ASA "inbound" access-list question, and timed ACLs

jimmyc_2
Level 1

I have two Inside interfaces, Inside90 (security=90) and Inside100 (security=100)

Inside100 is used only for VPN tunnels, and occasional patch updates.

Inside90 is open to all internet browsing

I have two Outside interfaces, Outside1 and Outside2  (both have security=0).

(I NAT all traffic so as to use the Outside1 or Outside2 interface IP.)

Inside90 can utilize the internet at all times.

Inside100 can only connect to other tunnels; however, every Sunday at midnight, for one hour, I will open the access-list to all internet access.

This should allow the applications on the Inside100 to retrieve patches and updates.

I use an access-list with a time range on it.

I think I do not need access-lists on the Outside1 and Outside2; let them deny any.

In the lab I place a timed ACL on the Inside100: "permit Inside100subnet any Sunday 00:00 to 01:00"

That seems to work, but it gets placed on Inside100 inbound. Shouldn't it be placed on Inside100 outbound?

I get confused on the ASDM GUI, where it says "inbound".

Is my logic correct, or am I opening a giant hole in my ASA?

And why is it "inbound"?

Many thanks.


3 Replies

Jouni Forss
VIP Alumni

Hi,

The terms "inbound" and "outbound" when related to the "access-group" command that attaches ACLs to interfaces have to be considered from the perspective of the interface in question.

If you have an "inside" interface with an ACL attached in the direction "in" it will mean that it controls all traffic inbound to that interface. If you have the ACL attached in the direction "out" it will mean that it controls all traffic outbound from that interface towards any network behind that interface.

You might first think that inbound traffic is something coming from an external network and outbound would be something leaving from your network. Well, it might be true if it was considered with that logic, BUT when we are looking at the interfaces themselves it doesn't work that way; it's quite the opposite.

Hopefully that made some sense.

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni

Thanks Jouni, but not quite clear yet. Please allow me to restate the question.

1. What would be the correct configuration for Inside100 to block all traffic, inbound and outbound, except for permitted L2L VPNs? (The default would allow websurfing, which I don't want)

2.  What would be the correct ACL to apply so that one hour a week, I do allow websurfing, and where would it be applied?

Thanks.

Hey Jimmyc

Try this

Create a time range

time-range 10
 periodic Sunday 00:00 to 01:00

Create an access list

access-list 101 extended permit esp any any

access-list 101 extended permit udp any any eq isakmp

access-list 101 extended permit ip any any time-range 10

Apply this inbound on the inside interface

Hope this helps you

Thanks
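Putting Jouni's explanation of ACL direction together with the timed-ACL reply, here is an added configuration example for the asker's Inside100 policy. It is not from this thread or from Cisco; the subnets, object-group name and ACL name are assumptions.

```cisco
! Added example, not from the thread: Inside100 hosts may reach the L2L remote
! subnets at any time and the whole internet only on Sundays 00:00-01:00.
! Subnets, object-group name and ACL name are assumed placeholders.

! Time range evaluated against the ASA's own clock, so keep it NTP-synchronised.
time-range PATCH-WINDOW
 periodic Sunday 00:00 to 01:00

! Networks behind the L2L tunnels (assumed values).
object-group network VPN-REMOTE-SUBNETS
 network-object 10.200.0.0 255.255.0.0
 network-object 192.168.50.0 255.255.255.0

! Applied "in" on Inside100: it filters packets entering the ASA from the
! Inside100 hosts, which is their outbound traffic. With no inbound ACL the
! security level (100) lets them reach Inside90 and both Outside interfaces.
access-list INSIDE100_IN remark Always allow traffic destined for the L2L tunnels
access-list INSIDE100_IN extended permit ip 10.100.0.0 255.255.255.0 object-group VPN-REMOTE-SUBNETS
access-list INSIDE100_IN remark Internet access only during the patch window
access-list INSIDE100_IN extended permit ip 10.100.0.0 255.255.255.0 any time-range PATCH-WINDOW
access-list INSIDE100_IN remark Explicit deny with logging so blocked attempts appear in syslog
access-list INSIDE100_IN extended deny ip any any log

access-group INSIDE100_IN in interface Inside100

! Return traffic for permitted sessions is allowed by stateful inspection, so
! no matching ACL is needed on Outside1 or Outside2.
```

Outside the window, `show access-list INSIDE100_IN` marks the time-range entry `(inactive)`, and `show time-range PATCH-WINDOW` reports whether it is currently active, which is the quickest way to confirm the schedule before relying on it.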
