JMCraig (Programmer) (OP)
17 Aug 09 20:11
Hi Folks,

I thought I knew my way around my old PIX 501s pretty well, but this ASA 5505 has some curves I (apparently) haven't figured out.

Looking at the GUI ASDM program, it shows an implicit ACL rule for my vlan2 (inside):

permit
service: ip
source: any
destination: any less secure network

The accompanying comment (which I assume is generated by the GUI since there's no access-list inside-access-in entries in the "show running" terminal-style output) says "Implicit rule: Permit all traffic to less secure networks" -- Huh? How does permitting traffic to less secure networks go with an incoming rule? If the traffic is going to a less secure network (e.g. the dmz or the outside), is that not outgoing?

Now, I know everyone who knows their way around these ASA 5505 boxes uses the terminal interface exclusively, but I'm just trying to get my head around the concepts of these implicit rules.

If I put any kind of incoming rule on, should I expect it to stop all outgoing traffic--unless I add an explicit rule to allow outgoing traffic to the dmz or outside vlans? Same with outgoing: if I put on a deny rule for traffic I don't want to get out, do I also have to add an explicit "let everything else out" rule?

Thanks!

John

John Craig
Alpha-G Consulting, LLC
www.alphagconsulting.com
 

VinceWhirlwind (TechnicalUser)
17 Aug 09 23:27
I've configured a heap of those 5505s over the last little while and I must say I don't think I've ever looked at the Web-based GUI thing, although I hear it is very clear and easy to use.
 
The implicit rule you describe is no doubt the implicit rule that allows your VLANs with a higher security level to talk with VLANs on a lower one.
I guess it is "incoming" because the 5505 is all about virtual interfaces, not physical ones, so all traffic is "incoming" to a VLAN interface.
 
The config looks like this:
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.191.97.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
Supergrrover (IS/IT--Management)
18 Aug 09 13:02
The implicit rule is applied inbound to the inside interface. It has nothing specific to do with VLANs. If you apply a specific ACL to an interface there is an implied deny any any at the end. Be sure to explicitly allow any traffic you want or it will be blocked.
The ACL is processed top down and the first match wins.

The ASA will inspect all traffic and allow return traffic that matches the temporary inbound ACLs.

Brent
Systems Engineer / Consultant
CCNP, CCSP

JMCraig (Programmer) (OP)
18 Aug 09 14:53
Thanks VinceWhirlwind and Supergrrover.

What's puzzling to me is that the implicit rule goes away as soon as you put in any kind of explicit rule (as per Supergrrover's explanation). That's very odd-seeming, but next time I'll know to put in the explicit allow any/any rule and then put the restrictions above that. Just BTW, in general, I'd say the ASDM GUI is pretty good. It sure makes it easy to see the ACL rules in top-down order, for sure.

Now, I still do not get how the "implicit rule is applied inbound" when the description talks about allowing traffic to (not from) lower-security interfaces--but that whole to/from thing isn't handled consistently anyway. Does the implicit any/any rule on the inside interface really allow incoming traffic without restriction from the outside interface? Maybe it does and all the restrictions typically go on the outside interface.... So does that implicit rule mean that unless you change the settings, anything that gets into the outside interface can get through to the inside interface?

At any rate, I think I have enough info to get on with the configuration without shooting myself in the foot quite so badly as I was doing a couple of days ago. Thanks again.

John

John Craig
Alpha-G Consulting, LLC
www.alphagconsulting.com
 

Supergrrover (IS/IT--Management)
18 Aug 09 17:45
Traffic from the inside network going into the inside interface is what is being filtered with the inbound rule. It basically lets traffic into the device to be acted upon for VPN, policy, routing, etc.

Traffic headed in the outside interface is filtered by the outside interface ACL, doing the same as above, just on a different interface. It will allow all traffic to go to the inside or DMZ from the outside by passing it through the device.

Brent
Systems Engineer / Consultant
CCNP, CCSP

JMCraig (Programmer) (OP)
18 Aug 09 18:35
Ah, incoming (into the ASA device) from the network ports assigned to the inside interface--nope, I never would have figured that out. Big help; thanks! (That's not how I would have described it if I were King of IP terminology; just another thing to all be grateful for.)

John Craig
Alpha-G Consulting, LLC
www.alphagconsulting.com
 

VinceWhirlwind (TechnicalUser)
18 Aug 09 21:28
Supergrrover, this is a side issue from the direction of the acl, but I have to pick you up on
the implicit rule is applied inbound to the inside interface. it has nothing specific to do with vlans.
  
On a 5505 the "Inside" interface *is* a VLAN interface so it has *everything* to do with VLANs.
As you can have multiple ports configured to each VLAN it's less ambiguous to talk about "VLANs" because this makes it clear you are not talking about any physical interfaces which is exactly what a novice could get confused about on these boxes.
Supergrrover (IS/IT--Management)
19 Aug 09 1:16
Vince,

My issue was with this statement - "I guess it is "incoming" because the 5505 is all about virtual interfaces, not physical ones, so all traffic is "incoming" to a VLAN interface."

The idea of "inbound" and the implicit rule has nothing to do with a vlan versus a physical interface and everything to do with the security level and where the traffic originates. The ASA (contextually) sees VLANs and physical interfaces as the same from that standpoint. It is a security level segregation - higher allowed to lower. Saying that it is "VLAN based" is misleading. You assigned the VLAN to a physical interface so it is entering the device via that interface. The security level is then assigned by that VLAN or the physical interface level if there is no vlan tag.

You name the interfaces (VLAN/virtual or physical) so you can keep track of the traffic origin and how the ASA deals with it.

When you work with bigger hardware like the 5550, 5540, etc. the physical interface can be assigned multiple VLANs all with different security levels, and the physical interface can be assigned its own different security level or no VLANs at all. The security-based rules are still there in all cases.

The world is bigger than a 5505; why limit someone's understanding of what's really going on internally?

 

Brent
Systems Engineer / Consultant
CCNP, CCSP

VinceWhirlwind (TechnicalUser)
19 Aug 09 3:24
If they need to understand 5505s, there's no point telling them about stuff that's specific to non-5505 ASAs....
 
Let's just be clear on the difference because there seems to be some confusion:
5505 - inbuilt Layer2 switch, no subinterfaces, 802.1q configured with "switchport mode trunk" (Premium licence only), IP configured exclusively on virtual interfaces.
 
So no more telling people with 5505s to configure subinterfaces...
  
Supergrrover (IS/IT--Management)
19 Aug 09 23:32
Vince,
Trust me, the confusion is on your part.

1. There is no "Premium licence" - I think you mean a "Security Plus License"

2. I never told anyone to configure a "sub interface." I explained what was happening using only "interface" and you (erroneously) jumped all over it.

3. I never mentioned a physical interface until I had to correct you. I spoke of interfaces in general. As does Cisco with their own documentation regarding a 5505. - http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1054877

4. If you have configured a 5505 then you will be familiar with these commands -
interface Vlan1
 nameif inside  *** Short for "Name Interface"
 security-level 100
access-list 101 extended permit tcp any interface outside eq www  *** pretty clear reference here
static (inside,outside) tcp interface www 172.27.2.1 www netmask 255.255.255.255 *** Check any config guide and this will reference interfaces - http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1202525
access-group 101 in interface outside *** again pretty clear reference here

Again I restate my issue of your lack of understanding:
"I guess it is "incoming" because the 5505 is all about virtual interfaces, not physical ones, so all traffic is "incoming" to a VLAN interface."


It has nothing to do with VLANs "only" nor that it must be inbound to a VLAN because you can go outbound as well. - http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1440089

The ASA deals with interfaces. Physical or VLAN is irrelevant - 5505 or not. So let's stop the thread jacking and get JMCraig up and running and give him a deeper understanding so maybe he can help people here some day.
 

Brent
Systems Engineer / Consultant
CCNP, CCSP

JMCraig (Programmer) (OP)
20 Aug 09 14:50
OK. Questions of vlan vs. interface terminology aside, it turns out (given the clearer understanding of what "incoming" means--into the ASA 5505 from a device connected to the inside interface), I don't need to do anything with the implied rules. But, again, just to get the concepts straight in my head, I attempted to replace the implied rule with one like this:

incoming rules:
source:
  any
destination:
  outside
service:
  ip
action:
  permit

Well, that effectively cut off access from all the devices connected to the ASA 5505's inside interface to the Internet. With that rule in place, the ASA blocks (via the default inside interface incoming deny/any/any rule) pings to the ISP's DNS servers; web servers on the Internet; and anything else you care to name. It does not seem that my explicit rule is getting attended to at all.

Now, leaving aside the dmz interface for the time being, and just thinking about inside & outside interfaces, how is the above rule any different from the implied one, that shows up this way:

incoming rules:
source:
  any
destination:
  Any less secure network
service:
  ip
action:
  permit

Obviously, the outside interface (security level 0) is less than the inside interface (level 100), but why does the explicit rule not do what the implied rule does?

The only difference I can see is that in the explicit rule, I've named a specific interface; in the implied rule, it does use the term "network" rather than interface. Am I misusing the outside interface as the destination? Should it be something else--an actual subnet, for instance? (Which obviously would not be practical when you want to get to any public IP you happen to be interested in, at the moment.)


 

John Craig
Alpha-G Consulting, LLC
www.alphagconsulting.com
 

Supergrrover (IS/IT--Management)
21 Aug 09 0:37
Outside in that case means the outside interface IP. You should be thinking networks.

Interface = Inside
Direction = incoming
Action = Permit
Source =
  Type = IP Address
  IP Address = click the [...] button and select "inside-network"
destination =
  Type = IP Address
  IP Address = Any
Protocol or Service = ip

This will allow traffic from the inside network out to the internet at large (destination is any ip address, the default route will tell it to send it out to the default gateway for networks that are not known to the ASA)

Kill that example and now do this line -

Interface = Inside
Direction = incoming
Action = Deny
Source =
  Type = IP Address
  IP Address = click the [...] button and select "inside-network"
destination =
  Type = IP Address
  IP Address = Any
Protocol or Service = tcp
  Source port = any
  Destination port = http/www

and then add the one from above right after it.

You will block all http/www traffic out to the internet but allow everything else. You can do this for groups as an option (set up allowed services outbound) and allow only specific access to the internet or to a specific group of servers. A good practice, once you get it all thought out. I only allow needed services and block everything else. I only permit SMTP to specific servers, etc. to keep spamming to zero. There is all sorts of power here.

Get a good handle on ACLs and then you can start VPNs and inspection policies.

I strongly recommend the CLI - It's more powerful and once you get good at it you can charge $$$.

 

Brent
Systems Engineer / Consultant
CCNP, CCSP
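The behaviour argued about in this thread can be replayed in a few dozen lines. The following is an added example written for this page, not Cisco code and not anything the posters ran: it models Supergrrover's first answer (no access-group bound means the implicit higher-to-lower permit applies; a bound ACL is walked top down, first match wins, implicit deny at the end) and then replays JMCraig's "destination: outside" rule and Brent's deny-http-then-permit recipe. The interface names, the 192.168.x/203.0.113.x/192.0.2.x addresses, the rule format, the default route via outside and the reading of "interface outside" as the outside interface's own IP (Brent's point) are all assumptions. NAT, stateful return traffic and same-security-traffic are deliberately left out.

```python
"""Toy model of the ASA per-interface access decision (added example for this
thread, not Cisco code). Addresses, interface names and the rule format are
constructed assumptions chosen to match the posts above."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    security_level: int
    ip: str                                    # the interface's own address (assumed)
    network: str                               # directly connected subnet (assumed)
    acl: list = field(default_factory=list)    # rules bound "in" on this interface


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: int = 0


def ace(action, proto, src, dst, dport=None):
    """One access-control entry. src/dst are 'any', a CIDR/host, or
    'interface <name>', which means that interface's own IP address,
    not the network behind it (the trap JMCraig fell into)."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def build_asa():
    """Constructed three-interface 5505 layout using documentation ranges."""
    return {
        "inside":  Interface("inside", 100, "192.168.1.1", "192.168.1.0/24"),
        "dmz":     Interface("dmz", 50, "192.168.2.1", "192.168.2.0/24"),
        "outside": Interface("outside", 0, "203.0.113.2", "203.0.113.0/24"),
    }


def _matches(spec, addr, ifaces):
    if spec == "any":
        return True
    if spec.startswith("interface "):
        return addr == ifaces[spec.split()[1]].ip
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def _egress(dst, ifaces):
    """Exit interface: a connected subnet if one matches, else the assumed
    default route out the outside interface."""
    for iface in ifaces.values():
        if ipaddress.ip_address(dst) in ipaddress.ip_network(iface.network):
            return iface
    return ifaces["outside"]


def decide(ingress, pkt, ifaces):
    """'permit' or 'deny' for a packet entering the ASA on interface `ingress`."""
    ing = ifaces[ingress]
    if not ing.acl:
        # No access-group bound: the implicit rule ASDM displays applies, i.e.
        # traffic may only go to a *less* secure interface.
        lower = _egress(pkt.dst, ifaces).security_level < ing.security_level
        return "permit" if lower else "deny"
    for rule in ing.acl:                       # top down, first match wins
        if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
            continue
        if rule["dport"] is not None and rule["dport"] != pkt.dport:
            continue
        if _matches(rule["src"], pkt.src, ifaces) and _matches(rule["dst"], pkt.dst, ifaces):
            return rule["action"]
    return "deny"                              # implicit deny ip any any at the end


def scenario_implicit():
    """No ACL bound anywhere: inside -> Internet passes, outside -> inside does not."""
    asa = build_asa()
    out = decide("inside", Packet("192.168.1.10", "192.0.2.53", "udp", 53), asa)
    back_in = decide("outside", Packet("198.51.100.7", "192.168.1.10", "tcp", 445), asa)
    return out, back_in


def scenario_op_rule():
    """JMCraig's rule: permit ip any -> 'outside'. Only packets addressed to the
    outside interface itself match; Internet-bound traffic hits the implicit deny."""
    asa = build_asa()
    asa["inside"].acl = [ace("permit", "ip", "any", "interface outside")]
    internet = decide("inside", Packet("192.168.1.10", "192.0.2.53", "udp", 53), asa)
    to_asa = decide("inside", Packet("192.168.1.10", "203.0.113.2"), asa)
    return internet, to_asa


def scenario_brent_rules(reverse=False):
    """Brent's recipe: deny inside-network -> any tcp/80, then permit inside-network -> any.
    With reverse=True the permit sits first and the deny can never match."""
    asa = build_asa()
    rules = [ace("deny", "tcp", "192.168.1.0/24", "any", dport=80),
             ace("permit", "ip", "192.168.1.0/24", "any")]
    asa["inside"].acl = rules[::-1] if reverse else rules
    web = decide("inside", Packet("192.168.1.10", "192.0.2.80", "tcp", 80), asa)
    dns = decide("inside", Packet("192.168.1.10", "192.0.2.53", "udp", 53), asa)
    dmz = decide("inside", Packet("192.168.1.10", "192.168.2.5", "tcp", 443), asa)
    return web, dns, dmz


if __name__ == "__main__":
    print(scenario_implicit(), scenario_op_rule(),
          scenario_brent_rules(), scenario_brent_rules(reverse=True))
```

Run it and the three scenarios line up with the thread: with nothing bound, inside-to-Internet is permitted and outside-to-inside is not; JMCraig's permit-to-"outside" rule only lets hosts reach the firewall's own outside address, so everything else falls to the implicit deny; and Brent's two rules block web but pass DNS and the DMZ only when the deny is listed first, which is exactly why order matters on a first-match ACL.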
