Solved

access rules in Security Policy through ASDM

Posted on 2008-10-18
9
828 Views
Last Modified: 2013-11-16
Hi Experts,

I've have a bunch of incoming rules (WAN) which I have changed to Action DENY and still able to access the internet. Shouldn't  I be denied accessing the internet by ASA if I put my incoming rules (WAN) deny status?

The question then is, what do you use the 'access rules' under Security Policy in Cisco ASDM for ?
Now it got to a point Am i better of using CLI to create my access rules rather than spending time ASDM creating accessing rules which doesn't seems to work.
0
Comment
Question by:mcse2007
  • 4
  • 4
9 Comments
 
LVL 5

Assisted Solution

by:rexxus
rexxus earned 100 total points
Comment Utility
My understanding is that all inside to outside traffic is explicitly permitted, the outgoing packet sets up a state table rule allowing the answering incoming packet, the state table is processed before the inbound ACL's, so to stop this behaviour you have to deny outbound traffic to servers you don't want and permit everything else
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 300 total points
Comment Utility
WAN (outside) access-rules only apply to packets originating on the outside coming in. Use these to allow things like email to your mail server, www requests to your www server, etc.

The default inside access rule is permit ip any any, you don't see it in the cli or config.
In ASDM, you can add rules to the inside interface to block internal users from getting out.


0
 
LVL 7

Author Comment

by:mcse2007
Comment Utility
WAN (outside) access-rules only apply to packets originating on the outside coming in. Use these to allow things like email to your mail server, www requests to your www server, etc.
 [mcse2007] if I permit only outbound traffic like internet access, then i don't need this rule. Yes?

The default inside access rule is permit ip any any, you don't see it in the cli or config.
[mcse2007]  this explains I cannot see the inside access rule in the running config.
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
> if I permit only outbound traffic like internet access, then i don't need this rule. Yes?
Correct.
By default, all traffic from higher security (inside) to lower security interface (outside) is allowed.
Once it goes out, a dynamic rule is created to allow the returning traffic to come in.
Only apply an acl to restrict specific traffic going out.

0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 7

Author Comment

by:mcse2007
Comment Utility
>Only apply an acl to restrict specific traffic going out.
I deleted my WAN (incoming) rules - see enclosed - then save the changes but now I cannot connect to the internet .

I thought that WAN (incoming) traffic rules are meant to be created to access your webmail, your website from outside. But, without my WAN (incoming) access rules, no internet traffic gets into my LAN.
WAN.JPG
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
What version ASDM/PIXOS?
Can you post the text config?
0
 
LVL 7

Author Comment

by:mcse2007
Comment Utility
I'm using Cisco ASDM 5.2(3), ASA version 7.2(3)
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
Do you have any access-group commands in the config?
Can you post your config?
0
 
LVL 7

Author Comment

by:mcse2007
Comment Utility
I'll post the config as soon as I get into the office tomorrow. BTW, what are access-group commands forand their purpose (eg good or bad).
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now