ACLs on ASA

hi,

few very basic questions about ASA series.

In PIX it is easy to configure access control with just one inbound ACL on each interface, and with the simple rule of editing the ACL which is closest to the source. Now in ASA we have both "in" and "out"; these are confusing for me.

Can you tell me what is the difference in purpose of these two, and how the flow is controlled? In other words, when and which ACL to edit/use to put certain restrictions/permissions.

If I want to permit some traffic from outside to inside, then I get four options to place the ACL: inside "in" & "out", outside "in" & "out". Which is the right place here?

On any interface, in the "in" ACL, where is the traffic expected to come from and where does it go? What are the direction rules? Same way, how is it in "out"?

PIX/ASA allows any traffic/connection from inside to outside; do I need to create an ACL entry to allow the reply packet (not ICMP, any other TCP/UDP connection)? When there is no ACL on an interface, any connection from high security to low security is allowed; after applying an "in" ACL on a high security level interface, do I need to permit connections from high sec to low sec? What about any connection that is not listed in the ACL though it's from high to low sec?


a.kiprawih
Level 7

Hi,

Q - In PIX it is easy to configure access control with just one inbound ACL on each interface, and with the simple rule of editing the ACL which is closest to the source. Now in ASA we have both "in" and "out"; these are confusing for me. Can you tell me what is the difference in purpose of these two, and how the flow is controlled? In other words, when and which ACL to edit/use to put certain restrictions/permissions.

A - "in" (inbound) or "out" (outbound) refer to the application of an access list on an interface, either to traffic entering the security appliance on an interface or traffic exiting the security appliance on an interface. These terms do not refer to the movement of traffic from a lower security interface to a higher security interface, commonly known as inbound, or from a higher to lower interface, commonly known as outbound.

So, if you apply an ACL with the 'IN' keyword, it means that you control traffic coming into an interface and exiting through other interfaces, e.g. for outside traffic coming into dmz/inside, you need to apply the ACL as "access-group OUTSIDE in interface outside". If you use the keyword 'OUT', it means you are controlling traffic going out from an interface, e.g. "access-group OUTSIDE out interface dmz".

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_guide_chapter09186a008054e801.html

Q - If I want to permit some traffic from outside to inside, then I get four options to place the ACL: inside "in" & "out", outside "in" & "out". Which is the right place here? On any interface, in the "in" ACL, where is the traffic expected to come from and where does it go? What are the direction rules? Same way, how is it in "out"?

A - Apply the ACL on the outside interface in INBOUND (in) mode. This is to control incoming traffic into the firewall from the OUTSIDE interface into the inside or dmz segment. The direction rules are: any traffic/access from a lower security to a higher security level needs an ACL and static address mapping.

Q - PIX/ASA allows any traffic/connection from inside to outside; do I need to create an ACL entry to allow the reply packet (not ICMP, any other TCP/UDP connection)?

A - No, PIX/ASA will automatically allow return-traffic based on information available in connection/translation table.

Q - When there is no ACL on an interface, any connection from high security to low security is allowed; after applying an "in" ACL on a high security level interface, do I need to permit connections from high sec to low sec? What about any connection that is not listed in the ACL though it's from high to low sec?

A - By default, PIX/ASA permits traffic from a higher to a lower interface. If you have an ACL applied on the inside interface, it will only allow outbound traffic (to outside/dmz) based on the services listed in the ACL.

Rgds,

AK
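To make the placement concrete, here is an added configuration example (not from this thread or from Cisco) that puts the four answers above together in pre-8.3 PIX/ASA syntax, where ACLs match the translated address. The addresses, interface names and ACL names are constructed for illustration.

```cisco
! Constructed example: 203.0.113.0/24 is the outside network,
! 10.1.1.0/24 is the inside network (pre-8.3 syntax assumed).
!
! --- Outside -> inside (lower to higher security) ---
! Needs both a static mapping and a permit in an ACL applied "in" on
! outside, because "in" means packets entering the appliance there.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
! Anything else entering on outside falls through to the implicit deny.
access-group OUTSIDE_IN in interface outside
!
! --- Inside -> outside (higher to lower security) ---
! With no ACL on inside, all of this is allowed by default. Once an "in"
! ACL is applied here, only what it lists gets out; the rest is dropped.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended permit udp 10.1.1.0 255.255.255.0 any eq 53
! Explicit final deny with logging so dropped outbound attempts are visible.
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! No entries are needed for the replies to these sessions: returning
! packets are matched against the connection/translation table, not the ACL.
!
! The same outside->inside filter could instead be applied as an "out" ACL
! on the inside interface (access-group NAME out interface inside), i.e.
! on packets leaving the appliance toward inside; the thread's advice is
! to keep the filter inbound on outside.
```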

grant.maynard
Level 4

Just stick to using inbound ACLs as before.
