11-18-2008 08:20 AM - edited 03-11-2019 07:14 AM
Looking at a sample configuration, at:
Seems they are updating the outside access-list in order for the inside hosts to telnet and ssh to the outside. I was under the impression that this update should be done on the inside interface. Is this new on ASA? Because on PIX it was done on the inside ACL as of 7.0, and before that you did not need any access-list update to go from inside to outside.
11-19-2008 08:11 PM
The access-list mentioned in that document is 'optional'. You can very well skip it (depending on your security policy).
By default all higher >> lower communication is allowed. However, once you do make an access-list on the higher interface, the implicit 'deny ip any any' at the end of the ACL kicks in. You have to design your ACL based on that rule. As you know, the same is true for 'all' interfaces on a router. By default all is allowed, but once you put an ACL on it, the deny ip any any at the end comes into effect.
The document is just mentioning that ACL as a security best practice. The ACL for MPF is required though (outside_mpc).
Please rate if helpful.
Regards
Farrukh
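An added configuration example illustrating the answer above (not taken from the Cisco document or from the poster): the first fragment shows an ACL applied inbound on the inside interface that only permits HTTP, so the implicit deny at its end silently blocks the telnet and ssh sessions that were allowed before the ACL existed; the second fragment adds the explicit permits and the MPF pieces that reference the outside_mpc ACL named in the thread. The interface name inside, the 10.0.0.0/24 subnet, the ACL name inside_access_in, the class-map name telnet-ssh-timeout, the 30-minute value and the ASA 8.x `set connection timeout idle` syntax are all assumptions for this example.

```cisco
! --- Weak form (assumed example): ACL on the higher-security interface
! --- with only an HTTP permit. Telnet/ssh from inside now hit the
! --- implicit "deny ip any any" at the end and are dropped.
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq www
access-group inside_access_in in interface inside

! --- Corrected form (assumed example): every inside-to-outside flow the
! --- security policy allows must be permitted explicitly once the ACL exists.
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq telnet
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq ssh
! Optional: make the implicit deny visible in syslog for troubleshooting.
access-list inside_access_in extended deny ip any any log
access-group inside_access_in in interface inside

! --- MPF part, which the thread says is required regardless of the
! --- interface ACL: outside_mpc only selects traffic for the policy,
! --- it does not permit or deny anything by itself.
access-list outside_mpc extended permit tcp any any eq telnet
access-list outside_mpc extended permit tcp any any eq ssh
class-map telnet-ssh-timeout
 match access-list outside_mpc
policy-map global_policy
 class telnet-ssh-timeout
  set connection timeout idle 0:30:00
service-policy global_policy global
```

The two ACLs do different jobs: inside_access_in decides whether a packet is allowed through the interface at all, while outside_mpc is only a traffic selector for the class-map, so removing the interface ACL restores the default higher-to-lower permit without affecting the timeout policy.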
11-19-2008 07:27 PM
I could not access the link posted to see what it's trying to do.
But the ASA follows the same rules. Traffic flowing from a higher level inf to lower inf is permitted by default. "All things being equal"
Update post with working link so everyone can see it.
HTH
Chad
11-20-2008 05:34 AM
Hi Chad,
Not sure what is going on with the link. I just clicked on it, and it took me to the document; would you try again please? I did have to log into my Cisco account. The other way to get to it is by searching for the title, which is: "PIX/ASA 7.x and later/FWSM: Set SSH/Telnet/HTTP Connection Timeout using MPF Configuration Example".
Regards-
Sean
11-20-2008 05:42 AM
Just as an aside. The link you posted has /partner/ in the URL. If you just remove that bit it will work for all of us :-)
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080624e19.shtml
Obviously it doesn't work with every URL as partners have access to some information that others don't.
Jon