RE: why ASA does NOT need an ACL to form an OSPF neighborship

From: Brian McGahan <bmcgahan_at_ine.com>
Date: Thu, 4 Oct 2012 09:13:57 -0500

It's because traffic destined to the ASA itself is treated differently from transit traffic. What happens when you ping an interface on the ASA? Do you need an access-list to allow this?

Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com

Internetwork Expert, Inc.
http://www.INE.com
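The split Brian describes above, to-the-box traffic handed to the control plane versus through-the-box traffic checked against the interface access-list, as a constructed Python model added here for illustration. It is not ASA code and not from any of the list posters; the interface names and addresses are made up, and the gating it applies (the OSPF process covering an interface, the `ssh` command listing a source) is a simplification of the behaviour the thread describes, not a claim about the ASA's actual pipeline.

```python
"""Constructed model (not ASA code) of the split described in the thread: traffic
addressed to the ASA itself ("to-the-box") goes to the control plane and never
consults the interface access-list; only transit ("through-the-box") traffic is
ACL-checked. Interface names, addresses and gating rules are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

OSPF_PROTO, ICMP_PROTO, TCP_PROTO = 89, 1, 6
# AllSPFRouters and AllDRouters, the groups an OSPF speaker joins.
OSPF_GROUPS = {IPv4Address("224.0.0.5"), IPv4Address("224.0.0.6")}
SSH_PORT = 22


@dataclass
class Packet:
    ingress: str            # interface the packet arrived on
    src: IPv4Address
    dst: IPv4Address
    proto: int              # IP protocol number
    dport: int = 0          # TCP/UDP destination port, 0 if not applicable


@dataclass
class AclEntry:
    proto: int              # IP protocol number, 0 = any
    dst: IPv4Network
    permit: bool


@dataclass
class Interface:
    name: str
    address: IPv4Address
    ospf_enabled: bool = False                                  # covered by 'network ... area'
    ssh_from: list[IPv4Network] = field(default_factory=list)  # 'ssh <net> <mask> <if>'
    acl: list[AclEntry] = field(default_factory=list)          # 'access-group ... in interface <if>'


def is_to_the_box(iface: Interface, pkt: Packet) -> bool:
    """Unicast to the interface's own address, or to an OSPF group, is for the box itself."""
    return pkt.dst == iface.address or pkt.dst in OSPF_GROUPS


def control_plane(iface: Interface, pkt: Packet) -> str:
    """Control-plane handling: gated by the feature being enabled, not by an interface ACL."""
    if pkt.proto == OSPF_PROTO and pkt.dst in OSPF_GROUPS:
        # Listening on the groups only once the OSPF process covers the interface;
        # otherwise the multicast is simply ignored (assumed from the thread).
        if iface.ospf_enabled:
            return "accept: OSPF hello delivered to OSPF process"
        return "ignore: no OSPF process on this interface"
    if pkt.proto == ICMP_PROTO:
        return "accept: ping to own interface, no access-list consulted"
    if pkt.proto == TCP_PROTO and pkt.dport == SSH_PORT:
        if any(pkt.src in net for net in iface.ssh_from):
            return "accept: SSH permitted by 'ssh' command, no access-list consulted"
        return "drop: source not listed in 'ssh' command for this interface"
    return "drop: no service listening"


def transit(iface: Interface, pkt: Packet) -> str:
    """Through-the-box path: first-match interface ACL, implicit deny at the end."""
    for entry in iface.acl:
        if entry.proto in (0, pkt.proto) and pkt.dst in entry.dst:
            return "forward: permitted by access-list" if entry.permit else "drop: denied by access-list"
    return "drop: implicit deny (no access-list entry matches)"


def handle(asa: dict[str, Interface], pkt: Packet) -> str:
    """Dispatch a packet the way the model says the ASA does: classify first, then enforce."""
    iface = asa[pkt.ingress]
    return control_plane(iface, pkt) if is_to_the_box(iface, pkt) else transit(iface, pkt)


def demo_asa() -> dict[str, Interface]:
    """Constructed two-interface ASA: OSPF on outside only, SSH allowed from the inside LAN."""
    return {
        "outside": Interface("outside", IPv4Address("203.0.113.2"), ospf_enabled=True),
        "inside": Interface("inside", IPv4Address("10.0.0.1"),
                            ssh_from=[IPv4Network("10.0.0.0/24")]),
    }


if __name__ == "__main__":
    asa = demo_asa()
    cases = [
        Packet("outside", IPv4Address("203.0.113.1"), IPv4Address("224.0.0.5"), OSPF_PROTO),
        Packet("inside", IPv4Address("10.0.0.9"), IPv4Address("224.0.0.5"), OSPF_PROTO),
        Packet("outside", IPv4Address("203.0.113.1"), IPv4Address("10.0.0.50"), OSPF_PROTO),
        Packet("outside", IPv4Address("198.51.100.7"), IPv4Address("203.0.113.2"), ICMP_PROTO),
        Packet("inside", IPv4Address("10.0.0.5"), IPv4Address("10.0.0.1"), TCP_PROTO, SSH_PORT),
        Packet("outside", IPv4Address("203.0.113.1"), IPv4Address("203.0.113.2"), TCP_PROTO, SSH_PORT),
    ]
    for p in cases:
        print(f"{p.ingress:7} {p.src} -> {p.dst} proto {p.proto}: {handle(asa, p)}")
```

The third case is the one worth noticing: the same protocol 89 that is accepted as a neighbor hello on the outside interface is dropped by the implicit deny when it is addressed to a host behind the ASA, because only then does the interface access-list come into play.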

-----Original Message-----
From: Jay McMickle [mailto:jay.mcmickle_at_yahoo.com]
Sent: Thursday, October 04, 2012 8:00 AM
To: jeremy co
Cc: Brian McGahan; Cisco certification
Subject: Re: why ASA does NOT need an ACL to form an OSPF neighborship

I think this is a very good question that I've never considered. I agree with Brian's "why", but it doesn't explain the "how".

It's similar to why a VPN can terminate on the device, or SSH works to it, without an explicit ACL allowance (other than the crypto or ssh command). It makes sense that you turn it on and it listens, but not why we don't need an ACL. I think this is a very fundamental question that even I (a current CCIE, about to take my IE Security lab) do not know (embarrassed).

With a router, I think of these functions as living at the control plane, at the "center" of the router. The center tells me that there is an enforcement interface to allow/deny such processes to run. Things like this I can verify with show control-plane host open.... type commands that show me it's listening at the "center" of the router, and that I need to allow/deny at the interface in between the "center" and where the data (plane) needs to pass.

However, where does this type of process run on an ASA? Where is the verification?

Great question Jeremy. I look forward to an educated reply here!

Regards,
Jay McMickle - CCIE #35355 (RS), 3x CCNP (RS, Security, Design)

Sent from my iPhone

On Oct 3, 2012, at 10:26 PM, jeremy co <jeremy.cool14_at_gmail.com> wrote:

> Thanks Brian,
>
> How can I see via the command line which multicast addresses it
> listens to?
>
> On Thu, Oct 4, 2012 at 1:16 PM, Brian McGahan <bmcgahan_at_ine.com> wrote:
>
>> It starts listening for OSPF multicast when you turn the OSPF process
>> on, the same as the routers do. If it's not running OSPF then it
>> just ignores those groups.
>>
>> Brian McGahan, CCIE #8593 (R&S/SP/Security)
>> bmcgahan_at_INE.com
>>
>> Internetwork Expert, Inc.
>> http://www.INE.com
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of jeremy co
>> Sent: Wednesday, October 03, 2012 9:32 PM
>> To: Cisco certification
>> Subject: why ASA does NOT need an ACL to form an OSPF neighborship
>>
>> Folks,
>>
>> Dumb question, but it seems I can't figure it out. How come the ASA doesn't
>> need an ACL to permit protocol 89 on the outside interface to form an OSPF adjacency?
>>
>> What is the behind-the-scenes action it takes to form an OSPF adjacency?
>> Does the ASA listen to multicast addresses by default and not drop them?
>>
>>
>> I couldn't find relevant info in show asp to find the answer;
>> I'd appreciate it if someone can guide me on this.
>>
>>
>> Where on the CLI can I verify that it listens to multicast?
>>
>> Thanks
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
>

Blogs and organic groups at http://www.ccie.net
Received on Thu Oct 04 2012 - 09:13:57 ART

This archive was generated by hypermail 2.2.0 : Thu Nov 01 2012 - 10:53:33 ART