I'm trying to understand the inbound and outbound directions of an interface.
If I want to create an ACL for a server (10.10.10.10) on the "DMZ" interface to access one of the web servers (184.108.40.206) on the "Inside" interface,
after reading so much on the internet, I'm confused about the inbound and outbound of each interface.
It looks like I can do it with any of the following four options for the access mentioned above:
1) access-list DMZ_Inbound permit tcp host 10.10.10.10 host 220.127.116.11 eq www (access-group DMZ_Inbound in interface DMZ)
2) access-list DMZ_Outbound permit tcp host 10.10.10.10 host 18.104.22.168 eq www (access-group DMZ_Outbound out interface DMZ)
3) access-list Inside_Inbound permit tcp host 22.214.171.124 host 10.10.10.10 eq www (access-group Inside_Inbound in interface Inside)
4) access-list Inside_Outbound permit tcp host 126.96.36.199 host 10.10.10.10 eq www (access-group Inside_Outbound out interface Inside)
Appreciate all of your advice.
Visualize yourself sitting on the router/firewall. As a packet comes IN to you from a device on an attached interface, that would trigger the INBOUND ACL.
As you are going to route/move a packet OUT an interface towards something else, that would trigger the OUTBOUND ACL.
As you have traffic going from your inside to your DMZ interface and back again, you'll notice that the same packet could be affected in two places for each direction.
An INBOUND ACL on the inside interface can filter the same as an OUTBOUND ACL on the DMZ interface. For the return traffic, an INBOUND ACL on the DMZ interface can filter the same as an OUTBOUND ACL on the inside interface.
You'll just need to pay further attention to what your source vs. destination addresses and ports will be depending on what you put where.
Be the router!
I love it, and agree with it.
"Be the router, (pause) Ohhhhmmmmmmmmmmmmm"
Great analogy. I visualize this as a 40-foot giant round hockey-puck router icon with multiple interfaces, with Cat6 cables attached going out in all directions, and I am sitting at the very center of this giant hockey puck. When a packet is heading towards me (like a fireball of light riding the wire) from some remote destination, coming toward me, it is inbound.
When I send a fireball (packet) out of an interface towards some remote destination, and I can see it moving away from me over the wire, that would be outbound.
Then I picture an ACL, applied as a filter to the interface, as a bouncer/bodyguard standing next to that specific interface, who checks the list to see if the packet is permitted (inbound if the ACL is applied inbound, or outbound if the ACL is applied outbound). Remember that ACLs applied outbound on an interface only affect transit traffic through the router, and not traffic that the router sources on its own (like a routing update or an outbound telnet session that begins at the router).
Be the router.
You watched Tron recently, didn't you?
Hi Scott & Keith,
I understand your points, BUT here's what I'm confused about.
Example: a PC on the LAN ("Inside" interface) going out to an external web server. We don't need an ACL because it's from a higher-security interface. When I want to create an ACL for the return traffic, I should create an ACL on the "outside" interface in the inbound direction, right? The reason is that the traffic coming back from the external side will hit the outside "inbound" first, then travel to the outside "outbound" interface.
I checked the internet. Many were saying that for return traffic one should create it on the "outside" outbound interface? Why not the inbound of the outside interface, since this is where it first comes in?
Secondly, I'm looking at my old firewall, which was configured by the previous guy. He created the ACL for the return traffic in the inside "inbound" direction. Why?
It has the following access-groups:
1) access-group UNTRUST_IN in interface outside
2) access-group TRUST_OUT in interface inside
3) access-group DMZ_IN in interface DMZ
Appreciate both of your kind expert advice.
Since you are talking about the ASA, you never need to create an ACL for return traffic. Well, I shouldn't say never, but that is the general rule. The ASA appliance uses an algorithm called the Adaptive Stateful Algorithm (ASA for short) that looks at traffic in one direction, creates a session and allows the return traffic. When creating ACLs, the only entries you need are for the initiating direction. Traffic from a higher to a lower security interface does not need an ACL. However, if you attach an ACL, it does still have an implicit deny at the end. So just keep that in mind.
A few questions then:
1) Does the PIX not use this algorithm like the ASA does?
2) Does this algorithm in the ASA apply to return traffic from the DMZ back to the inside too?
3) Currently, there's an ACL script on my inside inbound interface to allow one of the "inside" backup servers (Veritas backup) to reach a DMZ server.
Even if we need to create traffic for my DMZ server to be backed up by the backup server, which is on the "inside", then the ACL script should be written on the DMZ inbound interface, since it comes in on the inbound of the DMZ interface. Am I right?
But looking at all this, it kind of makes me think that I can do it with any of the following four options for the access mentioned above:
a) inside inbound
b) inside outbound
c) dmz inbound
d) dmz outbound
The reason is that the traffic from the DMZ server will first travel in the DMZ inbound direction, then DMZ outbound, before it reaches inside outbound and then inside inbound.
It's just a matter of what the right way is. If I apply any of the options for this example, it will still work for me.
This is what I'm thinking, and that's what confuses me.
Appreciate your advice.
1. PIX and ASA both use stateful inspection (the Adaptive Security Algorithm, as they used to call it), and allow the return traffic back through the firewall, regardless of any ACL that may be applied that would otherwise stop the return packets.
2. The stateful inspection applies to all return traffic, between any 2 interfaces. If the initial packet was allowed through, the return packet is allowed back, regardless of ACLs that may be blocking the return packets.
3. If the inside interface is security level 100, and the DMZ interface is security level 99 or less, the initial packets from the backup server will be allowed as long as there is NOT an ACL preventing the initial packet applied inbound on the inside or outbound on the DMZ interface. If the initial packet makes it through, it doesn't matter what ACLs may be trying to stop the return packets, as stateful inspection will allow return packets regardless of the ACLs.
Other factors along the way could disrupt packet flow, such as incorrect NAT configuration, same security levels, etc. The above discussion is regarding the ACL related elements of the ASA.
Appreciate your advice.
So what's the best practice? Can I create two different access-groups for an individual interface, for example outbound and inbound on the inside interface? Or should I just create one access-group for each interface?
There are a lot of different opinions about this. Is there any best practice or rule that I should follow regarding access-group and access-list rules?
Best practice is to put on paper what services we want to allow, and from where. Once we define the policy of what we want to happen, we can begin with the defaults of the ASA and implement additional rules to enforce it. When possible, denying initial packets inbound on an interface is better than outbound on the exit interface. Also remember that for any traffic that goes through the ASA, if it is inspected, the return packets will be allowed in spite of ACLs that try to stop them.
Hi Keith Barker,
Thanks for the advice.
Currently I'm trying to configure the ASA firewall. I have configured the interfaces' IP addresses, security levels and nameifs. Can I just copy and paste the access-lists, static routing and the static IP mappings from the old PIX to the new ASA? I tried, and it seems the ASA accepted the whole script, but I was told that I shouldn't do this as the PIX and ASA are different.
I have done some reading, and I see no problem doing it; the only difference I experienced is the script for VPN.
Appreciate your advice again.
The PIX can run software versions up to and including the 8.0 flavors.
The syntax for 7.0 through 8.2 is virtually the same; 8.3 and higher commands start to change.
Adjusting for interface numbers and types, most of the commands from 7.x on a PIX or ASA should work on version 8.0x of the PIX or ASA, and are interchangeable.
From what you have said:
"If i want to create a ACL for a server (10.10.10.10) in the "DMZ" to access one of the webserver (188.8.131.52) in the "Inside" interface"
Therefore, the server on the DMZ interface will be the one to initiate. You may use:
access-list DMZ_Inbound permit tcp host 10.10.10.10 host 184.108.40.206 eq www (access-group DMZ_Inbound in interface DMZ)
access-list Inside_Outbound permit tcp host 10.10.10.10 host 220.127.116.11 eq www (access-group Inside_Outbound out interface Inside)
access-list <name> permit <tcp/udp> <source> [eq <source port>] <destination> [eq <destination port>]
So if you expand your ACL, it will be:
access-list DMZ_Inbound permit tcp host 10.10.10.10 range 1 65535 host 18.104.22.168 eq www
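As an added illustration (my own code, not Cisco's and not posted by anyone in this thread), the following Python model ties together the inbound/outbound explanation above, the replies about stateful inspection and the implicit deny, and the syntax post just before this. It parses access-list and access-group lines in the form used in this thread (host/any, eq, range; TCP only), binds an ACL to an interface in the "in" or "out" direction, applies the security-level default at the ingress interface when no inbound ACL is bound there, enforces the implicit deny at the end of any bound ACL, and lets replies of a recorded connection through without consulting ACLs. The interface names and security levels, the host-to-interface map, the ACL names DMZ_TO_INSIDE and TRUST_OUT, and the ports 40001, 40002, 5000 and 10000 are assumptions made for the demonstration; the IP addresses are the ones from the thread.

```python
"""Toy model of ASA interface ACLs: 'in'/'out' binding, security-level default,
implicit deny, and stateful return traffic. Added illustration, not Cisco code;
parses only the host/any, eq and range forms used in the thread, TCP only."""
from dataclasses import dataclass
from typing import Optional, Tuple

PORTS = {"www": 80, "ssh": 22}  # named ports the parser understands


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                        # "permit" or "deny"
    src: str                           # IP address or "any"
    sport: Optional[Tuple[int, int]]   # (lo, hi), or None for any port
    dst: str
    dport: Optional[Tuple[int, int]]

    def matches(self, p: Packet) -> bool:
        def host_ok(spec, ip):
            return spec in ("any", ip)

        def port_ok(rng, port):
            return rng is None or rng[0] <= port <= rng[1]

        return (host_ok(self.src, p.src) and port_ok(self.sport, p.sport)
                and host_ok(self.dst, p.dst) and port_ok(self.dport, p.dport))


def _endpoint(tokens):
    """Consume 'host A' or 'any', then an optional 'eq N' or 'range LO HI'."""
    spec, tokens = (tokens[1], tokens[2:]) if tokens[0] == "host" else ("any", tokens[1:])
    rng = None
    if tokens and tokens[0] == "eq":
        port = PORTS.get(tokens[1]) or int(tokens[1])
        rng, tokens = (port, port), tokens[2:]
    elif tokens and tokens[0] == "range":
        rng, tokens = (int(tokens[1]), int(tokens[2])), tokens[3:]
    return spec, rng, tokens


class Asa:
    def __init__(self, levels, hosts):
        self.levels = levels   # interface name -> security level (assumed values)
        self.hosts = hosts     # host IP -> interface it lives behind (stands in for routing)
        self.acls, self.groups, self.conns = {}, {}, set()

    def load(self, config: str):
        for line in config.strip().splitlines():
            t = line.split()
            if t[0] == "access-list":
                name, rest = t[1], t[2:]
                if rest[0] == "extended":
                    rest = rest[1:]
                action, rest = rest[0], rest[2:]            # rest[1] is the protocol keyword
                src, sport, rest = _endpoint(rest)
                dst, dport, _ = _endpoint(rest)
                self.acls.setdefault(name, []).append(Ace(action, src, sport, dst, dport))
            elif t[0] == "access-group":                    # access-group NAME in|out interface IF
                self.groups[(t[4], t[2])] = t[1]
            else:
                raise ValueError("unsupported line: " + line)

    def _acl_ok(self, iface, direction, p, ingress, egress) -> bool:
        name = self.groups.get((iface, direction))
        if name is None:
            # Nothing bound: an 'out' check is skipped; an 'in' check falls back to the
            # security-level rule (higher -> lower allowed, lower -> higher not).
            return direction == "out" or self.levels[ingress] > self.levels[egress]
        for ace in self.acls[name]:                         # first match wins
            if ace.matches(p):
                return ace.action == "permit"
        return False                                        # implicit deny at the end

    def forward(self, p: Packet):
        ingress, egress = self.hosts[p.src], self.hosts[p.dst]
        if (p.dst, p.dport, p.src, p.sport) in self.conns:
            return True, "reply of a recorded connection; ACLs not consulted"
        if not self._acl_ok(ingress, "in", p, ingress, egress):
            return False, "denied inbound on " + ingress
        if not self._acl_ok(egress, "out", p, ingress, egress):
            return False, "denied outbound on " + egress
        self.conns.add((p.src, p.sport, p.dst, p.dport))
        return True, "permitted; connection recorded"


def demo(placement: str):
    """Same permit ACE for the DMZ server, bound either 'in interface DMZ' or
    'out interface Inside'. Returns (allowed, reason) for four constructed packets."""
    asa = Asa({"Inside": 100, "DMZ": 50, "outside": 0},
              {"184.108.40.206": "Inside", "10.10.10.10": "DMZ"})
    asa.load(f"""
access-list DMZ_TO_INSIDE extended permit tcp host 10.10.10.10 host 184.108.40.206 eq www
access-group DMZ_TO_INSIDE {placement}
access-list TRUST_OUT extended permit tcp host 184.108.40.206 host 10.10.10.10 eq 10000
access-group TRUST_OUT in interface Inside
""")
    packets = [
        Packet("10.10.10.10", 40001, "184.108.40.206", 80),    # DMZ server opens HTTP
        Packet("184.108.40.206", 80, "10.10.10.10", 40001),    # the web server's reply
        Packet("184.108.40.206", 80, "10.10.10.10", 40002),    # unsolicited, no state
        Packet("184.108.40.206", 5000, "10.10.10.10", 10000),  # backup job, inside -> DMZ
    ]
    return [asa.forward(p) for p in packets]


if __name__ == "__main__":
    for placement in ("in interface DMZ", "out interface Inside"):
        print(placement)
        for allowed, why in demo(placement):
            print("  ", "PERMIT" if allowed else "DROP  ", why)
```

With the ACE bound `in interface DMZ`, the model permits the DMZ server's SYN, permits the web server's reply purely from the connection record even though TRUST_OUT (bound inbound on Inside, like the old firewall's configuration described earlier) would deny it, drops an unsolicited packet from the web server on TRUST_OUT's implicit deny, and permits the backup job that TRUST_OUT explicitly allows. With the same ACE bound `out interface Inside` instead, the model drops the DMZ server's SYN at the DMZ inbound check, because no inbound ACL is bound on DMZ and DMZ is the lower-security interface; this is the caveat to treating the four placements as interchangeable for lower-to-higher traffic, at least in this model, which applies the security-level default at the ingress interface as the replies above describe.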