Purpose of inside_access_in permit ip any any

Dean Romanelli
Level 4

Hi All,

Reviewing some firewalls from a company acquisition and moving to standardize configs with the existing firewalls. I see they've configured the following, and I fail to see its purpose, and I'm hoping someone can provide some insight.

These are 5505s:


access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any

access-group inside_access_in in interface inside
 

Don't understand the purpose of this. The inside interface is security 100, and the outside is security 0. Aren't these flows allowed by default? I get that you can specify inside_access_in when you want to limit what can go outside, but in the case of "any any" above, I don't see the point.

access-list outside_access_in extended permit icmp any any

access-group outside_access_in in interface outside

Same thing here ---> It's my understanding that ICMP, HTTPS & SSH all occur before the firewall function comes into play on a 5505, so isn't this ACL also moot?

Accepted Solution

Collin Clark
VIP Alumni

You are correct in that you do not need the ACL. I typically see this when the person setting it up really didn't understand the security levels, or they did it for logging purposes. I don't see the log keyword, so I would bet it was 'try something until it works' and this was one of the things.

For the outside ACL, this would allow anyone to ping any server that has a translation. Typically added for troubleshooting, but it should be locked down further. You are correct about the firewall functions when it is to the ASA itself, but the ACL there is for NATs and not just the ASA itself.

 

Hope it helps.

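Both points in the accepted answer can be checked on the box with packet-tracer rather than reasoned from security levels. The following is an added example, not configuration from the thread or from Cisco: the VLAN interfaces, the WEB-SERVER object and every address (RFC 5737 documentation ranges) are assumptions chosen to mirror the thread's setup, and the NAT line uses ASA 8.3+ object syntax.

```cisco
! Added example, not from the thread. Interfaces, object name and addresses
! (RFC 5737 documentation ranges) are assumptions; NAT syntax is ASA 8.3+.
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0

! An inside server that has an outside translation.
object network WEB-SERVER
 host 192.168.1.20
 nat (inside,outside) static 203.0.113.20

! 1. Inside -> outside with the acquired ACL in place.
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
packet-tracer input inside tcp 192.168.1.10 40000 203.0.113.50 443
! The ACCESS-LIST phase cites inside_access_in; final Action: allow.

! 2. Same flow with the ACL unbound and deleted. Unbind FIRST so there is
!    never a moment where the interface carries an ACL with no permit.
no access-group inside_access_in in interface inside
no access-list inside_access_in extended permit ip any any
no access-list inside_access_in extended permit icmp any any
packet-tracer input inside tcp 192.168.1.10 40000 203.0.113.50 443
! The ACCESS-LIST phase should now cite the implicit rule (security level
! 100 -> 0) and the final Action is still allow: the ACL changed nothing.

! 3. Outside ACL scope: an Internet host pinging the translated server.
access-list outside_access_in extended permit icmp any any
access-group outside_access_in in interface outside
packet-tracer input outside icmp 198.51.100.7 8 0 203.0.113.20
! Expect an UN-NAT phase mapping 203.0.113.20 -> 192.168.1.20, then allow.

! 4. Anything else initiated from outside is dropped by that same ACL.
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.20 443
! Expect Action: drop, Drop-reason: (acl-drop) Flow is denied by configured rule

! 5. To-the-box traffic is not governed by outside_access_in at all; these
!    commands are (the OP's correct point about ICMP, SSH and HTTPS):
icmp permit 198.51.100.0 255.255.255.0 outside
ssh 198.51.100.0 255.255.255.0 outside
http 198.51.100.0 255.255.255.0 outside
```

Two caveats when reading the results. First, on 8.3 and later the outside ACL is evaluated against the real (untranslated) address, so a tighter destination would be `object WEB-SERVER` or `host 192.168.1.20`, not the public IP; pre-8.3 images match the mapped address. Second, steps 3 and 4 together are Marvin's point below: a single ICMP line on the outside interface permits ping and, through the implicit deny, nothing else inbound.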

7 Replies

Marvin Rhoads
Hall of Fame

I've sometimes seen the "inside_access_in" case used to trigger logging or hits against the access-list for a very basic connection accounting function. Beyond that though, it's a pretty superfluous command.

I could speculate that some inexperienced admin put it in just to satisfy any doubt he/she may have had when asked "are you SURE the firewall isn't blocking my traffic?" (although it may still have been if there was an inspection rule being hit :-p )

The outside one would allow pinging initiated from the outside of internal hosts that are externally addressable. (Although if that's the only entry in the ACL it would prevent all other outside-initiated traffic.) 

Good information, as always guys.  Thanks much.

 

One quick question about the outside_access_in ICMP one: so basically, if the site that has the ASA with this configured rule had any servers on the inside that have outside translations, it would allow anyone to ping the public IPs of said servers successfully from the internet, right?

Correct

Hi guys,

I had a chance to speak to the previous admin on this. The reason he configured inside_access_in permit ip any any was that in the event he needed to block something specific on the inside from getting out, he could add the deny line above the permit ip any any line and it wouldn't interrupt traffic, versus needing to put the deny statement in, killing traffic, then adding the permit line. Of course I would think it would be just as easy to just add the permit statement in first, then put the deny statement in, but I guess there could be something said for forgetting to do that and subsequently nuking traffic. Personal preference, I guess.
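The ordering problem the previous admin was working around has a direct answer on the ASA: the `line` keyword inserts an ACE at a given position, so a deny can go above an existing permit in one command. The following is an added example, not from the thread or from Cisco; the host being blocked (192.168.1.45) and the SMTP case are constructed for illustration.

```cisco
! Added example, not from the thread; 192.168.1.45 is a constructed address.
! The ACL as found on the acquired 5505, bound inbound on inside:
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside

! Goal: stop one inside host from sending outbound SMTP, without an outage.
! ASA ACLs are first-match. An ACE added without 'line' is APPENDED, so it
! would land below 'permit ip any any' and never be evaluated:
!   access-list inside_access_in extended deny tcp host 192.168.1.45 any eq smtp
! Insert it at line 1 instead, above the permit, in a single step:
access-list inside_access_in line 1 extended deny tcp host 192.168.1.45 any eq smtp log

! Confirm the order now, and the hit counter later:
show access-list inside_access_in
! line 1 ... deny tcp host 192.168.1.45 any eq smtp log   (hitcnt=0)
! line 2 ... permit icmp any any                          (hitcnt=N)
! line 3 ... permit ip any any                            (hitcnt=N)

! Removing the deny later does not need a line number:
no access-list inside_access_in extended deny tcp host 192.168.1.45 any eq smtp log
```

Because `line` lets the deny be placed correctly on first entry, a standing `permit ip any any` on the inside interface buys nothing that the default high-to-low behaviour does not already provide; the one thing it does introduce is the risk the admin was worried about in the other direction, since deleting that catch-all while the access-group is still bound drops everything not matched above it.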

Marvin,

this is very informative! +5

will consider this on my new ASA builds.

internodetech
Level 1

"access-list outside_access_in extended permit icmp any any
access-group outside_access_in in interface outside"

 

In addition to ping, ICMP is also needed for proper path MTU operation. Although he could've been more specific on which ICMP messages he allowed in that rule, he may have enabled ICMP to troubleshoot issues related to path MTU. I would keep that in mind when deciding about removing/changing that rule. Also check out how he has ICMP inspection set up too. He may have made changes there as well.
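Acting on the advice above, this is how the outside ICMP line can be narrowed to the types ping and path MTU discovery actually use, scoped to the one server that is meant to be reachable, with ICMP inspection enabled. It is an added example, not from the thread or from Cisco; the object names and addresses are assumptions, and it uses ASA 8.3+ syntax, where the outside ACL matches the real (untranslated) address.

```cisco
! Added example, not from the thread. WEB-SERVER, PMTUD-AND-PING and the
! addresses are constructed; 8.3+ syntax (ACL matches the real address).

! Before, as found: every ICMP type, from anywhere, to every translated host.
access-list outside_access_in extended permit icmp any any
access-group outside_access_in in interface outside

! After: echo for ping, unreachable (incl. type 3 code 4, "fragmentation
! needed") and time-exceeded for PMTUD and traceroute, to one server only.
object network WEB-SERVER
 host 192.168.1.20
 nat (inside,outside) static 203.0.113.20
object-group icmp-type PMTUD-AND-PING
 icmp-object echo
 icmp-object unreachable
 icmp-object time-exceeded
access-list outside_access_in extended permit icmp any object WEB-SERVER object-group PMTUD-AND-PING

! Add the narrow line first, then drop the broad one, so permitted traffic
! never hits the implicit deny during the change.
no access-list outside_access_in extended permit icmp any any

! ICMP inspection: 'inspect icmp' tracks echo/echo-reply as a session, so
! replies to inside-initiated pings return without an outside ACE;
! 'inspect icmp error' NATs the header embedded in unreachable and
! time-exceeded messages so they reach the inside host that sent the
! original packet.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
```

One check before removing the broad line: if `inspect icmp` was not already enabled, the `permit icmp any any` on the outside interface may have been doing double duty by letting echo-replies for inside-initiated pings back in. Turn inspection on first, re-test ping from an inside host, and only then tighten the ACE.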

 

 

