Enterprise public IP address on outside of ASA has no ACL. Is this normal?

Hello.

On an enterprise ASA there exists at least one active outside interface with a public IP address that has zero restrictions in its attached ACL. I expect this interface is not advertised at all, but still, is this normal (if not best) security practice?

Thank you.



@jmaxwellUSAF on the ASA the outside interface has a security level of 0 and the inside interface has a security level of 100. Traffic from a lower security level (outside) to a higher level (inside) is by default denied, without an ACL. To explicitly permit traffic you need to configure an ACL and attach it to the outside interface. If you have an ACL configured, then by default at the end of the ACL there is an implicit deny (not visible in the configuration until you explicitly configure it at the end). You don't need an ACL on the outside interface as long as its security level is lower than the inside interface.

Traffic initiated from inside to outside will be permitted, including the return traffic.

Thank you, Rob, for your helpful reply.

The ACL attached to the outside, in the "in" direction, only has the ACE `permit ip any any`. Does that change your assessment?

@jmaxwellUSAF that's not normal and not advised. Do you need to explicitly permit inbound traffic from the internet via the outside interface? If you do, create specific rules and deny the rest of the traffic. Or if you have no inbound traffic, you can remove that ACL.

Outbound traffic (inside to outside) should not be affected, as per the security levels permitting traffic from higher security level to lower.

This you must always remember when you deal with the ASA: the most important thing is that the ACL is bypassed when there is an existing connection.

So your ACL applied to the OUTside does not affect any traffic initiated from the INside, but it does affect traffic initiated from the OUTside (access to servers in the DMZ or INside).

""not advertised at all""

can you more elaborate ?

""not advertised at all"" meaning there are no routing protocols implemented on the connection, and no public DNS entry. The interface is undocumented to the public, but it does have a public IP address and is open to the LAN.

I will now lock down this attached ACL.
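The lockdown Rob describes (specific permits, then an explicit deny, or no inbound ACL at all), written out as an added ASA configuration example. This is not configuration from any post in this thread; the ACL names, the DMZ_WEB object, its address and the published ports are assumptions.

```cisco
! Constructed example, not from the thread. ACL and object names and the
! 192.0.2.10 address (RFC 5737 documentation range) are assumptions.

! What the original poster found: an inbound ACL on the outside interface
! whose only ACE permits everything, which overrides the implicit deny.
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside

! Locked-down replacement. Build the new ACL first, then swap it into the
! access-group, so there is no window in which the interface has no rules.
object network DMZ_WEB
 host 192.0.2.10
object-group service WEB_PORTS tcp
 port-object eq 443

! Specific permits only: Internet to the DMZ web server on its published port.
access-list OUTSIDE_IN_V2 extended permit tcp any object DMZ_WEB object-group WEB_PORTS
! Explicit final deny with logging so blocked attempts appear in syslog
! (message %ASA-4-106023) instead of being silently dropped.
access-list OUTSIDE_IN_V2 extended deny ip any any log

access-group OUTSIDE_IN_V2 in interface outside
clear configure access-list OUTSIDE_IN

! If nothing on the Internet needs to reach inside or the DMZ, remove the
! inbound ACL instead; the security-level default (0 to 100 denied) applies.
! no access-group OUTSIDE_IN in interface outside
! clear configure access-list OUTSIDE_IN

! Verification: per-ACE hit counts, what is bound to the outside interface,
! and to-the-box listeners (which an interface ACL does not govern).
show access-list OUTSIDE_IN_V2
show running-config access-group
show asp sockets
```

Established connections initiated from inside continue to return through the outside interface regardless of this ACL, as Rob and the reply above note.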

Marvin Rhoads
Hall of Fame

An ASA's public IP address on the outside interface only accepts incoming connections destined for it if there is a service explicitly configured to allow it. You can check for any listening service with the command "show asp sockets". Common services are remote access VPN on tcp/443. Some people will allow incoming ssh although this is not usually a good idea unless it is tightly restricted.

FYI, ACLs on an ASA generally affect traffic through an interface, not traffic to it. Only the special and seldom used control plane ACLs do the latter.
