Lab 1.6 IP ACLs on ASA: Basic issue

Hello,

I'm confused by a basic issue related to IP ACL configuration on the ASA.

As detailed by INE's solution for this lab, we can see that this lab applies an ACL in the direction from HIGH SECURITY-LEVEL to LOW SECURITY-LEVEL. So basically speaking, we will intervene in the automated inspection engine of the ASA for the above direction: all non-matching traffic (against the ACL, going from high security-level to low security-level) will NOT be inspected to dynamically open holes for returning traffic. Yes, I agree.

But the question is: will all non-matching traffic (against the ACL, going from high security-level to low security-level) be permitted to go through the ASA?

I ask this question because INE's solution did not explicitly permit HTTP/FTP traffic going from the AAA Server in the DMZ to OUTSIDE in the outbound ACL, but the outside hosts are still able to access these services. :(

Hope someone could help me.

Regards,

Comments

  • The non-matching traffic will be dropped by the implicit deny any any.

    With regards

    Kings

  • Hello Kingsley,

    Thanks for your reply, but the outside hosts are still able to initiate HTTP/FTP traffic to the servers in the DMZ. It means that HTTP/FTP traffic sourced from the servers can go through the ASA without explicit permission in the ACL. I'm stuck on this issue. :(

  • Hi,

    I don't see any reason why traffic from a lower security interface would be allowed to a higher security interface without an inbound ACL explicitly permitting it. That's impossible.

    Thanks.

  • Hi,

    Default rules are as follows: all traffic is allowed and inspected for traffic from high to low security level, all traffic is dropped from low to high security level, and traffic between interfaces with the same security level is allowed. When you apply an ACL to an interface, in the inbound or outbound direction, the above rules no longer apply, and traffic will be inspected by the ACL applied (traffic between interfaces with the same security level still needs to be enabled). Traffic conforming with the ACL will pass through, and returning traffic is allowed back because of the stateful firewall nature of the ASA. The SG allows inbound FTP/WWW/NTP traffic on the outside interface, and returning traffic is allowed by the stateful firewall and is NOT inspected by the outbound ACL on the outside interface.

    Hope it's clear.

    Good Luck!
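A toy model, added here and not taken from INE's solution or from the ASA itself, of the decision order the comment above describes: the connection table is checked first, then the ACL on the ingress interface with its implicit deny, and only then the security-level defaults. The interface names, addresses and ACL entries are constructed for the illustration.

```python
# Constructed model of how an ASA decides on a packet; not ASA code.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ingress: str  # interface the packet arrives on
    egress: str   # interface it would leave on

def _match(entry, p):
    src, dst, dport = entry  # "any" is a wildcard, like the ASA keyword
    return src in ("any", p.src) and dst in ("any", p.dst) and dport == p.dport

@dataclass
class ASA:
    levels: dict                               # interface -> security level
    acls: dict = field(default_factory=dict)   # interface -> inbound ACL entries
    conns: set = field(default_factory=set)    # (client, server, server_port)

    def forward(self, p):
        """Return (verdict, reason) and record new connections in the state table."""
        # 1. Return traffic of an established connection is allowed
        #    without consulting any ACL (stateful firewall).
        if (p.dst, p.src, p.sport) in self.conns:
            return "allow", "existing connection"
        # 2. An ACL on the ingress interface replaces the default rules
        #    and ends with an implicit deny.
        acl = self.acls.get(p.ingress)
        if acl is not None:
            if any(_match(e, p) for e in acl):
                self.conns.add((p.src, p.dst, p.dport))
                return "allow", "acl permit"
            return "deny", "acl implicit deny"
        # 3. No ACL: the security-level defaults decide.
        if self.levels[p.ingress] > self.levels[p.egress]:
            self.conns.add((p.src, p.dst, p.dport))
            return "allow", "high-to-low default"
        return "deny", "low-to-high default"

def demo():
    asa = ASA(levels={"outside": 0, "dmz": 50},
              acls={"outside": [("any", "192.0.2.10", 80)],  # permit HTTP to the DMZ server
                    "dmz": [("192.0.2.10", "any", 53)]})     # server may only start DNS
    srv, cli = "192.0.2.10", "203.0.113.5"
    syn = Packet(cli, srv, 40000, 80, "outside", "dmz")    # outside client opens HTTP
    reply = Packet(srv, cli, 80, 40000, "dmz", "outside")  # server's reply; nothing permits it
    fresh = Packet(srv, cli, 40001, 80, "dmz", "outside")  # server-initiated HTTP
    return asa.forward(syn), asa.forward(reply), asa.forward(fresh)
```

`demo()` shows the reply passing on the state table alone while a fresh server-initiated HTTP connection hits the DMZ ACL's implicit deny.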
