
Cisco ASA Implicit Rule “Permit all traffic to less secure networks” ACL

October 27th, 2015

When adding a new network interface to a Cisco ASA, you must specify its security level. Based on this security level, the default Cisco ASA ACL allows the interface to reach "less secure" networks (those with a lower security level) and denies access to "more secure" networks (those with a higher security level). The default rule works well until you need to give one security zone access to a "more secure" zone. For example, a DMZ could have a security level of, say, 25, allowing access to an outside interface with a security level of 0, but it would be implicitly denied access to an inside interface with a security level of 100. As soon as we add an ACL to permit specific access to the inside interface, the implicit "Permit all traffic to less secure networks" rule is automatically removed by the Cisco ASA. We can manually add a form of this rule back in to retain the separation between zones.

To do this, create an object-group for all internal networks. These are usually in the RFC1918 range:

object-group network RFC1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0


Now define the access-list that will be applied inbound on the DMZ interface:

access-list DMZ-ACCESS-IN permit tcp object DMZ-HOST object SOME-INSIDE-HOST eq 443
access-list DMZ-ACCESS-IN deny ip any object-group RFC1918
access-list DMZ-ACCESS-IN permit tcp object DMZ-HOST any eq 80

Essentially I use two logical sections for this access-list. Because the ASA evaluates the list top-down and stops at the first match, all rules above the deny line govern traffic destined for the internal networks. For every rule after the deny line I intentionally specify the destination as "any", which at that point can only be internet traffic, since anything bound for my internal networks has already been dropped by the deny rule. If I later add another interface to my Cisco ASA, the configuration for this DMZ interface stays the same, as long as the new interface uses addresses from my RFC1918 group.
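To make the first-match reasoning above concrete, here is an added example (not from the post, and not Cisco's own ACL code) that models the ASA's top-down evaluation of this list in Python. The host addresses for DMZ-HOST and SOME-INSIDE-HOST are assumed, and the MISORDERED list shows what happens when the "any" permit is placed above the deny.

```python
import ipaddress

# Constructed sample objects (the host addresses are assumptions, not from the post);
# the RFC1918 group mirrors the object-group defined in the post.
OBJECTS = {
    "DMZ-HOST": [ipaddress.ip_network("192.168.25.10/32")],
    "SOME-INSIDE-HOST": [ipaddress.ip_network("10.1.1.20/32")],
    "RFC1918": [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
}

# The post's DMZ-ACCESS-IN list as (action, protocol, source, destination, dst port).
# "any" matches every address; a port of None matches any port.
DMZ_ACCESS_IN = [
    ("permit", "tcp", "DMZ-HOST", "SOME-INSIDE-HOST", 443),
    ("deny",   "ip",  "any",      "RFC1918",          None),
    ("permit", "tcp", "DMZ-HOST", "any",              80),
]

# The same three lines with the "any" permit moved above the deny line.
MISORDERED = [DMZ_ACCESS_IN[0], DMZ_ACCESS_IN[2], DMZ_ACCESS_IN[1]]


def _matches(ref, addr):
    """True if addr is covered by the named object/object-group (or by 'any')."""
    return ref == "any" or any(addr in net for net in OBJECTS[ref])


def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first-match evaluation with the ASA's implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, asrc, adst, aport in acl:
        if aproto != "ip" and aproto != proto:   # 'ip' rules match every protocol
            continue
        if aport is not None and aport != dport:
            continue
        if _matches(asrc, src) and _matches(adst, dst):
            return action
    return "deny"  # nothing matched: implicit deny


def leaks_to_inside(acl, dport=80):
    """Can the DMZ host reach an arbitrary inside address that no rule allows?"""
    return evaluate(acl, "tcp", "192.168.25.10", "10.1.1.50", dport) == "permit"
```

With the post's ordering the DMZ host reaches the permitted inside host on 443 and the internet on 80, but nothing else inside; swapping the last two lines lets it reach any inside host on port 80.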
