Quick ACL question on ASA

galloway13
Level 1

I think I know the answer to this but just wanted to confirm it.

If I am using an ASA5505, and I have a configuration similar to the one below, I see that the untrusted interface is only allowed to ftp to 192.168.1.5. Since the trusted interface is not limited to ftp only, can it basically run any protocol it wants to 10.20.30.2, or does it get limited to only ftp by the other ACL on returning packets?

Also, is the ACL applied to the interface because the ACL's name is the name of the interface?

interface gig1/1
 nameif trusted
 security-level 100
 ip address 192.168.1.2
interface gig1/2
 nameif untrusted
 security-level 0
 ip address 10.20.30.1

access-list trusted extended permit ip host 192.168.1.5 host 10.20.30.2
access-list untrusted extended permit tcp host 10.20.30.2 host 192.168.1.5 eq ftp

Thanks,

Jay

Accepted Solution

Shrikant Sundaresh
Cisco Employee

Hi Jay,

The access-list needs to be applied to an interface. You use the access-group command to do that.

access-group <access_list_name> {in | out} interface <interface_name>

ex: access-group trusted in interface trusted would apply the "trusted" access-list on the trusted interface.

For TCP traffic, the replies are allowed without checking the ACL entry. So it is not restricted to only FTP for the trusted side.

The reason is, that a connection entry already exists when the initial SYN packet goes from trusted to untrusted.

When return traffic comes, first the connection table is looked up. Only if a connection entry is not found will the access-list be checked. If the entry is found, then the traffic is allowed to go through.

Thus for things like ICMP (which is non-TCP), you need to have "inspect icmp" in the global policy map, else the ICMP replies are denied, since the access-list from untrusted to trusted allows only ftp.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered, if it has been resolved. Do rate helpful posts. Thanks.



Thank you very much for the response. That was what I thought was going to happen.

Also thanks for reminding me about the access-group. Guess I should wake up a bit more before asking questions!

Thanks again.
