10-03-2022 08:05 AM
We have a 4110 managed by an FMC that we need to configure to block IKE traffic from. That's easy enough to do with a control-plane ACL, but I was looking at this:
https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/
It shows a deny statement followed by an explicit "permit ip any any". Is the permit statement needed? I've always understood control-plane ACLs to have an implicit "permit ip any any". If there is an implicit one, I realize the explicit statement won't matter, so it's a matter of satisfying my curiosity. Thanks
10-03-2022 08:17 AM - edited 10-03-2022 12:05 PM
When the control-plane keyword is added to the ACL entry, the inspection applies to traffic destined to the ASA. Without the control-plane keyword, the ACL entries apply to traffic traversing through the ASA.
The control-plane keyword specifies if the ACL is used to control to-the-box traffic. Access control rules for to-the-box management traffic (defined by such commands as http, ssh, or telnet) have higher precedence than a management access rule applied with the control-plane option. Therefore, such permitted management traffic will be allowed to come in even if explicitly denied by the to-the-box ACL.
Unlike regular access rules, there is no implicit deny at the end of a set of management rules for an interface. Instead, any connection that does not match a management access rule is then evaluated by regular access control rules. Alternatively, you can use ICMP rules to control ICMP traffic to the device.
ASA Access Control List Configuration Examples for Various Scenarios - Cisco
10-03-2022 08:20 AM
"For management (control plane) ACLs, which control to-the-box traffic, there is no implicit deny at the end of a set of management rules for an interface. Instead, any connection that does not match a management access rule is then evaluated by regular access control rules."
From the Cisco ASA ACL configuration guide:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/access-acls.html
10-03-2022 10:39 AM
Thank you both for the replies, and I read both links prior to posting. I realize there is normally a default "deny ip any any" at the end of a normal access list, but if I leave the "permit ip any any" off the control-plane ACL, it shouldn't matter, correct, given there is no implicit deny?
10-03-2022 12:03 PM
There is no implicit deny at the end of control plane ACL.
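To make the evaluation order described in the replies concrete, here is an added Python model (not from this thread and not Cisco code) of how to-the-box traffic is checked: management-access commands first, then the control-plane ACL with no implicit deny, then the regular access rules with their implicit deny. The policy, addresses and port numbers are constructed sample values mirroring the IKE-blocking scenario.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP of the connection
    dport: int   # destination port on the firewall itself

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: str = "0.0.0.0/0"      # "any" source
    dport: Optional[int] = None # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and (self.dport is None or self.dport == pkt.dport))

def first_match(acl, pkt):
    """Ordered ACL: first matching entry wins; None if nothing matched."""
    return next((a.action for a in acl if a.matches(pkt)), None)

def to_the_box_verdict(pkt, mgmt_access, control_plane_acl, regular_acl):
    # 1. Management-access commands (ssh/http/telnet) take precedence over the
    #    control-plane ACL, so they win even over an explicit deny there.
    for proto, port, net in mgmt_access:
        if (proto, port) == (pkt.proto, pkt.dport) and ip_address(pkt.src) in ip_network(net):
            return ("permit", "management-access")
    # 2. Control-plane ACL: first match wins, but there is NO implicit deny.
    action = first_match(control_plane_acl, pkt)
    if action is not None:
        return (action, "control-plane")
    # 3. Unmatched traffic falls through to the regular access rules, which
    #    do end in an implicit deny.
    action = first_match(regular_acl, pkt)
    return (action or "deny", "regular" if action else "regular-implicit-deny")

# Constructed sample policy (hypothetical addresses and rules).
MGMT_ACCESS = [("tcp", 22, "10.0.0.0/8")]   # e.g. "ssh 10.0.0.0 255.0.0.0 inside"
CONTROL_PLANE_ACL = [                        # ACL applied with the control-plane keyword
    Ace("deny", "udp", dport=500),           # ISAKMP
    Ace("deny", "udp", dport=4500),          # NAT-T
    Ace("deny", "tcp", dport=22),            # denied here, but management access wins
]
REGULAR_ACL = [Ace("permit", "tcp", dport=443)]

if __name__ == "__main__":
    for pkt in (Packet("udp", "198.51.100.7", 500), Packet("tcp", "198.51.100.7", 443),
                Packet("tcp", "10.1.2.3", 22), Packet("udp", "198.51.100.7", 53)):
        print(pkt, "->", to_the_box_verdict(pkt, MGMT_ACCESS, CONTROL_PLANE_ACL, REGULAR_ACL))
```

Note that HTTPS to the box is decided by the regular rules rather than dropped, even though the control-plane ACL has no trailing "permit ip any any".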