5662 Views | 0 Helpful | 6 Replies

Cisco ASA - Incoming and Outgoing ACL

XEmmeX (Level 1)

Hi all,

I'm just trying to clean up a Cisco ASA 5516 configuration and I just noticed that some network guy implemented a bunch of outgoing ACLs on a specific interface.
As far as I know, outgoing ACLs are usually not needed except in some cases, so I'd like to remove them and leave only incoming ACLs on all interfaces.

Should I simply delete all outgoing ACLs? Is it safe?

 

1 Accepted Solution: Florin's reply below (marked as the accepted solution).

6 Replies

Bogdan Nita (VIP Alumni)

You are right, outgoing ACLs are rare, but it depends on the config; I would not remove it before understanding the purpose of it.

A good point to start is looking at the hit counts and logs and seeing what traffic is being dropped/allowed.

Thank you, Bogdan.

 

Do you think they could interfere with normal traffic when outgoing ACLs are applied only on one of all the interfaces? At the moment they are applied only on the inside interface, while they are not present on outside or others.

My doubt is that the ASA just starts to "consider" all outgoing traffic once you create one single outgoing ACL, otherwise it should count only incoming rules. Am I right?

 

I think you need to read a bit more to understand in vs. out directions.
Let's see:
1. If you delete the ACL you risk dropping all traffic as long as the config "access-group acl_inside_out_direction OUT" is applied.

2. What I would do instead of hurrying to clean anything is take any rule from out_acl_direction that has hits and "migrate it" to the IN direction on the same interface.
This way you will fully understand the meaning, in case you miss something.

Good luck!

Hi Florin,

and that's the point. I just tried and it didn't work.

Let me explain.

2 interfaces: INSIDE & OUTSIDE

There's one server (172.16.1.10) coming from OUTSIDE that needs to access INSIDE resources (10.0.0.0/24).

I found 2 ACLs regarding this server, one in the INSIDE OUT and one in the OUTSIDE IN; the ACLs are identical, for protocols and direction.

Both ACLs are matched even though they are exactly the same! So I tried to remove the INSIDE OUT one and leave the OUTSIDE IN ACL, but it didn't work. In the logs I see Deny, even though the second ACL should allow the traffic.

That's driving me nuts :-/

I just thought that in order to clean all outgoing ACLs, I should delete them all, because it seems the ASA "takes into account" outgoing traffic once you add one single outgoing ACL.

If the INSIDE OUT and OUTSIDE IN ACLs are identical, which in theory they should be, you could simply remove the INSIDE OUT ACL.

Deleting any ACL entries still leaves you with the default DENY entry on the INSIDE OUT ACL, hence the need for the "no access-group ....." command.

Now there's a catch: in order to allow traffic from inside to outside, e.g. Internet browsing traffic, just apply a permit any any ACL named inside_in. This should be applied in the IN direction, on the inside interface.

Then after you acknowledge that production is fine, you can start filtering inside to outside traffic using inside_in.
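The two points Florin makes (an ACL that stays bound with "access-group ... out" keeps its implicit deny even after you delete its entries, so the binding itself has to go; and binding any ACL "in" on the inside interface brings the same implicit deny to inside-to-outside traffic, which is why a permit any any inside_in is needed first) can be checked against a small model of how the ASA walks a packet through interface ACLs. The script below is an added example written for this page; it is not Cisco code and not the poster's configuration. The ACL names, the 10.0.0.5 and 203.0.113.9 hosts and the DNS entry are assumptions, and the model deliberately ignores NAT, security levels and the connection table, so it reproduces only the ACL logic discussed in the thread.

```python
"""Simplified model of Cisco ASA interface ACL evaluation. Illustration only:
not Cisco code and not the thread's real configuration. Assumptions: a packet
is checked by the ACL bound "in" on its ingress interface, then by the ACL
bound "out" on its egress interface; a bound ACL ends with an implicit deny;
a direction with nothing bound is not filtered. NAT, security levels and
connection state are ignored."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any destination port
    hits: int = 0                # bumped on match, like hitcnt in 'show access-list'

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto) and src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


def _addr(tok, i):
    """Consume one ASA address spec (any | host A | A MASK); return (network, next index)."""
    if tok[i] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Parse 'access-list NAME extended ...' and '[no] access-group ...' lines into
    (acls: {name: [Ace]}, bindings: {(interface, 'in' | 'out'): acl name})."""
    acls, bindings = {}, {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:3] == ["extended"]:
            src, i = _addr(tok, 5)
            dst, i = _addr(tok, i)
            dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            acls.setdefault(tok[1], []).append(Ace(tok[3], tok[4], src, dst, dport))
        elif tok[:1] == ["access-group"]:        # access-group ACL in|out interface IF
            bindings[(tok[4], tok[2])] = tok[1]
        elif tok[:2] == ["no", "access-group"]:  # unbinds only; the ACEs stay in the config
            bindings.pop((tok[5], tok[3]), None)
    return acls, bindings


def evaluate(acls, bindings, ingress, egress, proto, src, dst, dport=None):
    """Return (verdict, reason) for one packet entering ingress and leaving egress."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for iface, direction in ((ingress, "in"), (egress, "out")):
        name = bindings.get((iface, direction))
        if name is None:
            continue                      # nothing bound here, so this stage filters nothing
        for ace in acls.get(name, []):
            if ace.matches(proto, src, dst, dport):
                ace.hits += 1
                if ace.action == "deny":
                    return "deny", f"{name} ({iface} {direction}): explicit deny"
                break                     # permitted at this stage, on to the next one
        else:
            return "deny", f"{name} ({iface} {direction}): implicit deny"
    return "permit", "permitted by every bound ACL"


# Constructed config mirroring the thread: one server allowed by identical ACEs
# bound in on outside and out on inside; nothing bound in on inside. ACL names
# and all addresses except the server's are hypothetical.
CONFIG = """\
access-list outside_access_in extended permit tcp host 172.16.1.10 10.0.0.0 255.255.255.0 eq 22
access-list inside_access_out extended permit tcp host 172.16.1.10 10.0.0.0 255.255.255.0 eq 22
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
"""
SERVER = dict(ingress="outside", egress="inside", proto="tcp", src="172.16.1.10", dst="10.0.0.5", dport=22)
BROWSING = dict(ingress="inside", egress="outside", proto="tcp", src="10.0.0.5", dst="203.0.113.9", dport=443)


def scenarios():
    """Run the server and browsing flows through the config states discussed in the thread."""
    out = {}
    acls, bind = parse_config(CONFIG)
    out["both bound"] = evaluate(acls, bind, **SERVER)[0]
    out["hits"] = [acls[n][0].hits for n in ("outside_access_in", "inside_access_out")]
    acls["inside_access_out"].clear()             # delete the ACE but keep the access-group
    out["ace removed, still bound"] = evaluate(acls, bind, **SERVER)
    fixed = CONFIG + "no access-group inside_access_out out interface inside\n"
    acls, bind = parse_config(fixed)              # the command that resolved the thread
    out["access-group removed"] = evaluate(acls, bind, **SERVER)[0]
    out["browsing, nothing bound in on inside"] = evaluate(acls, bind, **BROWSING)[0]
    # The catch: any ACL bound in on inside carries an implicit deny for browsing traffic
    narrow = (fixed + "access-list inside_access_in extended permit udp 10.0.0.0 255.255.255.0 any eq 53\n"
              "access-group inside_access_in in interface inside\n")
    out["browsing, narrow inside_in bound"] = evaluate(*parse_config(narrow), **BROWSING)[0]
    wide = narrow + "access-list inside_access_in extended permit ip any any\n"
    out["browsing, permit any any added"] = evaluate(*parse_config(wide), **BROWSING)[0]
    return out
```

Running scenarios() shows the server flow permitted with both ACLs bound (and a hit on each of the two identical entries, which is what the poster saw), denied by the implicit deny of the emptied inside_access_out while its access-group remains, and permitted again once the binding is removed; the browsing flow is then unfiltered until an ACL is bound in on inside, at which point it needs its own permit. On the real box the same evidence comes from the hitcnt column of show access-list and the bindings listed by show running-config access-group, which is the check to do before deleting anything.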

Hi Florin,

I just resolved it with your suggestion. I used the command:

no access-group inside_access_out out interface inside

There are no more outgoing ACLs and I see no denies. I just cleaned up the configuration and set up incoming ACLs for all interfaces involved in the traffic.

Thanks a lot for your suggestion!

For all:

the outgoing/incoming interface directives are in the last part of the ASA configuration.
