[c-nsp] ASA

Matt Addison matt.addison at lists.evilgeni.us
Wed Feb 11 13:33:34 EST 2015


Maybe this is a semantics thing, but isn't implicit rule of 'allow to
any less secure interface' replaced by an implicit deny once you apply
an inbound access-list to an interface? To some people that might be
considered negating the security level of the interface (since the
security level doesn't really do anything anymore). Once you have
inbound ACLs everywhere you may as well not even have security
levels. Hopefully today will be the day I learn there's a knob to turn
that implicit deny into an implicit allow-to-less-secure which will
make me regret all those hours spent tuning DMZ inbound access-lists.

On Wed, Feb 11, 2015 at 8:57 AM, David White, Jr. (dwhitejr)
<dwhitejr at cisco.com> wrote:
> On 2/11/2015 7:29 AM, Joshua Riesenweber wrote:
>> This has a few good examples: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/acl_extended.html
>> I might very well be wrong, but I believe the security levels are negated if an access list is applied to an interface.
> That is incorrect.  Security levels are not negated or affected by
> applying an ACL (or not) to an interface.
>
> Sincerely,
>
> David.
>
>>
>> Cheers,
>> Josh
>>> Date: Wed, 11 Feb 2015 20:43:37 +1100
>>> From: dale.shaw+cisco-nsp at gmail.com
>>> To: madunix at gmail.com
>>> CC: cisco-nsp at puck.nether.net
>>> Subject: Re: [c-nsp] ASA
>>>
>>> Hi madunix,
>>>
>>> On Wed, Feb 11, 2015 at 7:26 PM, madunix at gmail.com <madunix at gmail.com>
>>> wrote:
>>>> I would like to block the following ports: 135,137,138,139,445,593,4444
>>>>  tcp/udp on my Firewall
>>> [...]
>>>
>>> Well, what you need to do, is figure out how to block those ports, perhaps
>>> by modifying the 'in' access-list you've applied to your outside interface.
>>> You might even need to Google That.
>>>
>>> That's assuming it's that direction (outside > inside) that you want to
>>> block the traffic.
>>>
>>> Cheers,
>>> Dale
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
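
As an added example, not taken from any poster in this thread: an ASA configuration in the 8.2-style syntax of the guide Josh linked, blocking the TCP/UDP ports from madunix's original question inbound on the outside interface. The interface names, the ACL name outside_in and the 203.0.113.10 web server are assumed placeholders. It also shows the point under discussion from the configuration side: the interface carrying an inbound access-group is evaluated against its ACEs plus a trailing implicit deny, while the interface without one still falls back on the security-level rule, and the security-level value itself is unchanged either way.

```cisco
! Added example (not from the thread): ASA 8.2-style configuration that
! blocks NetBIOS/SMB/RPC ports 135-139, 445, 593 and 4444 (tcp and udp)
! inbound on the outside interface. Interface names, the ACL name
! "outside_in" and host 203.0.113.10 are assumed placeholders.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100

! Explicit denies with "log" so that hits show up in syslog and in the
! hitcnt column of "show access-list"; the trailing implicit deny would
! drop these packets anyway, but without any visibility.
access-list outside_in extended deny tcp any any range 135 139 log
access-list outside_in extended deny udp any any range 135 139 log
access-list outside_in extended deny tcp any any eq 445 log
access-list outside_in extended deny udp any any eq 445 log
access-list outside_in extended deny tcp any any eq 593 log
access-list outside_in extended deny udp any any eq 593 log
access-list outside_in extended deny tcp any any eq 4444 log
access-list outside_in extended deny udp any any eq 4444 log
! Only what must be reachable from the Internet is permitted explicitly;
! everything else falls through to the implicit deny at the end of the list.
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443

! Applying the list inbound on "outside" means traffic entering that
! interface is matched against the entries above and then implicitly denied.
access-group outside_in in interface outside

! No access-group is applied on "inside": traffic entering that interface
! is still governed by the security-level rule (security-level 100 may
! initiate connections toward security-level 0; the reverse is denied).
! Verify after some traffic has flowed:
!   show access-list outside_in
```

The explicit deny entries are optional on a list whose final effect is already a deny; they exist so that `show access-list outside_in` and the syslog stream show which sources are hitting those ports. Keep the permit entries limited to the hosts and ports that genuinely have to be reachable from the outside.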
