ASA Outside Interface Best Practice

GRANT3779

Hi,

For an ASA Outside Interface (which has no inbound services as such) is there a need for an ACL on the Interface?

It provides NAT only and access to the Outside world is locked down Inbound on the Inside Interface. All return traffic would be allowed back due to the stateful nature of the ASA.

What is best practice for the Outside Interface? With it having a lower security level I assume traffic coming into it from the Outside would not be able to pass to the Inside due to the Security Levels alone?

1 Accepted Solution

You are right, with the given security-levels, no traffic that is initiated from outside will get into your network.

Some people still place an ACL with a line "deny ip any any" to the interface to see the hit count. I wouldn't say it's a best practice, but it's one valid way to handle it.

And remember that the ACLs on the ASA by default only filter transit traffic and not traffic that is sent to the ASA itself. You don't need any ACEs for that.

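The layout discussed in the question and the accepted answer, written out as an added ASA configuration example (this is not configuration from the original thread or from either poster; interface names, ACL names and the 192.168.1.0/24 inside network are assumed values):

```cisco
! Added example, not from the original thread. Interface names, ACL names
! and addresses are assumed for illustration.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! PAT for outbound traffic. Return packets are allowed by the stateful
! connection table, not by any inbound ACL on the outside interface.
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Policy applied inbound on inside: this is where outbound access is
! locked down, as the question describes.
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended permit udp 192.168.1.0 255.255.255.0 any eq 53
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Optional explicit deny on outside, as the answer describes. The security
! levels (0 -> 100) already drop outside-initiated traffic without this ACL;
! adding it only gives you a visible hit counter and, with "log", a syslog
! record of the dropped attempts.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

To see the counter the answer refers to, run `show access-list OUTSIDE_IN` and read the `hitcnt` value on the deny line; `clear access-list OUTSIDE_IN counters` resets it. Note that, as the answer points out, this interface ACL only filters transit traffic: packets addressed to the ASA itself (management access, VPN termination) are governed by the relevant service configuration rather than by `OUTSIDE_IN`.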

2 Replies

Thanks Karsten. That confirms my thinking process!
