Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

access rules in Security Policy through ASDM

Posted on 2008-10-18
9
862 Views
Last Modified: 2013-11-16
Hi Experts,

I've have a bunch of incoming rules (WAN) which I have changed to Action DENY and still able to access the internet. Shouldn't  I be denied accessing the internet by ASA if I put my incoming rules (WAN) deny status?

The question then is, what do you use the 'access rules' under Security Policy in Cisco ASDM for ?
Now it got to a point Am i better of using CLI to create my access rules rather than spending time ASDM creating accessing rules which doesn't seems to work.
0
Comment
Question by:mcse2007
  • 4
  • 4
9 Comments
 
LVL 5

Assisted Solution

by:rexxus
rexxus earned 100 total points
ID: 22748256
My understanding is that all inside to outside traffic is explicitly permitted, the outgoing packet sets up a state table rule allowing the answering incoming packet, the state table is processed before the inbound ACL's, so to stop this behaviour you have to deny outbound traffic to servers you don't want and permit everything else
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 300 total points
ID: 22750069
WAN (outside) access-rules only apply to packets originating on the outside coming in. Use these to allow things like email to your mail server, www requests to your www server, etc.

The default inside access rule is permit ip any any, you don't see it in the cli or config.
In ASDM, you can add rules to the inside interface to block internal users from getting out.


0
 
LVL 7

Author Comment

by:mcse2007
ID: 22750804
WAN (outside) access-rules only apply to packets originating on the outside coming in. Use these to allow things like email to your mail server, www requests to your www server, etc.
 [mcse2007] if I permit only outbound traffic like internet access, then i don't need this rule. Yes?

The default inside access rule is permit ip any any, you don't see it in the cli or config.
[mcse2007]  this explains I cannot see the inside access rule in the running config.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 79

Expert Comment

by:lrmoore
ID: 22752030
> if I permit only outbound traffic like internet access, then i don't need this rule. Yes?
Correct.
By default, all traffic from higher security (inside) to lower security interface (outside) is allowed.
Once it goes out, a dynamic rule is created to allow the returning traffic to come in.
Only apply an acl to restrict specific traffic going out.

0
 
LVL 7

Author Comment

by:mcse2007
ID: 22754670
>Only apply an acl to restrict specific traffic going out.
I deleted my WAN (incoming) rules - see enclosed - then save the changes but now I cannot connect to the internet .

I thought that WAN (incoming) traffic rules are meant to be created to access your webmail, your website from outside. But, without my WAN (incoming) access rules, no internet traffic gets into my LAN.
WAN.JPG
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22754691
What version ASDM/PIXOS?
Can you post the text config?
0
 
LVL 7

Author Comment

by:mcse2007
ID: 22754707
I'm using Cisco ASDM 5.2(3), ASA version 7.2(3)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22756858
Do you have any access-group commands in the config?
Can you post your config?
0
 
LVL 7

Author Comment

by:mcse2007
ID: 22757492
I'll post the config as soon as I get into the office tomorrow. BTW, what are access-group commands forand their purpose (eg good or bad).
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco 3650 switch 7 45
Draytek (Site to Site VPN using IPSec) 6 36
Confirming a network firewall is blocking connections to a port 7 45
ASA 5506X create a simple DMZ 4 26
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question