08-10-2023 12:33 PM
Hello.
I need to stop a public IP address from entering the network. (I don't understand how it has access.)
If I configure an ACL, then it seems if I do not put "permit ip any any" at the end of the ACL, then all traffic will be denied; however, if I do put that command, then it seems I will be allowing all traffic.
But then again, the ASA is not supposed to be allowing low-to-high traffic.
QUESTION: What is the usefulness of an access-list on the outside interface going in? Doesn't it need "permit ip any any" at the end?
Please clarify?
Thank you.
08-10-2023 12:52 PM
@jmaxwellUSAF an ACL inbound on the outside interface controls traffic initiated on the outside of the ASA destined to devices behind the ASA. You only need this ACL if you are explicitly permitting inbound traffic (hosting a webserver or other services).
You would not "permit ip any any" inbound on the outside interface; you only explicitly permit the required inbound traffic and deny the rest (there is an implicit deny at the end of the ACL).
08-11-2023 03:07 AM
Hi,
Do you have an ACL and access-group applied on the ASA "outside" interface? You can verify using the show run access-group command.
As you've mentioned, a "low" security level interface, i.e. "outside" with security level 0, will NOT flow to a "higher" security level interface, i.e. "inside" with security level 100.
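As an added illustration of the accepted answer and of the access-group check above (example configuration, not from any poster in this thread): an inbound ACL on the "outside" interface that blocks one unwanted public source, permits only the hosted service, and relies on the implicit deny instead of a trailing "permit ip any any". The ACL name OUTSIDE_IN, the web server at 203.0.113.10 and the unwanted source 198.51.100.25 are constructed placeholders (RFC 5737 documentation addresses).

```cisco
! Added example (not the thread's own config). Names and addresses are assumptions:
! OUTSIDE_IN = ACL name, 203.0.113.10 = hosted web server, 198.51.100.25 = unwanted source.
!
! 1. Explicitly drop the unwanted public source before any permit lines.
!    "log" makes each drop visible in syslog and in "show access-list" hit counts.
access-list OUTSIDE_IN extended deny ip host 198.51.100.25 any log
!
! 2. Permit only the inbound services actually hosted behind the ASA.
!    On ASA 8.3 and later the ACL matches the server's real (untranslated) address,
!    so use the inside address here if the server is NATed.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
!
! 3. No "permit ip any any" at the end: the implicit deny already drops everything
!    not listed above. Return traffic for connections started from "inside" is
!    allowed by the stateful connection table, not by this ACL, so nothing breaks.
!    An explicit final deny is optional but gives you a visible hit counter.
access-list OUTSIDE_IN extended deny ip any any log
!
! 4. Apply the ACL inbound on the outside interface.
access-group OUTSIDE_IN in interface outside
!
! Verification (exec mode):
!   show run access-group          - confirms which ACL is bound to "outside"
!   show access-list OUTSIDE_IN    - shows per-line hit counts, including the denies
```

If the unwanted address is still reaching inside hosts with this in place, check whether it arrives through a different interface or an existing permit line whose hit count is rising.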