[c-nsp] ASA

David White, Jr. (dwhitejr) dwhitejr at cisco.com
Wed Feb 11 14:00:28 EST 2015


Hi Matt,

You are correct.  Once you apply an ACL (any ACL) to an interface, there
is an implicit "deny ip any any" at the end of that ACL.  So, that will
always take effect when an ACL is applied.  It isn't a function of
security levels, but rather the ACL itself.

Security levels do a few things:
1) permit (or deny) traffic - when no ACLs are applied -- that is what
we have mainly been talking about here
2) Determine if you can administer the ASA via that interface over
Telnet (a legacy rule, but still there)
3) Affect some policy actions:  ie - service reset[inbound|outbound]
4) Affect connection display information

and a few more...

But, the most noticeable to most people is indeed the permission of
traffic based on the security level.

Sincerely,

David.

On 2/11/2015 1:33 PM, Matt Addison wrote:
> Maybe this is a semantics thing, but isn't implicit rule of 'allow to
> any less secure interface' replaced by an implicit deny once you apply
> an inbound access-list to an interface? To some people that might be
> considered negating the security level of the interface (since the
> security level doesn't really do anything anymore). Once you have
> inbound ACLs everywhere you may as well not even have security
> levels. Hopefully today will be the day I learn there's a knob to turn
> that implicit deny into an implicit allow-to-less-secure which will
> make me regret all those hours spent tuning DMZ inbound access-lists.
>
> On Wed, Feb 11, 2015 at 8:57 AM, David White, Jr. (dwhitejr)
> <dwhitejr at cisco.com> wrote:
>> On 2/11/2015 7:29 AM, Joshua Riesenweber wrote:
>>> This has a few good examples: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/acl_extended.html
>>> I might very well be wrong, but I believe the security levels are negated if an access list is applied to an interface.
>> That is incorrect.  Security levels are not negated or affected by
>> applying an ACL (or not) to an interface.
>>
>> Sincerely,
>>
>> David.
>>
>>> Cheers,
>>> Josh
>>>> Date: Wed, 11 Feb 2015 20:43:37 +1100
>>>> From: dale.shaw+cisco-nsp at gmail.com
>>>> To: madunix at gmail.com
>>>> CC: cisco-nsp at puck.nether.net
>>>> Subject: Re: [c-nsp] ASA
>>>>
>>>> Hi madunix,
>>>>
>>>> On Wed, Feb 11, 2015 at 7:26 PM, madunix at gmail.com <madunix at gmail.com>
>>>> wrote:
>>>>> I would like to block the following ports: 135,137,138,139,445,593,4444
>>>>>  tcp/udp on my Firewall
>>>> [...]
>>>>
>>>> Well, what you need to do, is figure out how to block those ports, perhaps
>>>> by modifying the 'in' access-list you've applied to your outside interface.
>>>> You might even need to Google That.
>>>>
>>>> That's assuming it's that direction (outside > inside) that you want to
>>>> block the traffic.
>>>>
>>>> Cheers,
>>>> Dale
>>>> _______________________________________________
>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/

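To make the decision order David describes concrete, here is an added Python model of the initial-packet decision on an ASA interface (this is illustrative code written for this archive page, not Cisco's code or anything from the thread): with no inbound ACL the security levels decide, and once an inbound ACL is applied its entries are evaluated first-match and the implicit "deny ip any any" at the end catches everything else. The interface names, security levels and the sample outside ACL (which blocks the tcp/udp ports madunix asked about) are constructed; stateful return traffic, object-groups and the same-security-traffic knob are deliberately left out.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed sample: the tcp/udp ports madunix wanted blocked on the outside interface.
BLOCKED_PORTS = frozenset({135, 137, 138, 139, 445, 593, 4444})


@dataclass(frozen=True)
class Ace:
    """One access-list entry; an empty port set means 'any destination port'."""
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (ip matches any protocol)
    dst_ports: FrozenSet[int] = frozenset()

    def matches(self, proto: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        return not self.dst_ports or dport in self.dst_ports


@dataclass
class Interface:
    name: str
    security_level: int
    acl_in: Optional[List[Ace]] = None   # None = no inbound ACL applied


def evaluate(ingress: Interface, egress: Interface, proto: str, dport: int) -> str:
    """Decide whether a new connection entering 'ingress' toward 'egress' is permitted.

    Simplified model (no stateful return traffic, no object-groups, no
    same-security-traffic knob):
      - no inbound ACL: security levels decide, higher -> lower is permitted;
      - inbound ACL present: first matching entry wins, and the implicit
        'deny ip any any' at the end of every ACL catches everything else.
    """
    if ingress.acl_in is None:
        higher_to_lower = ingress.security_level > egress.security_level
        return "permit" if higher_to_lower else "deny"
    for ace in ingress.acl_in:
        if ace.matches(proto, dport):
            return ace.action
    return "deny"   # implicit deny ip any any


# Constructed interfaces and a constructed inbound ACL on 'outside'.
OUTSIDE_IN = [
    Ace("deny", "tcp", BLOCKED_PORTS),
    Ace("deny", "udp", BLOCKED_PORTS),
    Ace("permit", "ip"),                 # everything else is allowed in
]
INSIDE = Interface("inside", 100)        # no ACL: security level alone decides
DMZ = Interface("dmz", 50, acl_in=[Ace("permit", "tcp", frozenset({443}))])
OUTSIDE = Interface("outside", 0, acl_in=OUTSIDE_IN)
```

The dmz case is Matt's point in code: dmz (50) is more secure than outside (0), but because an inbound ACL is applied to dmz, anything its entries do not permit hits the implicit deny rather than the "allow to less secure" default.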