
Access list on ASA

jbell72 asked:

Can someone explain what these lines mean please?

access-list outside_in extended permit icmp any any
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
access-list outside_in extended permit tcp host 10.1.1.10 host 10.1.1.14 eq ftp
Steven Carnahan, Assistant Vice President\Network Manager

Commented:
I can take a stab but am a bit rusty :(

access-list outside_in extended permit icmp any any

Permit any icmp traffic (like ping) either direction in or out of the network

access-list outside_in extended permit icmp any any echo-reply

Permit any response to icmp traffic (like ping) either direction in or out of the network

access-list outside_in extended deny ip any any log

Deny any ip traffic either direction in or out of network and create a log entry

access-list outside_in extended permit tcp host 10.1.1.10 host 10.1.1.14 eq ftp

Permit 10.1.1.14 to reach 10.1.1.10 using the ftp protocol


Anyone who sees where I am wrong, please speak up. :)

schmitty007

Commented:
access-list outside_in extended permit icmp any any
This permits ping or icmp traffic from source of any to destination of any

access-list outside_in extended permit icmp any any echo-reply
Same for this, it's related to ping

access-list outside_in extended deny ip any any log
This denies any ip source to any ip destination and logs anything that meets that criteria

access-list outside_in extended permit tcp host 10.1.1.10 host 10.1.1.14 eq ftp
This allows FTP traffic from 10.1.1.10 to 10.1.1.14
no other FTP traffic will be allowed if there is not another access-list allowing it.


Remember at the bottom of any access-list in Cisco there is a DENY ALL line that is automatically added. That means any traffic that is not specifically allowed will be denied.

Note the outside_in is the name of the access list itself.
Ernie Beek, Senior infrastructure engineer

Commented:
SPEAK!

No just kidding, you're quite right. Just some addition.

The syntax of the access list is (simplified):

access-list name extended permit (or) deny protocol source destination

You can further refine it by adding ports to the source or destination using eq

Access lists are processed top-down until there is a match. Then the rest of the list is ignored. So in this case this means that everything after a deny any any is ignored. The line access-list outside_in extended permit tcp host 10.1.1.10 host 10.1.1.14 eq ftp will not work.
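To make the top-down, first-match behaviour concrete, here is a small added example (not code from the thread or from Cisco) that parses the four ACEs from the question into a simplified model and evaluates packets against them. It assumes only the "any" and "host" address forms, destination ports only, and a tiny name-to-port table; the "shadowed" helper generalises the point above by flagging every ACE that an earlier ACE already fully covers.

```python
import ipaddress

# Constructed sample: the four ACEs from the question, in the order they were posted.
ACL = """
access-list outside_in extended permit icmp any any
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
access-list outside_in extended permit tcp host 10.1.1.10 host 10.1.1.14 eq ftp
""".strip().splitlines()
PORTS = {"ftp": 21, "ssh": 22, "http": 80, "https": 443}  # small name-to-port table (assumed)

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D' (subnet/mask form is not modelled here)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    assert tokens[0] == "host", "unsupported address spec: " + tokens[0]
    return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT] [log]' (dst port only)."""
    t = line.split()
    assert t[0] == "access-list" and t[2] == "extended", line
    ace = {"name": t[1], "action": t[3], "proto": t[4], "dport": None, "log": False}
    ace["src"], rest = _addr(t[5:])
    ace["dst"], rest = _addr(rest)
    while rest:                        # trailing qualifiers
        if rest[0] == "eq":
            ace["dport"] = PORTS.get(rest[1]) or int(rest[1]); rest = rest[2:]
        elif rest[0] == "log":
            ace["log"] = True; rest = rest[1:]
        else:                          # e.g. an ICMP type such as echo-reply
            ace["icmp_type"] = rest[0]; rest = rest[1:]
    return ace

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Top-down first-match evaluation. Returns (action, 1-based ACE index or None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, a in enumerate(map(parse_ace, acl_lines), 1):
        if (a["proto"] in ("ip", proto) and s in a["src"] and d in a["dst"]
                and a["dport"] in (None, dport)):
            return a["action"], i
    return "deny", None                # the implicit deny at the end of every ASA ACL

def shadowed(acl_lines):
    """1-based indices of ACEs fully covered by an earlier ACE, so they can never match."""
    aces = list(map(parse_ace, acl_lines))
    return [i + 1 for i, a in enumerate(aces) if any(
        b["proto"] in ("ip", a["proto"]) and a["src"].subnet_of(b["src"])
        and a["dst"].subnet_of(b["dst"]) and b["dport"] in (None, a["dport"])
        for b in aces[:i])]
```

Run against the posted order, an FTP packet from 10.1.1.10 to 10.1.1.14 stops at line 3 ("deny"), and shadowed() reports lines 2 and 4: the echo-reply line is already covered by line 1, and the FTP line by the deny; moving the FTP line above the deny is what makes it effective.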
Steven Carnahan, Assistant Vice President\Network Manager

Commented:
@schmitty007

Thank you, I was afraid I might have that last one backwards. Cisco used to do it in reverse a long time ago, so that the destination was first and the source was second. Not sure when they switched it but it still causes me headaches occasionally. :)
Ernie Beek, Senior infrastructure engineer

Commented:
Hm, schmitty007 was typing faster ;)
Steven Carnahan, Assistant Vice President\Network Manager

Commented:
@erniebeek

However you also had a good point that both schmitty007 and I missed about the last line. I think on my part it was because I was just explaining what each line meant, not thinking about the order.

I am also wondering why that line is even there since both addresses are in the same network so they probably wouldn't "cross" the ASA anyway.
schmitty007

Commented:
@erniebeek

Absolutely I too didn't go as far as to explain that as well. Was just trying to give the OP a little more insight. I figured he C&P'ed these few lines out of a much larger ACL.

It also almost reminded me of a lot of Cisco examples of really drilled-down ACLs that most live environments I have been in do not use. Like actually limiting port-level access to an FTP server on the internal network when normally they secure this with credentials.
Ernie Beek, Senior infrastructure engineer

Commented:
Well you can't be sure. What if the 10.1.1.10 is used in a range assigned to VPN clients and 10.1.1.14 is an internal host.
Steven Carnahan, Assistant Vice President\Network Manager

Commented:
Another good point. I guess I hadn't thought of it that way. We use a completely separate network for our VPN clients. For example 10.1.0.x through 10.10.0.x for 10 locations and 10.200.50.x for VPN.
Ernie Beek, Senior infrastructure engineer

Commented:
Yeah, that's a neater way. Though often people do use a subset of their internal range (which can cause lots of interesting issues :)

jbell72 (Author)

Commented:
They are 2 separate /30 networks. Just fyi and thank you.
Ernie Beek, Senior infrastructure engineer

Commented:
/30? Ah that explains it :)

So do you require additional info? If so, don't hesitate to ask. We'll do our best to answer.