[c-nsp] ASA

Joshua Riesenweber joshua.riesenweber at outlook.com
Wed Feb 11 15:33:43 EST 2015


Thanks David and Matt for clearing that up.
I only mention it because, in the OP's case, he has an ACL applied to the outside interface. So, it would seem more pertinent than the security levels (at least in the direction outside>inside).


Cheers, Josh

> Date: Wed, 11 Feb 2015 14:00:28 -0500
> From: dwhitejr at cisco.com
> To: matt.addison at lists.evilgeni.us
> CC: joshua.riesenweber at outlook.com; dale.shaw+cisco-nsp at gmail.com; madunix at gmail.com; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ASA
> 
> Hi Matt,
> 
> You are correct.  Once you apply an ACL (any ACL) to an interface, there
> is an implicit "deny ip any any" at the end of that ACL.  So, that will
> always take effect when an ACL is applied.  It isn't a function of
> security levels, but rather the ACL itself.
> 
> Security levels do a few things:
> 1) permit (or deny) traffic - when no ACLs are applied -- that is what
> we have mainly been talking about here
> 2) Determine if you can administer the ASA via that interface over
> Telnet (a legacy rule, but still there)
> 3) Affect some policy actions:  ie - service reset[inbound|outbound]
> 4) Affect connection display information
> 
> and a few more...
> 
> But, the most noticeable to most people is indeed the permission of
> traffic based on the security level.
> 
> Sincerely,
> 
> David.
> 
> On 2/11/2015 1:33 PM, Matt Addison wrote:
> > Maybe this is a semantics thing, but isn't implicit rule of 'allow to
> > any less secure interface' replaced by an implicit deny once you apply
> > an inbound access-list to an interface? To some people that might be
> > considered negating the security level of the interface (since the
> > security level doesn't really do anything anymore). Once you have
> > inbound ACLs everywhere you may as well not even have security
> > levels. Hopefully today will be the day I learn there's a knob to turn
> > that implicit deny into an implicit allow-to-less-secure which will
> > make me regret all those hours spent tuning DMZ inbound access-lists.
> >
> > On Wed, Feb 11, 2015 at 8:57 AM, David White, Jr. (dwhitejr)
> > <dwhitejr at cisco.com> wrote:
> >> On 2/11/2015 7:29 AM, Joshua Riesenweber wrote:
> >>> This has a few good examples: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/acl_extended.html
> >>> I might very well be wrong, but I believe the security levels are negated if an access list is applied to an interface.
> >> That is incorrect.  Security levels are not negated or affected by
> >> applying an ACL (or not) to an interface.
> >>
> >> Sincerely,
> >>
> >> David.
> >>
> >>> Cheers, Josh
> >>>> Date: Wed, 11 Feb 2015 20:43:37 +1100
> >>>> From: dale.shaw+cisco-nsp at gmail.com
> >>>> To: madunix at gmail.com
> >>>> CC: cisco-nsp at puck.nether.net
> >>>> Subject: Re: [c-nsp] ASA
> >>>>
> >>>> Hi madunix,
> >>>>
> >>>> On Wed, Feb 11, 2015 at 7:26 PM, madunix at gmail.com <madunix at gmail.com>
> >>>> wrote:
> >>>>> I would like to block the following ports: 135,137,138,139,445,593,4444
> >>>>>  tcp/udp on my Firewall
> >>>> [...]
> >>>>
> >>>> Well, what you need to do, is figure out how to block those ports, perhaps
> >>>> by modifying the 'in' access-list you've applied to your outside interface.
> >>>> You might even need to Google That.
> >>>>
> >>>> That's assuming it's that direction (outside > inside) that you want to
> >>>> block the traffic.
> >>>>
> >>>> Cheers,
> >>>> Dale
> >>>> _______________________________________________
> >>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
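
The rule David lays out above (security levels decide only while no ACL is applied; once any ACL is applied inbound, the implicit "deny ip any any" at its end governs) is modelled in the following added example. It is not code from the thread or from Cisco; it assumes a deliberately simplified ASA (first-match ACL, no NAT, no same-security-traffic, no outbound ACLs) and uses the port list from madunix's original question as constructed input.

```python
# Toy model of ASA interface-ACL evaluation (added example, not Cisco's code).
# Assumption: simplified ASA with inbound ACLs only, first-match semantics,
# no NAT and no "same-security-traffic permit".
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "ip" (ip matches any)
    dst_port: Optional[int] = None  # None matches any destination port


@dataclass
class Interface:
    name: str
    security_level: int
    acl_in: Optional[List[Ace]] = None  # None means no ACL applied inbound


def permitted(ingress: Interface, egress: Interface, proto: str, dst_port: int) -> bool:
    """Would the ASA forward a packet arriving on `ingress` bound for `egress`?"""
    if ingress.acl_in is None:
        # No ACL on the ingress interface: the security-level rule decides,
        # higher -> lower is permitted, lower -> higher is denied.
        return ingress.security_level > egress.security_level
    for ace in ingress.acl_in:          # first matching entry wins
        if ace.proto not in ("ip", proto):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action == "permit"
    return False  # implicit "deny ip any any" at the end of every ACL


# Constructed from the original question: block these ports on tcp and udp.
BLOCKED_PORTS = [135, 137, 138, 139, 445, 593, 4444]


def outside_in_acl() -> List[Ace]:
    """Deny the listed ports first. The trailing 'permit ip' exists only so the
    deny entries are visible in this model; a real outside ACL would list just
    what must be permitted and rely on the implicit deny for the rest."""
    acl = [Ace("deny", proto, p) for p in BLOCKED_PORTS for proto in ("tcp", "udp")]
    acl.append(Ace("permit", "ip"))
    return acl


outside = Interface("outside", 0, acl_in=outside_in_acl())
outside_no_acl = Interface("outside", 0)
inside_no_acl = Interface("inside", 100)
inside_with_acl = Interface("inside", 100, acl_in=[Ace("permit", "tcp", 443)])
```

With `inside_with_acl`, inside-to-outside TCP/80 is dropped by the implicit deny even though inside is the higher-security interface, which is exactly Matt's observation; with `inside_no_acl` the same packet passes on security level alone.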