• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 899
  • Last Modified:

access rules in Security Policy through ASDM

Hi Experts,

I've have a bunch of incoming rules (WAN) which I have changed to Action DENY and still able to access the internet. Shouldn't  I be denied accessing the internet by ASA if I put my incoming rules (WAN) deny status?

The question then is, what do you use the 'access rules' under Security Policy in Cisco ASDM for ?
Now it got to a point Am i better of using CLI to create my access rules rather than spending time ASDM creating accessing rules which doesn't seems to work.
0
mcse2007
Asked:
mcse2007
  • 4
  • 4
2 Solutions
 
rexxusCommented:
My understanding is that all inside to outside traffic is explicitly permitted, the outgoing packet sets up a state table rule allowing the answering incoming packet, the state table is processed before the inbound ACL's, so to stop this behaviour you have to deny outbound traffic to servers you don't want and permit everything else
0
 
lrmooreCommented:
WAN (outside) access-rules only apply to packets originating on the outside coming in. Use these to allow things like email to your mail server, www requests to your www server, etc.

The default inside access rule is permit ip any any, you don't see it in the cli or config.
In ASDM, you can add rules to the inside interface to block internal users from getting out.


0
 
mcse2007Author Commented:
WAN (outside) access-rules only apply to packets originating on the outside coming in. Use these to allow things like email to your mail server, www requests to your www server, etc.
 [mcse2007] if I permit only outbound traffic like internet access, then i don't need this rule. Yes?

The default inside access rule is permit ip any any, you don't see it in the cli or config.
[mcse2007]  this explains I cannot see the inside access rule in the running config.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
lrmooreCommented:
> if I permit only outbound traffic like internet access, then i don't need this rule. Yes?
Correct.
By default, all traffic from higher security (inside) to lower security interface (outside) is allowed.
Once it goes out, a dynamic rule is created to allow the returning traffic to come in.
Only apply an acl to restrict specific traffic going out.

0
 
mcse2007Author Commented:
>Only apply an acl to restrict specific traffic going out.
I deleted my WAN (incoming) rules - see enclosed - then save the changes but now I cannot connect to the internet .

I thought that WAN (incoming) traffic rules are meant to be created to access your webmail, your website from outside. But, without my WAN (incoming) access rules, no internet traffic gets into my LAN.
WAN.JPG
0
 
lrmooreCommented:
What version ASDM/PIXOS?
Can you post the text config?
0
 
mcse2007Author Commented:
I'm using Cisco ASDM 5.2(3), ASA version 7.2(3)
0
 
lrmooreCommented:
Do you have any access-group commands in the config?
Can you post your config?
0
 
mcse2007Author Commented:
I'll post the config as soon as I get into the office tomorrow. BTW, what are access-group commands forand their purpose (eg good or bad).
0

Featured Post

Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now