09-24-2008 09:00 AM - edited 03-11-2019 06:48 AM
I'm having a small problem with my asa 5505. I have an inbound access list assigned to the inside interface allowing only ports 80, 443 and 53 out. I know in all other devices there's an implicit deny at the end of the access list, however on the 5505 (running version 8.03) it does not block ANYTHING unless I explicitly add a deny ip any any line to the end of the list. Any reason why that would happen??
09-25-2008 04:09 AM
There are 2 implicit rules:
1) Implicit - Permit all traffic to less secure networks
2) Implicit - Deny rule
HTH>
09-25-2008 05:09 AM
It can't be true.
Do you mean you have something like :
access-l 101 permit tcp any any eq 80
access-l 101 permit tcp any any eq 443
access-l 101 permit tcp any any eq 53
access-g 101 in interface inside
AND in spite of this, the rest of the ports are open. CAN'T BE TRUE..... please verify ...
Regards,
Sushil
09-25-2008 05:37 AM
Yes exactly...this is my acl:
access-list in_out extended permit tcp any any eq 80
access-list in_out extended permit tcp any any eq 443
access-list in_out extended permit udp any any eq 53
and still ALL traffic is permitted through. If I add access-list in_out extended deny ip any any at the very end, then all other traffic gets blocked.
09-25-2008 06:04 AM
That should not happen, unless you have a config error somewhere, or you should also type at the command line: clear xlate.
ANY established session thru the firewall will still be live until it's taken down and re-initiated.
If you are making the changes with existing sessions, you will not see any changes.
Also post your ACL config for review, including the access-group statement.
HTH>
09-25-2008 06:45 AM
I even went as far as rebooting the ASA just to make sure, and when it came up still all the traffic was allowed through. This is what the acl config looks like:
access-list in_out extended permit tcp any any eq 80
access-list in_out extended permit tcp any any eq 443
access-list in_out extended permit udp any any eq 53
access-group in_out in interface inside
This config allows all traffic through. I'm able to ping out, and I can do a telnet to random ports and watch the established tcp session syslog messages.
When I add a 4th line:
access-list in_out extended deny ip any any, all other traffic gets blocked. I can no longer ping out and when I do telnet tests I get the blocked by in_out access list syslog messages.
09-25-2008 06:58 AM
Try this :
no access-group in_out in interface inside
access-list in_out extended permit tcp any any eq 80
access-list in_out extended permit tcp any any eq 443
access-list in_out extended permit udp any any eq 53
access-group in_out in interface inside
Regards,
Sushil
09-24-2009 07:53 PM
I get the same behavior on our 5510 running 8.0(4). The inbound ACL on the inside interface allows everything... the implicit deny ACL doesn't seem to work. Have to put in a deny manually at the end of the ACL to get the expected behavior.
09-24-2009 08:25 PM
I found the cause of my issue. Workarounds 1 and 2 both work in fixing the issue. It may help you as well...
CSCsq91277
ACL - Implicit deny ip any any ACE may not work as expected
Symptom: Implicit deny any any may not work as expected. Traffic that is not permitted via the acl may be permitted even though the access-list may be applied on the higher security interface.
Conditions: This was first observed in an ASA running 8.0.4(3)
Workaround:
1. Remove the access-group line applied on the interface and re-apply it. Example:
no access-group acl-inside in interface inside
access-group acl-inside in interface inside
or
2. Add an explicit deny ip any any line at the bottom of the acl applied on that interface.
Further Problem Description: The following data collected may be helpful before contacting TAC: "sh asp table classify domain permit hits" and "sh asp table classify interface domain permit hits"
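A small audit helper, added here as an example (it is not from the thread, the bug write-up, or Cisco): it parses the access-list and access-group lines out of a saved running config, flags every interface-bound ACL whose last ACE is not an explicit deny ip any any, and emits the CLI for both workarounds from the bug description. The config fragment is constructed for the example, with the thread's in_out ACL and a second ACL that already ends in an explicit deny.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of an ASA running-config fragment (not captured from a
# real device). in_out mirrors the ACL in the thread; dmz_in is a control
# case that already ends with an explicit deny.
SAMPLE_CONFIG = """
access-list in_out extended permit tcp any any eq 80
access-list in_out extended permit tcp any any eq 443
access-list in_out extended permit udp any any eq 53
access-list dmz_in extended permit tcp any any eq 25
access-list dmz_in extended deny ip any any
access-group in_out in interface inside
access-group dmz_in in interface dmz
"""

ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_config(text: str) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Return {acl_name: [ace, ...]} in config order and {acl_name: interface}."""
    acls: Dict[str, List[str]] = {}
    groups: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
            continue
        m = GROUP_RE.match(line)
        if m:
            groups[m.group(1)] = m.group(2)
    return acls, groups


def audit(text: str) -> Dict[str, List[str]]:
    """For each interface-bound ACL that does not end in an explicit
    'deny ip any any', return the CLI for both workarounds: re-apply the
    access-group (lines 1-2) and append the explicit deny (line 3)."""
    acls, groups = parse_config(text)
    findings: Dict[str, List[str]] = {}
    for name, iface in groups.items():
        aces = acls.get(name, [])
        if aces and aces[-1] == "deny ip any any":
            continue  # explicit deny already present; nothing to do
        findings[name] = [
            f"no access-group {name} in interface {iface}",
            f"access-group {name} in interface {iface}",
            f"access-list {name} extended deny ip any any",
        ]
    return findings
```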
09-25-2008 06:46 AM
Please provide:
sh run access-g command output.
Also,
sh version would help too.
Regards,
Sushil