Solved: Re: ASA5525- What is use of outside interface ACL in?

jmaxwellUSAF · ‎08-10-2023

Hello.

I need to stop a public IP address from entering the network. (I dont understand how it has access.)

If I configure an ACL, then it seems if i do not put at end of ACL "permit IP any any", then all traffic will be denied; however, if I do put that commend, then it seems i will be allowing all traffic.

But then again , the ASA is not supposed to be allowing low to high traffic.

QUESTION: What us the usefulness of an access-list on the outside interface going in? Doesn't it need at end "permit ip any any?"

Please clarify?

Thank you.

Rob Ingram · ‎08-10-2023

@jmaxwellUSAF an ACL inbound on the outside interface controls traffic initiated on the outside of the ASA destined to devices behind the ASA. You only need this ACL if you are explictly permitting inbound traffic (hosting a webserver or other services).

You would not "permit ip any any" inbound on the outside interface, you only explictly permit the required inbound traffic and deny the rest (there is an implicit deny at the end of the ACL).

View solution in original post

Rob Ingram · ‎08-10-2023

@jmaxwellUSAF an ACL inbound on the outside interface controls traffic initiated on the outside of the ASA destined to devices behind the ASA. You only need this ACL if you are explictly permitting inbound traffic (hosting a webserver or other services).

You would not "permit ip any any" inbound on the outside interface, you only explictly permit the required inbound traffic and deny the rest (there is an implicit deny at the end of the ACL).

johnlloyd_13 · ‎08-11-2023

hi,

do you have an ACL and access-group applied on the ASA "outside" interface? you can verify using show run access-group command.

as you've mentioned "low" security level interface, i.e. "outside" with security level 0 will NOT flow to "higher" security level interface, i.e. "inside" with security level 100.