ASA command

Lake
Level 1

Hi Guys,

 

Can someone please explain to me exactly what this command mean:

 

access-list acl-outside extended permit tcp any4 any4

 

Thanks,

Lake

 

3 Accepted Solutions

Is this a border firewall? We would probably need to see the NAT configuration to determine if there was a risk attached to the ACL.

 

As a rule of thumb, such a permissive ACL normally finds its way into production because of lazy configuration/troubleshooting, and as such should not be present.

Hi,

 

I just checked the ACL configuration (very quickly) and I can tell you there is no need to have that ACL.

 

You would have that ACL only if you are troubleshooting the FW (only for a minute or so) and you want to check whether the FW is dropping a TCP connection or not, but having it in production is basically like having no firewall for TCP sessions (please allow any TCP session from anyone on the outside to any asset on the inside {of course that asset needs to be advertised by NAT, and you have a few of those}).

 

You can remove it, as this is not safe at all.

 

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


It is an AAA method to check if a successfully authenticated user can enter EXEC mode, and if so enter EXEC mode automatically upon login.

 

cheers,

Seb.

19 Replies

Seb Rupik
VIP Alumni

Hi Lake,

It is permitting any TCP protocol from any IPv4 source address to any IPv4 destination address.

Given the name 'acl-outside' we can assume this is applied to your OUTSIDE interface, and is very permissive!

 

cheers,

Seb.

Does that mean that any traffic from outside can go through the firewall to any device inside our network?

 

Thanks,

Lake

That depends on the lines above it. If that is the first rule in the ACL, then yes, any IPv4 TCP traffic will be allowed through the interface.

 

What's the output of:

sh access-list acl-outside

sh run | inc access-group

 

cheers,

Seb.

Here is the output of the commands:

 

sh access-list acl-outside
access-list acl-outside line 1 extended permit tcp any4 host 10.0.0.8 eq https (hitcnt=26848) 0x8805979e
access-list acl-outside line 2 extended permit udp any4 host 10.0.0.16 eq ntp (hitcnt=47) 0x6fae11cd
access-list acl-outside line 3 extended permit icmp any4 any4 echo-reply (hitcnt=0) 0xe16baeb0
access-list acl-outside line 4 extended permit icmp any4 any4 time-exceeded (hitcnt=379) 0x3c7fae32
access-list acl-outside line 5 extended permit icmp any4 any4 unreachable (hitcnt=17662) 0xe36cd89f
access-list acl-outside line 6 extended permit tcp any4 host 10.0.0.220 eq smtp (hitcnt=33439) 0xd96e39f4
access-list acl-outside line 7 extended permit tcp any4 host 10.11.11.6 eq www (hitcnt=4352) 0x59fb8383
access-list acl-outside line 8 extended permit tcp any4 host 10.11.11.6 eq https (hitcnt=411) 0x4d944572
access-list acl-outside line 9 extended permit tcp any4 host 10.11.11.5 eq ftp (hitcnt=22) 0xb3ff894f
access-list acl-outside line 10 extended permit udp any4 host 10.0.0.107 eq 1812 (hitcnt=0) 0x9f7f68d1
access-list acl-outside line 11 extended permit tcp any4 host 10.11.11.7 eq https (hitcnt=0) 0xcadb160a
access-list acl-outside line 12 extended permit tcp any4 host 10.11.11.7 eq www (hitcnt=0) 0xd0284c57
access-list acl-outside line 13 extended permit tcp any4 host 10.0.0.235 eq 8461 (hitcnt=0) 0x7872f3ad
access-list acl-outside line 14 extended permit tcp any4 host 10.0.0.186 eq https (hitcnt=527) 0x4bd18b04
access-list acl-outside line 15 extended permit tcp any host 10.0.0.220 eq smtp (hitcnt=0) 0xdbb575db
access-list acl-outside line 16 extended permit tcp any host 10.0.0.193 eq https (hitcnt=98) 0x3c452f2d
bwfw# sh run | inc access-group
access-group acl-outside in interface outside
access-group dmz-in in interface dmz

 

Thanks,
Lake

The ACL line you had in your original post, does not appear in that output.

 

What is the output from:

 

sh run | inc acl-outside

 

cheers,

Seb.

Sorry. I forgot to mention that I removed it a couple days ago. Does that mean that that command allows all tcp traffic from any ip addresses from the internet to any devices on our network?

 

Thanks,

Lake

Yes, it shadows every TCP rule in the ACL, essentially making their definition redundant.

 

cheers,

Seb.

Sorry. I am not quite sure what you mean. Does that mean that each rule is duplicated or was it opening all the ports from the internet coming in to our network?

 

Thanks,

Lake

Both. A shadow rule is one that provides the same functionality as an existing rule by being broader in scope.

In your case you have multiple TCP IPv4 rules which specify destination hosts and ports. The rule which you removed provided the same permissions by allowing TCP traffic to ANY host on ANY port.

 

cheers,

Seb.
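To make the shadowing point concrete, here is an added example (not code from the thread or from Cisco) that parses ASA "show access-list" output and flags every line that an earlier, broader line already covers. The sample text is a constructed excerpt of the output Lake posted above, and PERMISSIVE is the removed "permit tcp any4 any4" line written in the same "line N" format so it can be placed at the top of the ACL. Port names are compared literally (no "https" = 443 normalisation), and "ip" is the only protocol treated as covering the others; both are simplifying assumptions.

```python
"""Shadowed-rule check for Cisco ASA 'show access-list' output (added example).

A later line is shadowed when an earlier line in the same ACL matches a
superset of its traffic, so the later line can never be hit.
"""
import re
from dataclasses import dataclass, replace
from typing import Optional

LINE_RE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any4|any6|any|host \S+) (?P<dst>any4|any6|any|host \S+)"
    r"(?: eq (?P<port>\S+))?(?: (?P<icmp>[a-z-]+))?"
    r"(?: \(hitcnt=(?P<hits>\d+)\))?"
)


@dataclass(frozen=True)
class Rule:
    line: int
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[str]   # None = any destination port
    icmp: Optional[str]   # None = any ICMP type
    hits: int


def _is_v4_host(addr: str) -> bool:
    return addr.startswith("host ") and "." in addr


def parse_rule(text: str) -> Optional[Rule]:
    m = LINE_RE.match(text.strip())
    if not m:
        return None
    src, dst = m["src"], m["dst"]
    # A bare 'any' paired with an IPv4 host can only ever match IPv4 flows,
    # so it is compared as if it were any4 (assumption of this example).
    if src == "any" and _is_v4_host(dst):
        src = "any4"
    if dst == "any" and _is_v4_host(src):
        dst = "any4"
    return Rule(int(m["line"]), m["action"], m["proto"], src, dst,
                m["port"], m["icmp"], int(m["hits"] or 0))


def parse_acl(text: str) -> list[Rule]:
    return [r for r in (parse_rule(line) for line in text.splitlines()) if r]


def _addr_covers(wide: str, narrow: str) -> bool:
    if wide == "any" or wide == narrow:
        return True
    if wide == "any4":
        return narrow == "any4" or _is_v4_host(narrow)
    if wide == "any6":
        return narrow == "any6" or (narrow.startswith("host ") and ":" in narrow)
    return False


def covers(wide: Rule, narrow: Rule) -> bool:
    """True if every packet matched by `narrow` is also matched by `wide`."""
    return (
        (wide.proto == "ip" or wide.proto == narrow.proto)
        and _addr_covers(wide.src, narrow.src)
        and _addr_covers(wide.dst, narrow.dst)
        and (wide.port is None or wide.port == narrow.port)
        and (wide.icmp is None or wide.icmp == narrow.icmp)
    )


def find_shadowed(rules: list[Rule]) -> dict[int, int]:
    """Map each shadowed line number to the first earlier line that shadows it."""
    shadowed: dict[int, int] = {}
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                shadowed[rule.line] = earlier.line
                break
    return shadowed


def prepend(rules: list[Rule], rule_text: str) -> list[Rule]:
    """Put a rule at line 1 and shift the others down, as the ASA would renumber."""
    top = parse_rule(rule_text)
    return [replace(top, line=1)] + [replace(r, line=r.line + 1) for r in rules]


# Constructed excerpt of the thread's 'sh access-list acl-outside' output.
SAMPLE = """\
access-list acl-outside line 1 extended permit tcp any4 host 10.0.0.8 eq https (hitcnt=26848) 0x8805979e
access-list acl-outside line 2 extended permit udp any4 host 10.0.0.16 eq ntp (hitcnt=47) 0x6fae11cd
access-list acl-outside line 5 extended permit icmp any4 any4 unreachable (hitcnt=17662) 0xe36cd89f
access-list acl-outside line 6 extended permit tcp any4 host 10.0.0.220 eq smtp (hitcnt=33439) 0xd96e39f4
access-list acl-outside line 15 extended permit tcp any host 10.0.0.220 eq smtp (hitcnt=0) 0xdbb575db
access-list acl-outside line 16 extended permit tcp any host 10.0.0.193 eq https (hitcnt=98) 0x3c452f2d
"""
# The removed rule, constructed in 'line N' form so prepend() can parse it.
PERMISSIVE = "access-list acl-outside line 1 extended permit tcp any4 any4 (hitcnt=0)"

if __name__ == "__main__":
    rules = parse_acl(SAMPLE)
    print("as posted:", find_shadowed(rules))             # {15: 6}
    print("with any4 any4 on top:", find_shadowed(prepend(rules, PERMISSIVE)))
```

Run as posted, the script reports only line 15 as shadowed by line 6, which agrees with the hitcnt=0 on that line in the thread. With the "permit tcp any4 any4" rule placed at the top, every TCP line is reported as shadowed by line 1 while the UDP and ICMP lines are not, which is exactly the "redundant TCP rules" situation described above.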

I take that you mean that any computer on the internet can access any devices on our network that is specifically listed on the ACL on any ports but they cannot access any other devices which are not listed in the ACL?  Is that correct?

 

Thanks,

Lake

For a machine on the internet to access a host on your network, a static NAT rule would need to be present.

These static NAT rules are typically accompanied by a restrictive ACL to limit which ports can be reached on the inside host.

If you are only using static PAT, then you will already be defining which destination port is reachable, so an "any4 any4" rule won't cause any harm.

 

If this is an internal firewall with no NAT, then TCP traffic would have been able to flow freely through it.

 

cheers,

Seb.

Sorry again but was this rule harmful to our network given all the information I provided?

 

Thanks,

Lake

Is this a border firewall? We would probably need to see the NAT configuration to determine if there was a risk attached to the ACL.

 

As a rule of thumb, such a permissive ACL normally finds its way into production because of lazy configuration/troubleshooting, and as such should not be present.

I have attached the NAT statements. I would be very shocked if this was a harmful ACL because we got Cisco to go over the configuration and we had a security company managing our firewall and they had access to it. Please advise.

 

Thanks,

Lake
