Solved

access rules in Security Policy through ASDM

Posted on 2008-10-18
Medium Priority
885 Views
Last Modified: 2013-11-16
Hi Experts,

I have a bunch of incoming rules (WAN) which I have changed to Action DENY and I am still able to access the internet. Shouldn't I be denied access to the internet by the ASA if I put my incoming rules (WAN) in deny status?

The question then is, what do you use the 'access rules' under Security Policy in Cisco ASDM for?
Now it has got to the point: am I better off using the CLI to create my access rules rather than spending time in ASDM creating access rules which don't seem to work?
Question by:mcse2007
9 Comments
 
LVL 5

Assisted Solution

by:rexxus
rexxus earned 300 total points
ID: 22748256
My understanding is that all inside-to-outside traffic is explicitly permitted. The outgoing packet sets up a state table rule allowing the answering incoming packet, and the state table is processed before the inbound ACLs, so to stop this behaviour you have to deny outbound traffic to the servers you don't want and permit everything else.
0
 
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 900 total points
ID: 22750069
WAN (outside) access-rules only apply to packets originating on the outside coming in. Use these to allow things like email to your mail server, www requests to your www server, etc.

The default inside access rule is permit ip any any; you don't see it in the CLI or config.
In ASDM, you can add rules to the inside interface to block internal users from getting out.

0
 
LVL 7

Author Comment

by:mcse2007
ID: 22750804
> WAN (outside) access-rules only apply to packets originating on the outside coming in. Use these to allow things like email to your mail server, www requests to your www server, etc.

[mcse2007] If I permit only outbound traffic like internet access, then I don't need this rule. Yes?

> The default inside access rule is permit ip any any; you don't see it in the CLI or config.

[mcse2007] This explains why I cannot see the inside access rule in the running config.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22752030
> if I permit only outbound traffic like internet access, then i don't need this rule. Yes?
Correct.
By default, all traffic from higher security (inside) to lower security interface (outside) is allowed.
Once it goes out, a dynamic rule is created to allow the returning traffic to come in.
Only apply an acl to restrict specific traffic going out.

0
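The two explanations in this thread (rexxus on the state table being checked before the inbound ACL, and lrmoore on the default permit from a higher- to a lower-security interface plus the dynamic entry for returning traffic) can be put into a small Python model. This is an added example, not code from the thread, from Experts Exchange or from Cisco; the Firewall, Interface and Rule classes, the evaluation order and the addresses are my own simplifying assumptions (NAT, inspection engines and ASDM's own rule handling are left out). It replays the asker's situation: every rule on the outside (WAN) interface set to DENY, yet a LAN host can still browse, until an access-list bound to the inside interface with access-group is what actually blocks it.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example: a simplified model of the order in which a Cisco ASA
# decides the fate of a packet. Hypothetical classes and addresses; NAT,
# inspection engines and per-port state are deliberately left out.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    """One 'access-list NAME extended permit|deny ...' entry (simplified)."""
    action: str                  # "permit" or "deny"
    src: str                     # host address or "any"
    dst: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and self.dport in (None, pkt.dport))


@dataclass
class Interface:
    name: str
    security_level: int                  # inside is 100, outside is 0
    acl_in: Optional[List[Rule]] = None  # bound with 'access-group NAME in interface NAME'


class Firewall:
    def __init__(self, interfaces: List[Interface]) -> None:
        self.ifaces = {i.name: i for i in interfaces}
        self.conn_table = set()  # flows already allowed: (src, sport, dst, dport, proto)

    @staticmethod
    def _acl_verdict(iface: Interface, pkt: Packet) -> Optional[str]:
        """First matching rule wins; every ACL ends in an implicit deny."""
        if iface.acl_in is None:
            return None  # no ACL bound on this interface
        for rule in iface.acl_in:
            if rule.matches(pkt):
                return rule.action
        return "deny"

    def process(self, ingress: str, egress: str, pkt: Packet) -> str:
        ing, eg = self.ifaces[ingress], self.ifaces[egress]
        # 1. Stateful check comes first: a reply to a flow the ASA already
        #    permitted passes before any interface ACL is consulted.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.conn_table:
            return "permit (existing connection)"
        # 2. A new flow is matched against the ACL bound inbound on the
        #    interface it arrives on, if there is one.
        verdict = self._acl_verdict(ing, pkt)
        if verdict is None:
            # 3. No ACL: the implicit rule permits higher-to-lower security
            #    level traffic (inside -> outside) and denies the reverse.
            verdict = "permit" if ing.security_level > eg.security_level else "deny"
        if verdict == "permit":
            self.conn_table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return verdict


def demo() -> dict:
    """Replay the thread's scenario with constructed addresses; verdicts are returned."""
    # Every WAN (outside) rule set to DENY, as the asker did.
    fw = Firewall([Interface("inside", 100),
                   Interface("outside", 0, acl_in=[Rule("deny", "any", "any")])])
    browse = Packet("192.168.1.10", "203.0.113.5", 49152, 80)          # LAN host -> web server
    reply = Packet("203.0.113.5", "192.168.1.10", 80, 49152)           # web server's answer
    unsolicited = Packet("198.51.100.7", "192.168.1.10", 40000, 445)   # new flow from the WAN
    results = {
        "outbound_http": fw.process("inside", "outside", browse),
        "http_reply": fw.process("outside", "inside", reply),
        "unsolicited_inbound": fw.process("outside", "inside", unsolicited),
    }
    # To restrict outbound traffic, bind an ACL to the inside interface, e.g.:
    #   access-list INSIDE_IN extended deny tcp any any eq 80
    #   access-list INSIDE_IN extended permit ip any any
    #   access-group INSIDE_IN in interface inside
    fw.ifaces["inside"].acl_in = [Rule("deny", "any", "any", dport=80),
                                  Rule("permit", "any", "any")]
    fw.conn_table.clear()
    results["outbound_http_with_inside_acl"] = fw.process("inside", "outside", browse)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running it shows why the asker's DENY rules on the WAN side changed nothing for browsing: the outbound request never touches the outside ACL, the reply is matched by the connection table first, and only a flow that originates on the outside (the unsolicited packet) is judged by those WAN rules. The last result shows the effect of an inside-bound ACL, which is the place lrmoore points to for restricting what internal users may reach.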
 
LVL 7

Author Comment

by:mcse2007
ID: 22754670
> Only apply an acl to restrict specific traffic going out.
I deleted my WAN (incoming) rules - see enclosed - then saved the changes, but now I cannot connect to the internet.

I thought that WAN (incoming) traffic rules are meant to be created to access your webmail and your website from outside. But without my WAN (incoming) access rules, no internet traffic gets into my LAN.
WAN.JPG
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22754691
What version ASDM/PIXOS?
Can you post the text config?
0
 
LVL 7

Author Comment

by:mcse2007
ID: 22754707
I'm using Cisco ASDM 5.2(3), ASA version 7.2(3)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22756858
Do you have any access-group commands in the config?
Can you post your config?
0
 
LVL 7

Author Comment

by:mcse2007
ID: 22757492
I'll post the config as soon as I get into the office tomorrow. BTW, what are access-group commands for and what is their purpose (e.g. good or bad)?
0
