Cisco ASA – ‘access-group’ Warning

KB ID 0001035

Problem

I’ve been writing Cisco ASA walkthroughs for years, and littered all over PeteNetLive you will see me warning readers every time I use access-group commands. So I’ve finally got round to putting this article up so I can reference it in future.

What is an Access-Group command?

You use an access-group command to apply an access-list to an interface, in a particular direction (in or out). An interface can only have one ACL applied in each direction, which is the root of the first warning below. I always apply access-groups inbound ("in") on an interface, to avoid confusion.

Example

[box]

Create an access list first

access-list outbound permit tcp host 192.168.1.1 any eq www

Nothing will happen until you apply that ACL to an interface with an access-group command:

access-group outbound in interface inside

[/box]

Solution

So Why The Access-Group Warning?

Reason 1

When I post articles and direct you to allow traffic through a firewall, I assume that you do not have any ACLs already applied with access-group commands. If you do, and you follow my tutorials blindly, you will overwrite your existing access-group bindings (because an interface can only have one ACL applied per direction), and your existing ACLs will stop working! (The ACLs themselves would still be in the config; you would just need to reapply them.)

Reason 2

By default, traffic flows through the ASA from interfaces with a higher (more secure) security level to interfaces with a lower security level. That is why you can get out through a new firewall without adding any rules. However, every ACL has an implicit deny at the end, and once an ACL is applied to an interface it replaces that default behaviour. So if you have a mail server and write an ACL that allows SMTP out, for example, the moment you apply that ACL with an access-group command you STOP ALL OTHER OUTBOUND COMMUNICATION until that traffic is allowed as well.

So How Can You Make Sure I’m Not About to Break Anything?

Easy: the firewall will tell you whether you have any access-groups already in use, with a ‘show run access-group‘ command. Below you can see there are three, and which interface (and direction) each one is applied to.

[box]

User Access Verification

Password: ********
Type help or ‘?’ for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# show run access-group
access-group inside-in in interface outside
access-group outside-in in interface inside
access-group DMZ-in in interface DMZ
PetesASA#

[/box]

I’ve deliberately shown a naming convention I don’t usually use; I typically have an ACL called outbound for outgoing traffic, and inbound for incoming traffic. If your firewall has differently named ACLs applied with access-group commands, USE YOUR ACL NAMES, NOT THE ONES IN MY ARTICLES! In that case add the new access-list lines to the ACL that is already bound to the interface, and you do not need to issue an access-group command at all.

I’ve Followed Your Article and It Works, But Everything Else Has Stopped Working!

OK, remember Reason 2 above: you need to allow the other traffic out again. The simplest way to do that is with a permit ip any any line, which is effectively what you had originally*. (I prefer to only allow out the traffic that needs to go out, but I’m a firewall nut!)

*Note: To avoid emails from the pedants: strictly speaking you had all traffic open, not just IP.

[box]

Assuming the last commands you issued looked something like this:

access-list outbound permit tcp host 192.168.1.1 any eq www
access-group outbound in interface inside

That works, but everything else does not: you have fallen foul of the implicit deny. So allow out the rest of the traffic you want to allow out, i.e.

access-list outbound permit ip any any

Note that the ASA appends new lines to the end of the ACL and evaluates it top down, so this catch-all must stay last. Anything you later want to deny has to be inserted above it (with the line keyword, e.g. access-list outbound line 1 deny ...), not added after it, or it will never be hit.

[/box]
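The two checks above (is there already an ACL bound to this interface and direction, and does the ACL I am about to apply end in a catch-all permit?) are easy to get wrong when you are pasting from a tutorial. The following is an added example written for this page, not a tool from the original article or from Cisco: a small Python pre-flight check that parses pasted output of ‘show run access-group‘ and ‘show run access-list‘ and prints a warning for Reason 1 and Reason 2 before you issue an access-group command. The sample output embedded in it is constructed to match the session shown above; it only understands extended access-list lines (permit/deny) and ignores remarks and other ACL types.

```python
"""Pre-flight check before issuing 'access-group <acl> <dir> interface <if>' on a Cisco ASA.

Added example for this article, not code from the original page or from Cisco.
It parses pasted output of 'show run access-group' and 'show run access-list'.
"""
import re

# Constructed sample output of 'show run access-group' (matches the article's session,
# not captured from a real device).
SHOW_RUN_ACCESS_GROUP = """\
access-group inside-in in interface outside
access-group outside-in in interface inside
access-group DMZ-in in interface DMZ
"""

# Constructed sample output of 'show run access-list' (assumed content).
# 'outbound' exists but is not applied anywhere and has no catch-all permit.
SHOW_RUN_ACCESS_LIST = """\
access-list outside-in extended permit tcp any host 192.168.1.1 eq www
access-list outside-in extended permit ip any any
access-list outbound extended permit tcp host 192.168.1.1 any eq www
access-list DMZ-in remark DNS only from the DMZ
access-list DMZ-in extended permit udp any any eq domain
"""

ACCESS_GROUP_RE = re.compile(
    r"^access-group\s+(?P<acl>\S+)\s+(?P<direction>in|out)\s+interface\s+(?P<iface>\S+)"
)
# Extended ACEs only; 'remark' lines and other ACL types deliberately do not match.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+(?P<rest>.+)$"
)


def parse_access_groups(text):
    """Return {(interface, direction): acl_name} from 'show run access-group' output."""
    bindings = {}
    for line in text.splitlines():
        m = ACCESS_GROUP_RE.match(line.strip())
        if m:
            bindings[(m["iface"], m["direction"])] = m["acl"]
    return bindings


def parse_access_lists(text):
    """Return {acl_name: [(action, rest), ...]} in configured (top-down) order."""
    acls = {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            acls.setdefault(m["acl"], []).append((m["action"], m["rest"]))
    return acls


def has_catch_all_permit(aces):
    """True if the LAST entry is 'permit ip any any'.

    Only the last entry is checked: the ASA appends new lines to the end and
    evaluates top down, so a catch-all anywhere else shadows what follows it.
    """
    if not aces:
        return False
    action, rest = aces[-1]
    return action == "permit" and rest.split() == ["ip", "any", "any"]


def preflight(acl, direction, iface, access_group_out, access_list_out):
    """Return the warnings for 'access-group <acl> <direction> interface <iface>'."""
    warnings = []
    bindings = parse_access_groups(access_group_out)
    acls = parse_access_lists(access_list_out)

    # Reason 1: one ACL per interface per direction; a second binding replaces the first.
    existing = bindings.get((iface, direction))
    if existing and existing != acl:
        warnings.append(
            f"Reason 1: interface {iface} ({direction}) already has ACL '{existing}' applied; "
            f"'access-group {acl} {direction} interface {iface}' would replace it. "
            f"Add your lines to '{existing}' instead."
        )

    # Reason 2: the implicit deny blocks everything the ACL does not explicitly permit.
    if acl not in acls:
        warnings.append(f"ACL '{acl}' has no extended entries in the running config; check the name.")
    elif not has_catch_all_permit(acls[acl]):
        warnings.append(
            f"Reason 2: ACL '{acl}' does not end with 'permit ip any any'; the implicit deny "
            f"will stop all other traffic {direction}bound on {iface}."
        )
    return warnings


if __name__ == "__main__":
    # The article's scenario: binding a new 'outbound' ACL inbound on 'inside'.
    for w in preflight("outbound", "in", "inside", SHOW_RUN_ACCESS_GROUP, SHOW_RUN_ACCESS_LIST):
        print("WARNING:", w)
```

Paste your own ‘show run‘ output in place of the two constructed strings. A Reason 1 warning means you should add the new access-list lines to the ACL that is already bound rather than issuing the access-group command; a Reason 2 warning means you need the catch-all (or the explicit permits you actually want) in place before the ACL is bound.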


Related Articles, References, Credits, or External Links

NA