Solved

access rules in Security Policy through ASDM

Posted on 2008-10-18
9
853 Views
Last Modified: 2013-11-16
Hi Experts,

I've have a bunch of incoming rules (WAN) which I have changed to Action DENY and still able to access the internet. Shouldn't  I be denied accessing the internet by ASA if I put my incoming rules (WAN) deny status?

The question then is, what do you use the 'access rules' under Security Policy in Cisco ASDM for ?
Now it got to a point Am i better of using CLI to create my access rules rather than spending time ASDM creating accessing rules which doesn't seems to work.
0
Comment
Question by:mcse2007
  • 4
  • 4
9 Comments
 
LVL 5

Assisted Solution

by:rexxus
rexxus earned 100 total points
ID: 22748256
My understanding is that all inside to outside traffic is explicitly permitted, the outgoing packet sets up a state table rule allowing the answering incoming packet, the state table is processed before the inbound ACL's, so to stop this behaviour you have to deny outbound traffic to servers you don't want and permit everything else
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 300 total points
ID: 22750069
WAN (outside) access-rules only apply to packets originating on the outside coming in. Use these to allow things like email to your mail server, www requests to your www server, etc.

The default inside access rule is permit ip any any, you don't see it in the cli or config.
In ASDM, you can add rules to the inside interface to block internal users from getting out.


0
 
LVL 7

Author Comment

by:mcse2007
ID: 22750804
WAN (outside) access-rules only apply to packets originating on the outside coming in. Use these to allow things like email to your mail server, www requests to your www server, etc.
 [mcse2007] if I permit only outbound traffic like internet access, then i don't need this rule. Yes?

The default inside access rule is permit ip any any, you don't see it in the cli or config.
[mcse2007]  this explains I cannot see the inside access rule in the running config.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 79

Expert Comment

by:lrmoore
ID: 22752030
> if I permit only outbound traffic like internet access, then i don't need this rule. Yes?
Correct.
By default, all traffic from higher security (inside) to lower security interface (outside) is allowed.
Once it goes out, a dynamic rule is created to allow the returning traffic to come in.
Only apply an acl to restrict specific traffic going out.

0
 
LVL 7

Author Comment

by:mcse2007
ID: 22754670
>Only apply an acl to restrict specific traffic going out.
I deleted my WAN (incoming) rules - see enclosed - then save the changes but now I cannot connect to the internet .

I thought that WAN (incoming) traffic rules are meant to be created to access your webmail, your website from outside. But, without my WAN (incoming) access rules, no internet traffic gets into my LAN.
WAN.JPG
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22754691
What version ASDM/PIXOS?
Can you post the text config?
0
 
LVL 7

Author Comment

by:mcse2007
ID: 22754707
I'm using Cisco ASDM 5.2(3), ASA version 7.2(3)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22756858
Do you have any access-group commands in the config?
Can you post your config?
0
 
LVL 7

Author Comment

by:mcse2007
ID: 22757492
I'll post the config as soon as I get into the office tomorrow. BTW, what are access-group commands forand their purpose (eg good or bad).
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question