Cisco ASA Security – Why the Implicit Rule Prevents Traffic from Passing


I am testing traffic forwarding between different DMZs with different security levels.

DMZ:

interface GigabitEthernet0/1.351
 vlan 351
 nameif dmz
 security-level 10
 ip address 10.100.20.1 255.255.255.0 

DMZ810:

interface GigabitEthernet1/2.810
 vlan 810
 nameif dmz810
 security-level 50
 ip address 172.29.12.33 255.255.255.248 

Testing with packet-tracer:

asa-5550-edge# packet-tracer input dmz810 tcp 172.29.12.34 587 10.100.20.50 587 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.100.20.0     255.255.255.0   dmz

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2bf97148, priority=11, domain=permit, deny=true
        hits=79960, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=dmz810, output_ifc=any

Result:
input-interface: dmz810
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

But the interface dmz810 has a higher level than the interface dmz. The rule in the ACL for dmz810 did not help.

What is the reason?

Best Answer

I have seen this countless times when one configures explicit ACLs on interfaces.

By default, if there exist exactly zero access control lists, the ASA will freely PERMIT all traffic from higher security levels to lower levels. However, as soon as you add any explicit rules that apply to an interface, an implicit DENY rule is added at the end of the ACL. Furthermore, this implicit rule is NOT shown when performing a show access-list command. ASDM will show the implicit rule but the CLI, by default, does not.

While a great concept, in theory, to simply use security levels and avoid the additional complexity of using ACLs on the filtering engine, in reality most everyone needs to have more granular control of the traffic.

In your instance, examine if you actually need any ACLs for filtering traffic or if you can simply utilize the security levels to make the traffic filtering decisions for you. If you don't need explicit ACLs, delete them. The traffic should then flow from higher to lower security level interfacesª. If you need your ACL, add a rule permitting traffic from 172.29.12.32/29 to 10.100.20.0/24 and vice versa. Below is an example of how to do so.

;; Creates a global ACL permitting traffic from the dmz810 subnet to the dmz subnet
access-list DMZ810-ALLOW extended permit ip 172.29.12.32 255.255.255.248 10.100.20.0 255.255.255.0 log

— or —

;; More flexible as this creates a rule permitting traffic from the dmz810 subnet to
;; whatever address is assigned to the dmz interface, without further modification of
;; the ACL (such as if the address assigned to the dmz interface changes)

access-list DMZ810-ALLOW extended permit ip 172.29.12.32 255.255.255.248 interface dmz

;; If you are certain you wish all traffic from dmz810 to dmz to pass, it's probably
;; better to change security levels to be the same.  If that is not desired, you
;; can still permit traffic from whatever subnet is assigned to either of the interfaces
;; by using the interface keyword on both parts of the access list.

access-list ALLOW_DMZ810-to-DMZ extended permit ip interface dmz810 interface dmz

;; keep in mind that if you make these the same security level, or are utilizing zones,
;; you should probably read additional commands below to ensure this works.

Please review the following commands and comments to ensure you get the expected behavior. The first pertains to same-security-levels and the second to traffic amongst zones:

  • same-security-traffic permit inter-interface
    • "PERMIT communication between different interfaces and zones with the same security level" b
  • same-security-traffic permit intra-interface
    • "PERMIT communication between peers connected to the same interface and different interfaces in the same zone" b

Please note: if you do not enable one, or both, of these settings, the default action will be to DENY all traffic inter- or intra-interface, amongst all interfaces of the same security level.

Many people I have helped out with an ASA are under the mis-impression that traffic is, by default, PERMITTED within the same security level.

Of course, you'd have to change the security level of dmz810, which defeats the purpose of your question.

Hope this helps.

b Wording directly from inline help on the CLI of an ASA5585-x v9.1, emphasis added.
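The forwarding decision the answer describes, as an added model that is not part of the original post or of any Cisco tooling: it parses ASA-style access-list and access-group lines and returns the verdict packet-tracer would report for the flow from the question, first with no ACL bound to dmz810, then with a constructed ACL (named DMZ810_IN, an assumption) that lacks a matching permit, then with the answer's permit line added. Only the host/netmask form of extended ACL entries is parsed; the interface and any keywords are left out.

```python
import ipaddress
import re

INTERFACES = {"dmz": 10, "dmz810": 50}  # nameif -> security-level, from the question

# Only the host/netmask form of "extended permit|deny ip" and "access-group ... in interface"
# are parsed; the "interface" and "any" keywords are not modelled (assumption of this example).
ACL_RE = re.compile(r"access-list (\S+) extended (permit|deny) ip (\S+) (\S+) (\S+) (\S+)")
BIND_RE = re.compile(r"access-group (\S+) in interface (\S+)")

def parse_config(lines):
    """Return (acls, bindings): ACL name -> ordered [(action, src_net, dst_net)], ingress nameif -> ACL."""
    acls, bindings = {}, {}
    for line in lines:
        if m := ACL_RE.match(line.strip()):
            name, action, s_ip, s_mask, d_ip, d_mask = m.groups()
            acls.setdefault(name, []).append((action, ipaddress.ip_network(f"{s_ip}/{s_mask}"),
                                              ipaddress.ip_network(f"{d_ip}/{d_mask}")))
        elif m := BIND_RE.match(line.strip()):
            bindings[m.group(2)] = m.group(1)
    return acls, bindings

def decide(src_ifc, dst_ifc, src_ip, dst_ip, config, same_security_inter=False):
    """Mimic the packet-tracer verdict for one flow as (action, rule that decided it)."""
    acls, bindings = config
    s_lvl, d_lvl = INTERFACES[src_ifc], INTERFACES[dst_ifc]
    if s_lvl == d_lvl and not same_security_inter:
        return "DROP", "same-security-traffic permit inter-interface not set"
    acl_name = bindings.get(src_ifc)
    if acl_name is None:  # no ACL on the ingress interface: security levels alone decide
        return ("ALLOW", "security-level") if s_lvl >= d_lvl else ("DROP", "security-level")
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s_net, d_net in acls.get(acl_name, []):  # first match wins
        if src in s_net and dst in d_net:
            return ("ALLOW" if action == "permit" else "DROP"), f"{acl_name} explicit {action}"
    return "DROP", "Implicit Rule"  # the deny-all that 'show access-list' never displays

FLOW = ("dmz810", "dmz", "172.29.12.34", "10.100.20.50")  # the packet-tracer flow from the question
# Constructed ACL "DMZ810_IN": one unrelated permit line, bound inbound on dmz810.
UNRELATED = ["access-list DMZ810_IN extended permit ip 172.29.12.32 255.255.255.248 10.200.0.0 255.255.0.0",
             "access-group DMZ810_IN in interface dmz810"]
# Same ACL plus the permit line the answer suggests.
FIXED = UNRELATED[:1] + ["access-list DMZ810_IN extended permit ip 172.29.12.32 255.255.255.248 "
                          "10.100.20.0 255.255.255.0"] + UNRELATED[1:]

def demo():
    """Verdicts for the same flow with no ACL, with the unrelated ACL, and with the fix."""
    return [decide(*FLOW, parse_config(cfg)) for cfg in ([], UNRELATED, FIXED)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The second verdict reproduces the question's drop: the moment any ACL is bound to dmz810, the security-level comparison no longer decides and the unlisted final deny catches the flow.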