05-25-2012 06:29 AM - edited 03-11-2019 04:11 PM
In a scenario where an ASA has a Guest interface (security level 50) with only a single OUT acl applied (access-list guest.out extended deny ip any any / access-group guest.out OUT interface guest) and an outside interface (security level 0) connected to the Internet with only an IN acl applied to it, with no rules in that ACL pertaining to traffic destined to the guest network, will devices on the guest network still be able to initiate connections to / access devices on the Internet? Is the answer 'yes' because there is no IN acl applied to the guest interface and SPI will permit the return traffic, or is the answer 'no' because the OUT acl on the guest interface will prevent the return traffic in spite of the IN acl?
Thanks.
05-25-2012 06:34 AM
The answer is NO because your Guest interface has a lower security level than the Internet interface. By default, traffic from a low to a high security level will require a NAT statement as well as an access-list to allow traffic to go in that direction.
The OUT (outbound ACL) will be applied to traffic initiated from other interfaces going towards the Guest interface. Return traffic on the ASA firewall will not be checked, as the ASA maintains a session table, hence return traffic will always be allowed.
05-25-2012 06:37 AM
OK, ignore my previous reply. I thought I saw security level 100 earlier in your post for Internet interface.
Let me try again:
The answer is YES this time as traffic from high to low security level is permitted by default.
Devices on the guest network can initiate traffic towards the Internet.
05-25-2012 06:53 AM
Thanks. I did originally have the incorrect security level in my question. So in that 1st scenario, the OUT acl on the guest interface will not have an effect on the return traffic of connections initiated by devices on the guest network destined for the Internet - the OUT acl only affects (denies) attempts by any device to initiate a connection into the guest network?
One more scenario, again, the same guest network, except in this scenario the guest interface (sec level 50) doesn't have an OUT acl applied, but rather an IN acl with 2 rules:
access-list guest.out extended permit ip any any
access-list guest.out extended deny ip any any
access-group guest.out IN interface guest
And the outside interface (sec level 0) has an IN acl with no rules pertaining to traffic destined to the guest network but also an OUT acl:
access-list outside.out extended permit tcp any any eq www
access-list outside.out extended deny ip any any
access-group outside.out OUT interface outside
Will devices on the guest network be able to A) reach any device on the Internet because of the IN acl on the guest interface, or B) be restricted to only accessing devices on the Internet via www (80/tcp) because of the OUT acl on the outside interface?
Thanks.
05-25-2012 10:29 AM
Hi
From your questions:
Will devices on the guest network be able to A) reach any device on the Internet because of the IN acl on the guest interface, or B) be restricted to only accessing devices on the Internet via www (80/tcp) because of the OUT acl on the outside interface?
access-list guest.out extended permit ip any any
access-list guest.out extended deny ip any any
access-group guest.out IN interface guest
The answer is A -
Explanation: There is an explicit deny ip any any, but since ASA behaviour is to allow high security to low (guest to Internet), the ASA will allow the return traffic, which is the adaptive security behavior of the ASA.
05-25-2012 11:23 AM
So in the 2nd scenario, the OUT acl on the outside interface will have no effect on traffic from the guest network? Only the IN acl on the guest interface affects guest device traffic?
05-25-2012 11:48 AM
Hi
Sorry forget about my previous reply. Please see my response below instead.
Your Guest network will only work for, or can only access, port 80 on any host on the Internet, since you have explicitly blocked outbound access on the Internet (outside) interface in your extended access-list.
access-list outside.out extended permit tcp any any eq www
access-list outside.out extended deny ip any any
access-group outside.out OUT interface outside
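To make the two scenarios in this thread concrete, here is an added example (not Cisco code and not from any poster) that models, in Python, the order of checks the thread relies on: a new connection is matched against the inbound ACL on its ingress interface (or, if none is applied, the security-level default of high-to-low permitted, low-to-high denied), then against the outbound ACL on its egress interface if one is applied, and return packets of an established connection are matched against the connection table rather than against any ACL. The interface names, the `Flow`/`Ace`/`Interface`/`Asa` classes and the sample flows are all constructed for the example; the outside interface's inbound ACL, which the thread only describes as having no rules about the guest network, is modeled as a deny-all. NAT, same-security-traffic settings and everything else a real ASA does are left out.

```python
"""Toy model of ASA interface-ACL evaluation for the two guest/outside scenarios.

Added example; simplified model of the ordering described in the thread, not ASA code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """A new connection attempt: ingress interface, egress interface, protocol, dest port."""
    src_if: str
    dst_if: str
    proto: str      # "tcp" / "udp" / "icmp"
    dport: int


@dataclass
class Ace:
    """One access-list entry, e.g. 'permit tcp any any eq www' -> Ace('permit', 'tcp', 80)."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    dport: Optional[int] = None # None means any destination port

    def matches(self, flow: Flow) -> bool:
        if self.proto != "ip" and self.proto != flow.proto:
            return False
        return self.dport is None or self.dport == flow.dport


@dataclass
class Interface:
    name: str
    security_level: int
    acl_in: Optional[List[Ace]] = None   # None = no inbound ACL applied
    acl_out: Optional[List[Ace]] = None  # None = no outbound ACL applied


def acl_permits(acl: List[Ace], flow: Flow) -> bool:
    """First matching ACE wins; an applied ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action == "permit"
    return False


class Asa:
    def __init__(self, interfaces: List[Interface]) -> None:
        self.ifs = {i.name: i for i in interfaces}
        self.conn_table: set = set()  # established connections, keyed by originating flow

    def new_connection(self, flow: Flow) -> Tuple[bool, str]:
        ingress, egress = self.ifs[flow.src_if], self.ifs[flow.dst_if]
        # Step 1: inbound ACL on the ingress interface, else the security-level default.
        if ingress.acl_in is not None:
            if not acl_permits(ingress.acl_in, flow):
                return False, f"denied by inbound ACL on {ingress.name}"
        elif ingress.security_level <= egress.security_level:
            # Low-to-high (and same-level, without same-security-traffic) is denied by default.
            return False, f"denied by default: {ingress.name} is not higher security than {egress.name}"
        # Step 2: outbound ACL on the egress interface, if one is applied.
        if egress.acl_out is not None and not acl_permits(egress.acl_out, flow):
            return False, f"denied by outbound ACL on {egress.name}"
        self.conn_table.add(flow)
        return True, "permitted; connection added to the session table"

    def return_traffic_allowed(self, flow: Flow) -> bool:
        """Replies for an established connection bypass interface ACLs entirely."""
        return flow in self.conn_table


def build_scenario_one() -> Asa:
    """Guest: outbound deny-all only. Outside: inbound ACL only (modeled as deny-all)."""
    guest = Interface("guest", 50, acl_out=[Ace("deny", "ip")])
    outside = Interface("outside", 0, acl_in=[Ace("deny", "ip")])
    return Asa([guest, outside])


def build_scenario_two() -> Asa:
    """Guest: inbound permit-all. Outside: inbound deny-all plus outbound 'permit tcp any any eq www'."""
    guest = Interface("guest", 50, acl_in=[Ace("permit", "ip"), Ace("deny", "ip")])
    outside = Interface("outside", 0, acl_in=[Ace("deny", "ip")],
                        acl_out=[Ace("permit", "tcp", 80), Ace("deny", "ip")])
    return Asa([guest, outside])


if __name__ == "__main__":
    asa = build_scenario_one()
    for f in (Flow("guest", "outside", "tcp", 443), Flow("outside", "guest", "tcp", 443)):
        print("scenario 1", f, asa.new_connection(f))
    asa = build_scenario_two()
    for f in (Flow("guest", "outside", "tcp", 80), Flow("guest", "outside", "tcp", 443)):
        print("scenario 2", f, asa.new_connection(f))
```

Running it shows the thread's conclusions: in scenario one a guest-initiated HTTPS connection is permitted (no inbound ACL on guest, 50 is higher than 0, no outbound ACL on outside) and its replies are found in the connection table, while an Internet-initiated connection into guest is stopped at the outside inbound ACL before the guest outbound ACL is even consulted; in scenario two the guest inbound ACL permits everything, but the outbound ACL on outside lets only TCP/80 out, so guest hosts end up restricted to web traffic. The practical check this models is that both the ingress inbound ACL and the egress outbound ACL must permit a new connection, and an outbound ACL on the low-security interface is an easy place to accidentally restrict every higher-security interface behind it.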
05-25-2012 12:09 PM
Thanks!