09-09-2014 04:04 AM - edited 03-11-2019 09:43 PM
Hi there,
I have two VLANs: VLAN 1 = inside, VLAN 2 = outside
I need to implement ACL rules using ASDM 6.5 with this concept:
1- Deny all the traffic from inside to outside, except for: HTTP, HTTPS, POP3, SMTP, IMAP4, FTP, FTP-DATA, DNS will be authorised to access the internet, email and an external FTP server
2 - Deny all the traffic from outside to inside
Is it correct please to create two rules for the inside interface by ASDM as below and in this order?
Inside incoming rules :
a- Source: (any) | Destination: (any) | Service: (HTTP, HTTPS, POP3, SMTP, IMAP4, FTP, FTP-DATA, DNS) | Action: Permit
b- Source: (any) | Destination: (any) | Service: (IP) | Action: deny
outside incoming rules :
c- Source: (any) | Destination: (any) | Service: (IP) | Action: deny
Thanks in advance
09-09-2014 04:39 AM
You only need one rule:
a- Source: (any) | Destination: (any) | Service: (HTTP, HTTPS, POP3, SMTP, IMAP4, FTP, FTP-DATA, DNS) | Action: Permit
There is an implicit deny at the end of all access-lists, and traffic is by default denied from an interface with a lower security level to a higher security level.
So, assuming that you have configured your outside interface with a security level of 0 (which you should have) and your inside network with a security level of anything higher than 0 (usually inside network has a security level of 100...but this is not always the case) then traffic coming in on the outside interface and going to the inside interface will be dropped.
--
Please remember to select a correct answer and rate helpful posts
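As an added example (not a configuration posted in this thread), this is the CLI equivalent of that single ASDM permit rule with the full service list from the original question; the same pattern is what the later FTP-only answer shows with one line. It assumes the 10.10.10.0/24 inside subnet used later in the thread, interfaces named inside and outside, and the hypothetical names INSIDE-IN and INSIDE-TO-OUTSIDE-TCP.

```cisco
! Added example, not from the thread. Interface names and security levels
! follow the accepted answer: outside = 0, inside = 100.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
! Group the permitted TCP destination ports so the ACL stays readable.
object-group service INSIDE-TO-OUTSIDE-TCP tcp
 port-object eq www
 port-object eq https
 port-object eq pop3
 port-object eq smtp
 port-object eq imap4
 port-object eq ftp
 port-object eq ftp-data
 port-object eq domain
!
! One permit entry for the TCP group, one for DNS over UDP.
access-list INSIDE-IN extended permit tcp 10.10.10.0 255.255.255.0 any object-group INSIDE-TO-OUTSIDE-TCP
access-list INSIDE-IN extended permit udp 10.10.10.0 255.255.255.0 any eq domain
! No explicit "deny ip any any" is required: every ACL ends with an
! implicit deny. Add it only if you want the dropped traffic logged:
! access-list INSIDE-IN extended deny ip any any log
!
! Apply in the ingress direction on inside (traffic entering the ASA).
access-group INSIDE-IN in interface inside
!
! Nothing is bound to outside: with no ACL there, outside (0) -> inside (100)
! is dropped by the security-level default, as the answer describes.
```

With the default policy's `inspect ftp` in place the ASA opens the FTP data channel dynamically, so the ftp-data entry covers only the rare case where inspection is disabled.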
09-11-2014 05:50 AM
Thanks for your help,
Question please: can you explain to me the goal of inside outgoing rules and outside outgoing rules and how to use them?
thanks
09-11-2014 06:04 AM
I suppose you mean the directions in which the ACLs are applied to the interface?
If so, it has to do with when you want traffic to be matched against the configured rules. Normally you will only be applying an ACL in the ingress direction (traffic entering the ASA). However, it is possible that you might be required (for whatever reason) to match traffic against configured rules when it egresses the ASA interface (traffic leaving the ASA). I personally have never configured an ASA in this manner but have seen it done in some setups. It is usually done either to simplify the administration of the ASA, or due to the engineer's lack of knowledge of how the ASA works.
For the administration side of things, let's say you have 3 interfaces on the ASA connecting to 3 different networks. Each network has several subnets. 2 of the networks should be allowed to communicate freely with each other, while access to the third should be restricted to certain IPs or subnets. So instead of having to configure permit and deny rules on two interfaces, you can configure rules on one interface, effectively reducing your work by 50%.
This is not a best practice and I would not recommend it, but from an operations standpoint it is a viable solution.
09-15-2014 04:23 AM
OK, thanks a lot Marius Gunnerud,
How do I deny all traffic from inside to outside, for example allowing only access to an external FTP server?
thanks
09-15-2014 04:35 AM
If you ONLY want to allow FTP from inside to the outside, you just need to add an ACL permitting that traffic and nothing more. There is an implicit deny at the end of all ACLs, so if traffic doesn't match the IPs and protocol it is dropped.
access-list TEST permit tcp 10.10.10.0 255.255.255.0 any eq ftp
access-group TEST in interface inside
The above will only permit FTP from subnet 10.10.10.0/24; all other traffic will be dropped.