Cisco ASA - How to add rule without removing implicit rule?


  • Cisco ASA - How to add rule without removing implicit rule?

    I have a Cisco ASA, protecting my internet connection.
    On my LAN interface, I only have the 2 implicit rules:
    1. any -> any less secure network : allow
    2. any -> any : deny

    So everyone can go to the internet.

    Now I'm asked to prevent a user from accessing the internet. I wanted to add the following incoming rule on the LAN interface:
    UserIP -> any : deny.

    But when I do that, the implicit rule 1. disappears and therefore nobody has access to the internet anymore.
    Is there a way to add the restriction above without removing the implicit rule?
    Or what is the recommended way to restrict that user without affecting the rest of the network?

    Thanks in advance.

  • #2
    Re: Cisco ASA - How to add rule without removing implicit rule?

    The default outbound rule is basically, as you wrote, allow IP any "source inside" any "destination outside" with the responses being automatically allowed.

    When you add a rule then naturally you would expect the firewall to block everything else so what you are actually seeing is the default deny any any sitting at the bottom of the list.

    Your
    allow any any

    becomes (in your situation)

    deny source IP dest any
    deny any any.


    Therefore you could probably use something like:
    access-list inbound_on_inside deny ip host 10.0.0.2 any
    access-list inbound_on_inside permit ip any any


    although generally I would say it is better to setup something more restrictive along the lines of allowing just dest www and dest dns out (especially blocking things like SMTP out).
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?



    • #3
      Re: Cisco ASA - How to add rule without removing implicit rule?

      moved to Cisco security.
      Marcel
      Technical Consultant
      Netherlands
      http://www.phetios.com
      http://blog.nessus.nl

      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
      "No matter how secure, there is always the human factor."

      "Enjoy life today, tomorrow may never come."
      "If you're going through hell, keep going. ~Winston Churchill"



      • #4
        Re: Cisco ASA - How to add rule without removing implicit rule?

        Originally posted by AndyJG247:

        Therefore you could probably use something like:
        access-list inbound_on_inside deny ip host 10.0.0.2 any
        access-list inbound_on_inside permit ip any any

        although generally I would say it is better to setup something more restrictive along the lines of allowing just dest www and dest dns out (especially blocking things like SMTP out).
        Thanks for your answer. Unfortunately, I can't be more restrictive than that at this point.

        Can you confirm that, since it's an inbound rule on the inside interface (which is set as the most secured network), adding
        access-list inbound_on_inside permit ip any any
        will be exactly the same as the original implicit rule 'any -> any less secured network'?



        • #5
          Re: Cisco ASA - How to add rule without removing implicit rule?

          Fair enough, that is your choice.
          I would still recommend at least putting the SMTP block in though.

          Yes, that is the case. Access-Lists are source then destination so it basically says allow any source IP to any destination IP. You add it after the deny single IP destination any IP which puts it before the deny any any that closes the list.
          cheers
          Andy

          Please read this before you post:


          Quis custodiet ipsos custodes?
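          A first-match model of what the ASA does with this list, added here as an example (it is not code from the thread or from Cisco): it parses the two lines from post #2 in ASA syntax (ASA's keyword is permit, not allow), appends the implicit deny that closes every configured list, and shows that with only the host deny everyone is blocked, and with the lines reversed the user is not blocked at all. The ACL text and the destination addresses are constructed for the example.

          ```python
          import ipaddress

          # Constructed ACL text in ASA syntax; 10.0.0.2 is the blocked user's
          # address used in the thread, the rest is built for this example.
          ACL_TEXT = """
          access-list inbound_on_inside extended deny ip host 10.0.0.2 any
          access-list inbound_on_inside extended permit ip any any
          """

          def parse_endpoint(tokens):
              """Consume one endpoint (any | host A.B.C.D | NET MASK); return (network, rest)."""
              if tokens[0] == "any":
                  return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
              if tokens[0] == "host":
                  return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
              net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
              return net, tokens[2:]

          def parse_acl(text):
              """Return [(action, proto, src_net, dst_net)] in configured order."""
              entries = []
              for line in text.strip().splitlines():
                  tokens = line.split()
                  if tokens[:1] != ["access-list"]:
                      continue
                  tokens = tokens[2:]             # drop 'access-list' and the ACL name
                  if tokens[0] == "extended":     # optional keyword on the ASA
                      tokens = tokens[1:]
                  action, proto = tokens[0], tokens[1]
                  src, tokens = parse_endpoint(tokens[2:])
                  dst, _ = parse_endpoint(tokens)
                  entries.append((action, proto, src, dst))
              return entries

          def evaluate(entries, src_ip, dst_ip, proto="ip"):
              """First match wins; a packet matching nothing hits the implicit deny."""
              s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
              for action, p, src_net, dst_net in entries:
                  if p in ("ip", proto) and s in src_net and d in dst_net:
                      return action
              return "deny"  # implicit 'deny ip any any' at the end of the list

          if __name__ == "__main__":
              acl = parse_acl(ACL_TEXT)
              print("user  ->", evaluate(acl, "10.0.0.2", "8.8.8.8"))   # deny
              print("other ->", evaluate(acl, "10.0.0.3", "8.8.8.8"))   # permit
              only_deny = parse_acl(ACL_TEXT.strip().splitlines()[0])
              print("other, deny line only ->", evaluate(only_deny, "10.0.0.3", "8.8.8.8"))  # deny
              print("user, lines reversed  ->", evaluate(acl[::-1], "10.0.0.2", "8.8.8.8"))  # permit
          ```
          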
