ASA Implicit Rule “Permit all traffic to less secure networks” ACL

When adding a new network interface to the ASA, you must specify a security level. Based on this security level, the default ACL allows you to access “less secure” networks and denies access to “more secure” networks. This default rule works great until you need to implement a security zone with specific access to different zones. For example, a DMZ would have a security level of 50 (access to outside, implicit deny to inside). When we need to add an ACL to permit certain access to the inside, the implicit “Permit all traffic to less secure networks” rule is removed. We must manually add this in. I found a great post regarding this setup on the Cisco Support Community which I will copy here for future reference:

“I have an object-group for all my networks. As these are normally in the RFC1918-range, that's my object-group:

object-group network RFC1918
   network-object 10.0.0.0 255.0.0.0
   network-object 172.16.0.0 255.240.0.0
   network-object 192.168.0.0 255.255.0.0

Next on all interfaces I have two logical sections:

access-list DMZ-ACCESS-IN permit tcp object DMZ-HOST object INSIDE-HOST eq 80
access-list DMZ-ACCESS-IN deny ip any object-group RFC1918
access-list DMZ-ACCESS-IN permit tcp object DMZ-HOST any eq 25

Everything above the deny-line is for the communication to my own networks. In the lines below the deny I can now use the keyword “any” which is the internet in this case as all communication to internal networks has been filtered out. If I later add an additional interface with a private network nothing has to change in my existing ACLs to block access to that network.”

Original post can be found here: https://supportforums.cisco.com/thread/2171251
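To see why the position of the deny-line matters, here is an added example (not from the original post or from Cisco) that models the ASA's top-to-bottom first-match evaluation of DMZ-ACCESS-IN. The DMZ-HOST and INSIDE-HOST addresses and the "later added" 192.168.77.0 segment are constructed for the demo; the RFC1918 object-group is the one from the quoted post.

```python
import ipaddress

# Constructed sample objects. DMZ-HOST and INSIDE-HOST are hypothetical;
# RFC1918 is the object-group from the post; "any" is 0.0.0.0/0.
OBJECTS = {
    "DMZ-HOST": ["10.0.50.10/32"],
    "INSIDE-HOST": ["10.0.1.20/32"],
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "any": ["0.0.0.0/0"],
}

# DMZ-ACCESS-IN as written in the post: (action, proto, src, dst, dst_port)
DMZ_ACCESS_IN = [
    ("permit", "tcp", "DMZ-HOST", "INSIDE-HOST", 80),
    ("deny", "ip", "any", "RFC1918", None),
    ("permit", "tcp", "DMZ-HOST", "any", 25),
]

# Same three lines with the deny moved below the permit-to-any line, i.e.
# the ordering mistake the post's layout avoids.
MISORDERED = [DMZ_ACCESS_IN[0], DMZ_ACCESS_IN[2], DMZ_ACCESS_IN[1]]


def _in_object(obj_name, ip):
    """True if ip falls inside any network listed for the named object."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in OBJECTS[obj_name])


def evaluate(acl, proto, src, dst, dport):
    """First matching line wins; no match falls through to the implicit deny."""
    for action, p, s, d, port in acl:
        if p != "ip" and p != proto:
            continue
        if port is not None and port != dport:
            continue
        if _in_object(s, src) and _in_object(d, dst):
            return action
    return "deny"  # implicit deny at the end of every ASA ACL


def smtp_to_new_segment(acl, new_host="192.168.77.5"):
    """SMTP from DMZ-HOST to a host on a private segment added after the ACL."""
    return evaluate(acl, "tcp", "10.0.50.10", new_host, 25)
```

With the post's ordering the new private segment is denied without touching the ACL, while the misordered list lets the "any" line permit it.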
