5388 Views | 1 Helpful | 5 Replies

ASA software 8.3 and 8.4 and implicit deny rule in ACLs

Tomasz Mowinski
Level 1

Hi

I have found this in documentation (the same statement for version 8.3 and 8.4):

"

Access Control Implicit Deny

All access lists (except Extended access lists) have an implicit deny statement at the end, so unless you explicitly permit traffic to pass, it will be denied. For example, if you want to allow all users to access a network through the ASA except for one or more particular addresses, then you need to deny those particular addresses and then permit all others.

"

Does it mean that now all ACLs should have a manually created deny ip any any rule at the end? I have migrated one ASA to version 8.3 (no host connected and I can't test it) but after migration I don't see this rule at the end of all ACLs. Does it mean that all traffic will go through ACLs on all interfaces? I didn't find any information about this change in the documents describing new software features (http://www.cisco.com/en/US/customer/docs/security/asa/roadmap/asa_new_features.html#wp42715).

thanks in advance for the explanation

Tomek

5 Replies

varrao
Level 10

Hi Tomasz,

What this means is, on the ASA, if you are going from a higher security interface to a lower security interface, the firewall would implicitly allow users to go out of the interface, but if you are going from lower security to higher security, you would need an access-list to permit traffic.

What implicit deny means, for traffic going from lower to higher security, is that if the ASA sees an access-list being created to allow the source IP it would allow the traffic, but if there is no ACL present, it would drop it; that's what implicit means.

Now for going from higher security to lower security, if you don't apply the ACL on the interface, all traffic would be permitted to go out, but let's say you only want 10 hosts on the internal LAN to access the internet, then only those ten clients would be able to do so and the rest would be disallowed, because of the implicit deny, so that's what it means.

Don't get confused, the catch here is the security level rather than implicit deny rule.

Higher security to Lower security-----------> everything allowed

but if you apply any ACL for even a single host, the rest of the undefined traffic would be dropped.

Lower security to Higher security ---------------> ACL is very much necessary to allow traffic.

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao
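To make the two rules in this answer concrete, here is a small Python model (an added example, not Cisco code or anything posted in this thread) that decides a flow the way the reply describes: an applied ACL is matched top-down with an implicit deny at the end, and with no ACL applied the security levels decide. Interface names, levels and addresses are constructed; traffic between equal security levels is not covered in the thread and is treated as deny here as an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    """One access-list entry: action plus source/destination (CIDR or 'any')."""
    action: str  # "permit" or "deny"
    src: str
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        def hit(net: str, ip: str) -> bool:
            return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return hit(self.src, src_ip) and hit(self.dst, dst_ip)


@dataclass
class Interface:
    name: str
    security_level: int
    acl_in: Optional[List[Ace]] = None  # None = no access-group applied inbound


def evaluate(ingress: Interface, egress: Interface, src_ip: str, dst_ip: str) -> str:
    """Return 'permit' or 'deny' for a flow entering on ingress and leaving on egress."""
    if ingress.acl_in is not None:
        # ACL applied: first matching entry wins; no match hits the implicit deny.
        for ace in ingress.acl_in:
            if ace.matches(src_ip, dst_ip):
                return ace.action
        return "deny"
    # No ACL applied: higher -> lower security is allowed by default, lower -> higher is not.
    # Assumption: equal security levels are treated as deny in this model.
    return "permit" if ingress.security_level > egress.security_level else "deny"


# Constructed topology used by the checks below.
OUTSIDE = Interface("outside", 0)
INSIDE_NO_ACL = Interface("inside", 100)
# The reply's case: only a few inside hosts may reach the internet, the rest are dropped.
INSIDE_WITH_ACL = Interface("inside", 100, acl_in=[Ace("permit", "192.0.2.0/29", "any")])
# The documentation's case: deny particular addresses first, then permit all others.
DMZ = Interface("dmz", 50, acl_in=[Ace("deny", "198.51.100.7/32", "any"),
                                   Ace("permit", "any", "any")])

if __name__ == "__main__":
    print(evaluate(INSIDE_NO_ACL, OUTSIDE, "192.0.2.50", "203.0.113.1"))   # permit
    print(evaluate(OUTSIDE, INSIDE_NO_ACL, "203.0.113.1", "192.0.2.50"))   # deny
    print(evaluate(INSIDE_WITH_ACL, OUTSIDE, "192.0.2.50", "203.0.113.1")) # deny
```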

Hi Varun

Thanks for the explanation.

So there should be some mention of the security levels. This can confuse people.

For example: the same ACL used for VPNs will deny all traffic by default, so this statement:

"All access lists (except Extended access lists) have an implicit deny." is not true, because there is no mention of security levels. (This statement is describing extended ACLs in general, so it also concerns VPN ACLs.)

Here is the link to this document:

http://www.cisco.com/en/US/customer/docs/security/asa/asa84/configuration/guide/acl_overview.html#wp1077565

what do you think ?

best

Tomek

It should be there in some documentation, I'll search for it, but it is there in this doc as well, although not as explanatory, but still there:

The ASA does not allow any traffic from a lower security interface to a higher security interface unless it is explicitly permitted by an extended access list.

This section is only there to define different types of ACLs. I am sure it should be there in the config guide, let me dig it up.

Thanks,

Varun

Thanks,
Varun Rao

Here you go:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

Let me know if this resolves your query

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun

Thanks for your answer.

I understand how it works but I still think that this sentence is confusing.

best Tomek
