Replace "permit any any" with more precise rules without causing issue

MarcoLazzarotto
Level 1

On my ASA I have a network interface on a production VLAN, and that network interface has an ACL where the only rule is an "access-list ... permit ip any any" (because of how it was implemented in the past).

Now, for some sort of compliance, I have to remove that stupid rule and instead write down a long list of rules to "segregate" the VLAN.

Since I have the ASA logging to ElasticSearch, I can easily query Elastic to find what rules to apply, easy.

Hence the question: when I write down the long list of rules, at the bottom I will keep the "permit ip any any" to prevent issues with production, because I may forget to add some rule.

How do I know which connections the last rule (permit ip any any) in the list has been applied to?

I could check how many hitcnt I see on the last rule, but I wouldn't be able to determine what rules I'm missing.

Accepted Solution

@MarcoLazzarotto log traffic for the "permit ip any any" rule and send these to your syslog server. "When the log option is specified, it generates syslog message 106100 for the ACE to which it is applied. Syslog message 106100 is generated for every matching permit or deny ACE flow that passes through the ASA Firewall."

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html

You can then filter on that rule/syslog message and determine whether you wish to create additional rules to permit that traffic.


Thank you so much @Rob Ingram! This is exactly what I need!

Funny thing is that I already have a couple of ACLs with a rule with the "log" option (this is not fully managed by me), but I never noticed that until now.

Hello @Rob Ingram ,

I did as you suggested, and the ASA is logging all the connections.

In the following example, I added the log option on a permit ip 10.1.10.0 255.255.255.0 any rule at the bottom of the ACL "prod-linux_acl".

I can find this on the logs, which is fine:

access-list prod-linux_acl permitted tcp prod-linux/10.1.10.10(57822) -> prod-vpn/10.3.33.33(3389) hit-cnt 1 first hit [0x3bd17c0e, 0x00000000]
(left side = SOURCE, right side = DESTINATION)

but I can also find this kind of logs, which are logs for return connections:

access-list prod-linux_acl permitted tcp prod-linux/10.1.10.10(8443) -> prod-vpn/10.3.33.33(60409) hit-cnt 1 first hit [0x3bd17c0e, 0x00000000]
(left side = DESTINATION, right side = SOURCE)

As you can imagine, I only need logs from the first type. How can I differentiate "straight" connections from "return" connections?

Thank you for your help
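One way to separate the two kinds of 106100 message quoted above, as an added example that is not part of this thread or of any Cisco tool: a small Python parser for the message format shown in the posts, a port heuristic for direction (the client side of a TCP/UDP connection uses an ephemeral port, so a flow whose destination is the service port is the forward direction and one whose source is the service port is the reply), and a helper that turns the forward flows of one ACL into candidate host-to-host ACEs. The ephemeral-port threshold is an assumption about the hosts involved, and the sample log lines are constructed from the two messages in the thread.

```python
import re

# Pattern for the body of ASA syslog 106100 as quoted in this thread.
LOG_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\)"
)
# Assumption: ports >= this are client (ephemeral) ports (Linux 32768+, Windows 49152+).
EPHEMERAL_START = 32768

def parse_106100(line):
    """Return the fields of one 106100 message as a dict, or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["src_port"], flow["dst_port"] = int(flow["src_port"]), int(flow["dst_port"])
    return flow

def direction(flow):
    """Heuristic: the client side uses an ephemeral port, the server a service port."""
    src_eph = flow["src_port"] >= EPHEMERAL_START
    dst_eph = flow["dst_port"] >= EPHEMERAL_START
    if src_eph and not dst_eph:
        return "forward"  # client -> service: the log that may need a new ACE
    if dst_eph and not src_eph:
        return "return"   # service -> client: the reply half of a connection
    return "unknown"      # both or neither ephemeral: review by hand

def suggest_aces(lines, acl):
    """Distinct forward flows seen on one ACL, rendered as candidate host-to-host ACEs."""
    seen = set()
    for line in lines:
        f = parse_106100(line)
        if f and f["acl"] == acl and direction(f) == "forward":
            seen.add((f["proto"], f["src_ip"], f["dst_ip"], f["dst_port"]))
    return [f"access-list {acl} extended permit {p} host {s} host {d} eq {port}"
            for p, s, d, port in sorted(seen)]

SAMPLE_LOGS = [  # constructed sample lines modelled on the two messages quoted above
    "access-list prod-linux_acl permitted tcp prod-linux/10.1.10.10(57822) -> "
    "prod-vpn/10.3.33.33(3389) hit-cnt 1 first hit [0x3bd17c0e, 0x00000000]",
    "access-list prod-linux_acl permitted tcp prod-linux/10.1.10.10(8443) -> "
    "prod-vpn/10.3.33.33(60409) hit-cnt 1 first hit [0x3bd17c0e, 0x00000000]",
]

if __name__ == "__main__":
    for ace in suggest_aces(SAMPLE_LOGS, "prod-linux_acl"):
        print(ace)
```

Flows classified as "unknown" (for example two ephemeral ports, or ICMP lines that the pattern does not match) are left out of the suggestions on purpose so they get a manual look rather than an automatic rule.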
