ASA Implicit Rule “Permit all traffic to less secure networks” ACL

When adding a new network interface to the ASA, you must specify a security level. Based on this security level, the default ACL allows access to "less secure" networks (lower security level) and denies access to "more secure" networks (higher security level). This default rule works great until you need to implement a zone that requires specific access to other zones. For example, a DMZ would have a security level of 50 (access to outside, implicit deny to inside). As soon as we add an ACL to the DMZ interface to permit certain access to the inside, the implicit "Permit all traffic to less secure networks" rule is removed, and everything not explicitly permitted is denied. We must manually add the permit back in. I found a great post regarding this setup on the Cisco Support Community which I will copy here for future reference:

"I have an object-group for all my networks. As these are normally in the RFC1918 range, that's my object-group:

object-group network RFC1918
   network-object 10.0.0.0 255.0.0.0
   network-object 172.16.0.0 255.240.0.0
   network-object 192.168.0.0 255.255.0.0

Next on all interfaces I have two logical sections:

access-list DMZ-ACCESS-IN permit tcp object DMZ-HOST object INSIDE-HOST eq 80
access-list DMZ-ACCESS-IN deny ip any object-group RFC1918
access-list DMZ-ACCESS-IN permit tcp object DMZ-HOST any eq 25

Everything above the deny line is for the communication to my own networks. In the lines below the deny I can now use the keyword "any", which is the internet in this case, as all communication to internal networks has been filtered out. If I later add an additional interface with a private network, nothing has to change in my existing ACLs to block access to that network."

Original post can be found here: https://supportforums.cisco.com/thread/2171251
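To check that the ordering in the quoted ACL really behaves as described, here is an added Python script (my own illustration, not code from the original post or from Cisco) that parses the three access-list lines and evaluates sample flows the way the ASA does: first match wins, with an implicit deny at the end. The addresses behind DMZ-HOST and INSIDE-HOST are constructed assumptions, since the post does not give them; the RFC1918 object-group is taken from the post. The script only understands the subset of the access-list syntax that appears in the post (object, object-group, any, and eq <port>).

```python
import ipaddress

# Constructed object definitions. The hosts behind DMZ-HOST and INSIDE-HOST are
# hypothetical; only the RFC1918 object-group is taken from the quoted post.
OBJECTS = {
    "DMZ-HOST": ["192.168.10.10/32"],
    "INSIDE-HOST": ["10.1.1.20/32"],
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

# The three ACL lines from the post, in the order they are configured.
ACL = [
    "access-list DMZ-ACCESS-IN permit tcp object DMZ-HOST object INSIDE-HOST eq 80",
    "access-list DMZ-ACCESS-IN deny ip any object-group RFC1918",
    "access-list DMZ-ACCESS-IN permit tcp object DMZ-HOST any eq 25",
]


def parse_ace(line):
    """Parse one access-list line (subset of ASA syntax) into a dict."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line: %s" % line)
    name, action, proto = tok[1], tok[2], tok[3]
    pos = 4

    def take_addr():
        # Consume one source/destination specification and return its networks.
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ["0.0.0.0/0"]
        if tok[pos] in ("object", "object-group"):
            nets = OBJECTS[tok[pos + 1]]
            pos += 2
            return nets
        raise ValueError("unsupported address spec: %s" % tok[pos])

    src = take_addr()
    dst = take_addr()
    dport = None
    if pos < len(tok) and tok[pos] == "eq":
        dport = int(tok[pos + 1])  # destination port after the destination
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def in_nets(ip, nets):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def evaluate(acl, src, dst, proto, dport):
    """First-match evaluation. Returns (action, line_number); line_number is
    None when no line matched and the implicit deny at the end applies."""
    for num, line in enumerate(acl, 1):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if not in_nets(src, ace["src"]) or not in_nets(dst, ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], num
    return "deny", None  # implicit deny at the end of every ASA ACL


if __name__ == "__main__":
    dmz = "192.168.10.10"
    flows = [
        (dmz, "10.1.1.20", "tcp", 80),     # DMZ host to inside web: line 1
        (dmz, "10.1.1.20", "tcp", 25),     # DMZ host to inside SMTP: blocked by line 2
        (dmz, "203.0.113.5", "tcp", 25),   # DMZ host to internet SMTP: line 3
        (dmz, "172.20.0.5", "tcp", 25),    # a new private network: blocked by line 2
        (dmz, "203.0.113.5", "tcp", 443),  # nothing matches: implicit deny
    ]
    for flow in flows:
        print(flow, "->", evaluate(ACL, *flow))
```

The fourth flow is the point of the post: a destination in a private range that did not exist when the ACL was written (172.20.0.0/16 here) is still caught by the `deny ip any object-group RFC1918` line before the `permit ... any eq 25` line can match, so adding an interface for that network needs no ACL change. The last flow shows the implicit deny that replaces the "permit all traffic to less secure networks" behaviour once an ACL is applied.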
