07-27-2013 12:32 PM - edited 03-11-2019 07:17 PM
I have two Inside interfaces, Inside90 (security=90) and Inside100 (security=100)
Inside100 is used only for VPN tunnels, and occasional patch updates.
Inside90 is open to all internet browsing
I have two Outside interfaces, Outside1 and Outside2 (both have security=0).
( I NAT all traffic so as to use the Outside1 or Outside2 interface IP. )
Inside90 can utilize the internet at all times.
Inside100 can only connect to other tunnels; however, every Sunday at midnight, for one hour, I will open the access-list to all internet access.
This should allow the applications on the Inside100 to retrieve patches and updates.
I use an access-list with a time range on it.
I think I do not need access-lists on the Outside1 and Outside2; let them deny any.
In the lab I place a timed ACL on the Inside100; "permit Inside100subnet any Sunday 00:00 to 01:00"
That seems to work, but it gets placed on Inside100 inbound. Shouldn't it be placed on Inside100 outbound?
I get confused on the ASDM GUI, where it says "inbound".
Is my logic correct, or am I opening a giant hole in my ASA?
And why is it "inbound"?
Many thanks.
07-28-2013 02:04 PM
Hi,
The terms "inbound" and "outbound" when related to the "access-group" command that attaches ACLs to interfaces have to be considered from the perspective of the interface in question.
If you have an "inside" interface with an ACL attached in the direction "in" it will mean that it controls all traffic inbound to that interface. If you have the ACL attached in the direction "out" it will mean that it controls all traffic outbound from that interface towards any network behind that interface.
You might first think that inbound traffic is something coming from an external network and outbound would be something leaving from your network. Well, it might be true if it was considered with that logic, BUT when we are looking at the interfaces themselves it doesn't work that way; it's quite the opposite.
Hopefully that made some sense.
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni
07-29-2013 01:19 AM
Hey Jimmyc
Try this
Create a time range
time-range 10
periodic Sunday 00:00 to 01:00
Create an access list
access-list 101 permit ipsec any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit ip
Apply this inbound to the inside interface.
Hope this helps you.
Thanks
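Putting the two replies together (Jouni's explanation that "in" means packets the interface receives from its own network, and the time-range approach), here is an added configuration example for the scenario in the question. It is not from any reply in this thread. The interface name Inside100 and the Sunday 00:00 to 01:00 window come from the question; the subnets, object-group names, the ACL name and the time-range name are assumptions chosen for illustration.

```cisco
! Added example, not from any reply in this thread. Interface name Inside100
! and the Sunday window come from the question; subnets and object names
! are assumed values.

! Weekly maintenance window. The time-range is evaluated against the ASA's
! own clock, so set clock timezone / NTP before relying on it.
time-range SUNDAY_PATCH_WINDOW
 periodic Sunday 00:00 to 01:00

! Local subnet behind Inside100 and the remote L2L VPN subnets (assumed values)
object-group network INSIDE100_NET
 network-object 10.100.0.0 255.255.255.0
object-group network L2L_REMOTE_NETS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0

! This ACL is evaluated on packets ENTERING the ASA on Inside100, i.e. what
! the Inside100 hosts send. That is the "in" direction from the interface's
! point of view, which is why ASDM labels it inbound.
! 1) Always allow traffic toward the L2L VPN peers' networks.
access-list INSIDE100_IN extended permit ip object-group INSIDE100_NET object-group L2L_REMOTE_NETS
! 2) Allow everything else only while the time-range is active.
access-list INSIDE100_IN extended permit ip object-group INSIDE100_NET any time-range SUNDAY_PATCH_WINDOW
! 3) Explicit deny with logging so blocked attempts outside the window are visible
!    (there is an implicit deny at the end of every ACL anyway).
access-list INSIDE100_IN extended deny ip any any log

access-group INSIDE100_IN in interface Inside100
```

Outside the window, `show access-list INSIDE100_IN` marks the time-range line as inactive and its hit counts stop increasing, which is a quick way to confirm the schedule is doing what you expect; `show clock` confirms the time zone the window is measured in. Two ASA behaviours matter for the rest of the design in the question: IKE and ESP terminating on Outside1 or Outside2 are traffic to the ASA itself and are not subject to the interface ACLs applied with `access-group`, and decrypted VPN traffic arriving on the outside interfaces bypasses the outside ACL while `sysopt connection permit-vpn` (the default) is enabled. So leaving the outside interfaces with no ACL (implicit deny) does not break the L2L tunnels, and the single inbound ACL on Inside100 is what decides whether those hosts can reach anything other than the VPN networks.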
07-28-2013 07:46 PM
Thanks Jouni, but not quite clear yet. Please allow me to restate the question.
1. What would be the correct configuration for Inside100 to block all traffic, inbound and outbound, except for permitted L2L VPNs? (The default would allow web surfing, which I don't want.)
2. What would be the correct ACL to apply so that one hour a week, I do allow websurfing, and where would it be applied?
Thanks.