ASA command

Lake
Level 1

Hi Guys,

Can someone please explain to me exactly what this command means:

access-list acl-outside extended permit tcp any4 any4

Thanks,

Lake

 

19 Replies

Hi,

I just checked the ACL configuration (very quickly) and I can tell you there is no need to have that ACL.

You would have that ACL only if you are troubleshooting the fw (only for a minute or so) and you want to check whether the FW is dropping a TCP connection or not, but having it in production is basically like having no firewall for TCP sessions (please allow any TCP session from anyone on the outside to any asset on the inside {of course that asset needs to be advertised by NAT, and you have a few of those}).

You can remove it as this is not safe at all.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks a lot to everyone who helped answer my questions. I do have one more question. What does this command do: aaa authorization exec authentication-server auto-enable?

Thanks,

Lake

It is an AAA method to check if a successfully authenticated user can enter EXEC mode, and if so, enter EXEC mode automatically upon login.

cheers,

Seb.

Thank you very much.


Hi there,

We need to see the host addresses of those network objects to determine if there is a specific ACE in acl-outside covering them. If there isn't, then we can assume that NAT'd traffic to those hosts was permitted by the 'any4 any4' rule, and is no longer functioning correctly.

cheers,

Seb.
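Both points raised in this thread, that a "permit tcp any4 any4" ACE is a blanket permit, and that removing it breaks any NAT'd host which has no specific ACE of its own, can be checked offline from a saved configuration. The following script is an added example written for this thread; it is not Cisco code and not from any of the posters. It parses ASA extended ACL lines and "object network" host/subnet definitions, flags blanket permits, and reports which inside hosts rely on them. The configuration, object names and 203.0.113.x addresses below are constructed for illustration; object-groups and IPv6 are not expanded, and coverage is judged on destination address only (ports are not evaluated).

```python
"""Audit a Cisco ASA extended access-list for blanket permits and report which
permitted hosts would lose access if the 'any4 any4' ACE were removed.
Added example for this thread, not Cisco code. The config below is constructed;
object names and addresses are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY4 = ipaddress.ip_network("0.0.0.0/0")
PORT_OPS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}  # operator -> operand count


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Network]  # None when IPv6 or an unresolved object/group
    dst: Optional[ipaddress.IPv4Network]
    service: str  # destination port spec such as "eq 443"; "" means all ports
    text: str

    @property
    def is_blanket_permit(self) -> bool:
        """permit <proto> any4 any4 with no port restriction: the ACE this thread is about."""
        return (self.action == "permit" and self.src == ANY4
                and self.dst == ANY4 and self.service == "")


def parse_objects(config: str) -> dict:
    """Resolve 'object network NAME' blocks in host or subnet form."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif current and line.startswith("host "):
            objects[current] = ipaddress.ip_network(line.split()[1] + "/32")
        elif current and line.startswith("subnet "):
            _, net, mask = line.split()
            objects[current] = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        elif not raw.startswith(" "):
            current = None  # any other top-level line ends the object block
    return objects


def _take_addr(tokens: list, objects: dict) -> Optional[ipaddress.IPv4Network]:
    """Consume one ASA address specification from the front of the token list."""
    tok = tokens.pop(0)
    if tok in ("any", "any4"):
        return ANY4
    if tok == "any6":
        return None
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tok in ("object", "object-group"):
        return objects.get(tokens.pop(0))  # groups are not expanded in this example
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)  # "net mask" form


def _take_ports(tokens: list) -> str:
    """Consume an optional port operator (eq/lt/gt/neq/range) and its operands."""
    if tokens and tokens[0] in PORT_OPS:
        n = PORT_OPS[tokens[0]] + 1
        spec = " ".join(tokens[:n])
        del tokens[:n]
        return spec
    return ""


def parse_ace(line: str, objects: dict) -> Optional[Ace]:
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None  # remarks, standard ACLs and unrelated lines are skipped
    acl, action, proto = tokens[1], tokens[3], tokens[4]
    rest = tokens[5:]
    src = _take_addr(rest, objects)
    _take_ports(rest)            # optional source-port operator, not needed here
    dst = _take_addr(rest, objects)
    service = _take_ports(rest)  # trailing keywords such as 'log' are ignored
    return Ace(acl, action, proto, src, dst, service, line.strip())


def parse_acl(config: str, name: str) -> list:
    objects = parse_objects(config)
    aces = [parse_ace(line, objects) for line in config.splitlines()]
    return [a for a in aces if a and a.acl == name]


def blanket_permits(aces: list) -> list:
    return [a.text for a in aces if a.is_blanket_permit]


def hosts_relying_on_blanket(aces: list, hosts: list) -> dict:
    """Map each inside (post-NAT) host to the specific permit ACEs covering it.
    A host with an empty list is only reachable through the blanket rule."""
    report = {}
    for h in hosts:
        ip = ipaddress.ip_address(h)
        report[h] = [a.text for a in aces
                     if a.action == "permit" and not a.is_blanket_permit
                     and a.dst is not None and ip in a.dst]
    return report


# Constructed sample configuration (not a real device); mail-srv has no specific ACE.
SAMPLE_CONFIG = """\
object network web-srv
 host 203.0.113.10
object network mail-srv
 host 203.0.113.20
access-list acl-outside remark constructed example, not a real configuration
access-list acl-outside extended permit tcp any4 object web-srv eq 443
access-list acl-outside extended permit tcp any4 any4
access-list acl-outside extended deny ip any4 any4 log
"""

if __name__ == "__main__":
    aces = parse_acl(SAMPLE_CONFIG, "acl-outside")
    for text in blanket_permits(aces):
        print("blanket permit:", text)
    for host, covering in hosts_relying_on_blanket(aces, ["203.0.113.10", "203.0.113.20"]).items():
        print(host, "covered by specific ACE" if covering else "RELIES ON any4 any4", covering)
```

Run against the constructed config, the script reports the "permit tcp any4 any4" line as a blanket permit, shows web-srv covered by its own "eq 443" ACE, and shows mail-srv with no specific ACE, i.e. the host Seb's reply describes: one whose NAT'd traffic only worked because of the blanket rule. Before removing the rule on a real firewall, such hosts need an explicit ACE for the services they actually expose.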
