Implicit rules and access lists 1

[JMCraig]

Hi Folks,

I thought I knew my way around my old PIX 501s pretty well, but this ASA 5505 has some curves I (apparently) haven't figured out.

Looking at the GUI ASDM program, it shows an implicit ACL rule for my vlan2 (inside):

permit
service: ip
source: any
destination: any less secure network

The accompanying comment (which I assume is generated by the GUI since there's no access-list inside-access-in entries in the "show running" terminal-style output) says "Implicit rule: Permit all traffic to less secure networks" -- Huh? How does permitting traffic to less secure networks go with an incoming rule? If the traffic is going to a less secure network (e.g. the dmz or the outside), is that not outgoing?

Now, I know everyone who knows their way around these ASA 5505 boxes uses the terminal interface exclusively, but I'm just trying to get my head around the concepts of these implicit rules.

If I put any kind of incoming rule on, should I expect it to stop all outgoing traffic--unless I add an explicit rule to allow outgoing traffic to the dmz or outside vlans? Same with outgoing: if I put on a deny rule for traffic I don't want to get out, do I also have to add an explicit "let everything else out" rule?

Thanks!

John

John Craig
Alpha-G Consulting, LLC

http://www.alphagconsulting.com

 

[VinceWhirlwind]

I've configured a heap of those 5505s over the last little while and I must say I don't think I've ever looked at the Web-based GUI thing, although I hear it is very clear and easy to use.

The implicit rule you describe is no doubt the implicit rule that allows your VLANs with a higher security level to talk with VLANs on a lower one.
I guess it is "incoming" because the 5505 is all about virtual interfaces, not physical ones, so all traffic is "incoming" to a VLAN interface.

The config looks like this:
!
interface Vlan2
nameif outside
security-level 0
ip address 10.191.97.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!

 

[Supergrrover]

the implicit rule is applied inbound to the inside interface. it has nothing specific to do with vlans. if you apply a specific acl to an interface there is an implied deny any any at the end. be sure to explicitly allow any traffic you want or it will be blocked.
the acl is processes top down and the first match wins.

the asa will inspect all traffic and allow return traffic the matches the temporary inbound acls.

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[JMCraig]

Thanks VinceWhirlwind and Supergrrover.

What's puzzling to me is that the implicit rule goes away as soon as you put in any kind of explicit rule (as per Supergrrover's explanation). That's very odd-seeming, but next time I'll know to put in the explicit allow any/any rule and then put the restrictions above that. Just BTW, in general, I'd say the ASDM GUI is pretty good. It sure makes it easy to see the ACL rules in top-down order, for sure.

Now, I still do not get how the "implicit rule is applied inbound" when the description talks about allowing traffic to (not from) lower-security interfaces--but that whole to/from thing isn't handled consistently anyway. Does the implicit any/any rule on the inside interface really allow incoming traffic without restriction from the outside interface? Maybe it does and all the restrictions typically go on the outside interface.... So does that implicit rule mean that unless you change the settings, anything that gets into the outside interface can get through to the inside interface?

At any rate, I think I have enough info to get on with the configuration without shooting myself in the foot quite so badly as I was doing a couple of days ago. Thanks again.

John

John Craig
Alpha-G Consulting, LLC

http://www.alphagconsulting.com

 

[Supergrrover]

traffic from the inside network going into the inside interface is what is being filtered with the inbound rule. it basically lets traffic into the device to be acted upon for vpn, policy, routing, etc.

traffic headed in the outside interface is filtered by the outside interface acl doing the same as above just different interface. it will all traffic to go to the inside or dmz from the outside by passing it through the device

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[JMCraig]

Ah, incoming (into the ASA device) from the network ports assigned to the inside interface--nope, I never would have figured that out. Big help; thanks! (That's not how I would have described it if I were King of IP terminology; just another thing to all be grateful for.)

John Craig
Alpha-G Consulting, LLC

http://www.alphagconsulting.com

 

[VinceWhirlwind]

Supergrrover, this is a side issue from the direction of the acl, but I have to pick you up on
the implicit rule is applied inbound to the inside interface. it has nothing specific to do with vlans.

On a 5505 the "Inside" interface *is* a VLAN interface so it has *everything* to do with VLANs.
As you can have multiple ports configured to each VLAN it's less ambiguous to talk about "VLANs" because this makes it clear you are not talking about any physical interfaces which is exactly what a novice could get confused about on these boxes.

 

[Supergrrover]

Vince,

My issue was with this statement - "I guess it is "incoming" because the 5505 is all about virtual interfaces, not physical ones, so all traffic is "incoming" to a VLAN interface."

The idea of "inbound" and the implicit rule has nothing to do with a vlan versus a physical interface and everything to do with the security level and where the traffic originates. The ASA (contextually) sees VLANs and physical interfaces as the same from that standpoint. It is a security level segregation - higher allowed to lower. Saying that it is "VLAN based" is misleading. You assigned the VLAN to a physical interface so it is entering the device via that interface. The security level is then assigned by that VLAN or the physical interface level if there is no vlan tag.

You name the interfaces (VLAN/virtual or physical) so you can keep track of the traffic origin and how the ASA deals with it.

When you work with bigger hardware like the 5550, 5540, etc. the physical interface can be assigned multiple vlans all with different security levels and the physical interface can be assigned it's own different security level or no vlans at all. That security based rules are still there in all cases.

The world is bigger than a 5505, why limit someone's understanding of what's really going on internally.



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[VinceWhirlwind]

If they need to understand 5505s, there's no point telling them about stuff that's specific to non-5505 ASAs....

Let's just be clear on the difference because there seems to be some confusion:
5505 - inbuilt Layer2 switch, no subinterfaces, 802.1q configured with "switchport mode trunk" (Premium licence only), IP configured exclusively on virtual interfaces.

So no more telling people with 5505s to configure subinterfaces...

 

[Supergrrover]

Vince,
Trust me, the confusion is on your part.

1. There is no "Premium licence" - I think you mean a "Security Plus License"

2. I never told anyone to config a "sub interface." I explained what was happening using only "interface" and you (erroneously) jumped all over it.

3. I never mentioned a physical interface until I had to correct you. I spoke of interfaces in general. As does Cisco with their own documentation regarding a 5505. -

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1054877

4. If you have configed a 5505 then you will be familiar with these commands -
interface Vlan1
nameif inside *** Short for "Name Interface"
security-level 100
access-list 101 extended permit tcp any interface outside eq www *** pretty clear reference here
static (inside,outside) tcp interface

http://www 172.27.2.1

http://www netmask

255.255.255.255 *** Check any config guide and this will reference interfaces -

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1202525

access-group 101 in interface outside *** again pretty clear reference here

Again I restate my issue of your lack of understanding
"I guess it is "incoming" because the 5505 is all about virtual interfaces, not physical ones, so all traffic is "incoming" to a VLAN interface."

It has nothing to do with VLANS "only" nor that it must be inbound to a VLAN because you can go outbound as well. -

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1440089

The ASA deals with interfaces. Physical or VLAN is irrelevant - 5505 or not. So lets stop the thread jacking and get JMCraig up and running and give him a deeper understanding so maybe he can help people here some day.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[JMCraig]

OK. Questions of vlan vs. interface terminology aside, it turns out (given the clearer understanding of what "incoming" means--into the ASA 5505 from a device connected to the inside interface), I don't need to do anything with the implied rules. But, again, just to get the concepts straight in my head, I attempted to replace the implied rule with one like this:

incoming rules:
source:
any
destination:
outside
service:
ip
action:
permit

Well, that effectively cut off access from all the devices connected to the ASA 5505's inside interface to the Internet. With that rule in place, the ASA blocks (via the default inside interface incoming deny/any/any rule) pings to the ISPs DNS servers; web servers on the Internet; and anything else you care to name. It does not seem that my explicit rule is getting attended to at all.

Now, leaving aside the dmz interface for the time being, and just thinking about inside & outside interfaces, how is the above rule any different from the implied one, that shows up this way:

incoming rules:
source:
any
destination:
Any less secure network
service:
ip
action:
permit

Obviously, the outside interface (security level 0) is less than the inside interface (level 100), but why does the explicit rule not do what the implied rule does?

The only difference I can see is that in the explicit rule, I've named a specific interface; in the implied rule, it does use the term "network" rather than interface. Am I misusing the outside interface as the destination? Should it be something else--an actual subnet, for instance? (Which obviously would not be practical when you want to get to any public IP you happen to be interested in, at the moment.)




John Craig
Alpha-G Consulting, LLC

http://www.alphagconsulting.com

 

[Supergrrover]

Outside in that case means the outside interface IP. You should be thinking networks

Interface = Inside
Direction = incoming
Action = Permit
Source =
Type = IP Address
IP Address = click the [...] button and select "inside-network"
destination =
Type = IP Address
IP Address = Any
Protocol or Service = ip

This will allow traffic from the inside network out to the internet at large (destination is any ip address, the default route will tell it to send it out to the default gateway for networks that are not known to the ASA)

Kill that example and now do this line -

Interface = Inside
Direction = incoming
Action = Deny
Source =
Type = IP Address
IP Address = click the [...] button and select "inside-network"
destination =
Type = IP Address
IP Address = Any
Protocol or Service = tcp
Source port = any
Destination port = http/www

and then add the one from above right after it.

You will block all http/

http://www traffic

out to the internet but allow everything else. You can do this for Groups as an option (set up allowed services outbound) and allow only specific access to the internet or to a specific group of servers. A good practice; once you get it all thought out. I only allow needed services and block everything else. I only permit smtp to specific servers, etc. to keep spamming to a zero. There is all sorts of power here.

Get a good handle on ACLs and then you can start VPNs and inspection policies.

I strongly recommend the CLI - It's more powerful and once you get good at it you can charge $$$.



Brent
Systems Engineer / Consultant
CCNP, CCSP