The musings of an IT Consultant

Apr 29 2009   3:07PM GMT

Rules not working in Cisco ASA as you thought they should



Posted by: Raj Perumal
Tags:
Adaptive Security Appliance
ASDM
Cisco ASA
common Cisco ASA issues
implicit rules
inside access out
inside interface outgoing
outside access out
outside interface outgoing

Hi folks, as you know I’ve been doing a lot of work with the Cisco ASA firewall products lately and I wanted to address an issue I’ve seen a few administrators run into when setting up a new ASA.

Often when you set up an ASA you are not just setting up inside-to-outside access; you usually also want some incoming rules for servers such as web servers or mail servers. The problem I see administrators run into is that after they set up these rules they still can't reach the servers from the outside world.

If you take a look at the rules closely, at first glance everything seems to be configured correctly and should be working. What I've found in these situations is that someone specified an inside interface outgoing rule, or an outside interface outgoing rule. By doing that you are explicitly allowing that one rule and implicitly denying everything else: as soon as an access list is bound to an interface in a given direction, only traffic matching one of its permit entries passes, and all other traffic hits the implicit deny at the end of the list, including the inbound server traffic you just allowed on the other interface. To fix this, either add a specific rule for the server to that outgoing list, or remove the outgoing rules altogether so the Cisco ASA falls back to its default behaviour and allows the traffic. Which way you choose will depend on how you want to secure your network, of course. Hope this helps!
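Here is the situation in ASA CLI form, as an added example that is not part of the original post. The access-list names, interfaces (inside at security-level 100, outside at security-level 0), the web server 10.0.0.10, its public address 203.0.113.10 and the Internet client 198.51.100.7 are all constructed, and the static NAT for the server is assumed to be configured already.

```text
! Constructed example. Pre-8.3 ASA code references the mapped (public) address
! in the access list; 8.3 and later reference the real address, as shown here.

! 1. The inbound rule the administrator intended: HTTP from the Internet to the
!    web server. On its own this works.
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.10 eq www
access-group OUTSIDE_IN in interface outside

! 2. The rule that breaks it. In ASDM this appears as an "outgoing" rule on the
!    inside interface. Binding any list in the out direction replaces the default
!    permit with that list plus its implicit deny, so traffic leaving the ASA
!    toward inside hosts (which includes the HTTP session to 10.0.0.10 permitted
!    in step 1) is dropped unless this list also permits it.
access-list INSIDE_OUT extended permit ip any host 10.0.0.20
access-group INSIDE_OUT out interface inside

! 3a. Fix, option 1: keep the outgoing list and add a specific entry for the server.
access-list INSIDE_OUT extended permit tcp any host 10.0.0.10 eq www

! 3b. Fix, option 2: remove the outgoing list altogether; the ASA then permits
!     the traffic by default.
no access-group INSIDE_OUT out interface inside

! Checks: list which access lists are bound to which interface and direction,
! then trace a constructed client connection through the firewall. Before the
! fix, packet-tracer reports DROP in its ACCESS-LIST phase naming INSIDE_OUT;
! after either fix it reports ALLOW.
show running-config access-group
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 80
```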

-Cheers, RP
