the list and denies everything. You then add specific permit rules of flows you wish to permit ABOVE the implicit deny.

access-list 100 permit ip 10.10.0.0 255.255.255.0 any
access-list 100 permit ip 192.168.0.0 255.255.0.0 172.16.6.0 255.255.255.0
access-list 100 deny ip any any

In the above example, anything that doesn't match against the first two lines will be DENIED. Note that you do not have to add the implicit deny rule in manually as per the above example. Although it is not shown, once you create an access control list and apply in ingress or egress to an interface it will have an implicit deny and start denying traffic by default.

I hope that makes sense and helps, please let me know if not and I will divulge further.

Kind regards,

Luke Oxley

Please rate helpful posts and mark correct answers.

View solution in original post

Luke Oxley · ‎08-13-2016

mr_sultanov,

Thanks for your post. This question depends on the type of traffic the firewall gets sent. Remember, the way in which access control lists work is TOP DOWN. So, when the firewall received a packet on that interface it will logically go through the access control list entries or "ACEs" from the top down until it finds a match and will then action what the first matched rule defines whether it be permit or deny. It is not based on the most specific criteria, it is just the first match from the top down.

Here is a simple example:

access-list 100 deny ip 192.168.0.0 255.255.0.0 any
access-list 100 permit ip 192.168.1.50 255.255.255.0 any

In this example, the second line is basically pointless, as the traffic from 192.168.1.50 will match against line 1 first and get DENIED.

The best practice for configuring an access control list is using something called the implicit deny, which is essentially a rule that sits right at the bottom of the list and denies everything. You then add specific permit rules of flows you wish to permit ABOVE the implicit deny.

access-list 100 permit ip 10.10.0.0 255.255.255.0 any
access-list 100 permit ip 192.168.0.0 255.255.0.0 172.16.6.0 255.255.255.0
access-list 100 deny ip any any

In the above example, anything that doesn't match against the first two lines will be DENIED. Note that you do not have to add the implicit deny rule in manually as per the above example. Although it is not shown, once you create an access control list and apply in ingress or egress to an interface it will have an implicit deny and start denying traffic by default.