outside access-list

cormon

Technical User
Mar 4, 2005
73
GB

Hello Lads,

I have a quick question in relation to an outside access-list applied to the external interface. I have an ASA 5510 that is connecting some LAN users out to the internet. Very simple set-up, just a global nat statement and simple access-list to allow the users out.

Here is my question: as I don't need any traffic to be initiated from the outside world, I have not applied an access-list on the outside interface and am working off the premise that traffic cannot flow from a lower security interface to a high security interface without being explicitly defined. Is this a safe assumption, as I have read somewhere that this may be an oversight?

Thanks

Kevin
 
You are correct, as long as you don't have an access-list applied to the outside interface no traffic that originates on the outside can flow inbound.
 
Your assumption is correct.
But remember that the moment you add any statements to the outside interface, there is an implicit "deny all" at the end of the access list. So if you say, allow inbound TCP port 80, all traffic inbound will be denied except 80. All traffic initiated from the inside to the outside will always be allowed back in, unless explicitly denied. It is very important to remember that all access lists end with an implicit deny.
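
The following is an added example, not part of the thread: a small Python check that reads an ASA running-config and reports whether an ACL is bound inbound on the outside interface, which entries it permits before the implicit deny, and which ACLs are defined but never applied. The config excerpt, ACL names and addresses are constructed sample data; the parser assumes `nameif` precedes `security-level` and only looks at per-interface `access-group ... in interface` bindings.

```python
import re

# Constructed ASA running-config excerpt (sample data, not from the thread).
SAMPLE = """\
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
access-list INSIDE_OUT extended permit ip 192.168.1.0 255.255.255.0 any
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-group INSIDE_OUT in interface inside
"""

def audit_inbound(config, iface="outside"):
    """Summarise which connections initiated on `iface` the config admits."""
    levels, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface"):
            name = None  # new interface block, forget the previous nameif
        elif m := re.match(r"\s+nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"\s+security-level (\d+)", line)) and name:
            levels[name] = int(m.group(1))
    # ACL name -> its permit entries, in configuration order.
    permits = {}
    for acl, rule in re.findall(r"^access-list (\S+) extended (permit .+)$", config, re.M):
        permits.setdefault(acl, []).append(rule)
    # Inbound bindings: interface name -> ACL name.
    bound = {i: a for a, i in
             re.findall(r"^access-group (\S+) in interface (\S+)$", config, re.M)}
    acl = bound.get(iface)
    return {
        "security_level": levels.get(iface),
        "bound_acl": acl,
        # No ACL bound: only the security-level rule applies, so nothing
        # initiated on this lower-security interface reaches a higher one.
        # ACL bound: only these entries pass; the rest hits the implicit deny.
        "permitted": permits.get(acl, []) if acl else [],
        # ACLs written but never applied have no effect; worth flagging.
        "unbound_acls": sorted(set(permits) - set(bound.values())),
    }
```

Run against the sample, it reports no ACL bound on `outside` and flags `OUTSIDE_IN` as unbound; once an `access-group OUTSIDE_IN in interface outside` line is present, the single `permit ... eq www` entry is the only inbound-initiated traffic listed.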
 