Re: why ASA does NOT need an ACL to form a OSPF neighborship

From: Jay McMickle <jay.mcmickle_at_yahoo.com>
Date: Thu, 4 Oct 2012 13:28:15 -0700 (PDT)

Well, technically, yes. Either ICMP permit, inspect icmp, or ACL for icmp.
Unless of course you are talking about the inside interface. But that
doesn't help me understand why, though it does encourage your point, Brian. :)

Regards,
Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)

________________________________
From: Brian McGahan <bmcgahan_at_ine.com>
To: Jay McMickle <jay.mcmickle_at_yahoo.com>; jeremy co <jeremy.cool14_at_gmail.com>
Cc: Cisco certification <ccielab_at_groupstudy.com>
Sent: Thursday, October 4, 2012 9:13 AM
Subject: RE: why ASA does NOT need an ACL to form a OSPF neighborship

It's because traffic destined to the ASA itself is treated
differently than transit traffic. What happens when you ping an interface on
the ASA? Do you need an access-list to allow this?

Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com

Internetwork Expert, Inc.
http://www.INE.com

-----Original Message-----
From: Jay McMickle [mailto:jay.mcmickle_at_yahoo.com]
Sent: Thursday, October 04, 2012 8:00 AM
To: jeremy co
Cc: Brian McGahan; Cisco certification
Subject: Re: why ASA does NOT need an ACL to form a OSPF neighborship

I think this is a very good question that I've never considered. I agree with
Brian's "why", but it doesn't explain the "how".

It's similar to why VPN can terminate or SSH works to the device without an
explicit ACL allowance (other than the crypto or SSH command). It makes sense
that you turn it on and it listens, but not why we don't need an ACL. I think
this is a very fundamental question that not even I (current CCIE and about to
take my IE Security lab) know (embarrassed).

With a router, I think of these functions as being at the control plane, at the
"center" of the router. The center tells me that there is an enforcement
interface to allow/deny such processes to run. Things like this I can verify
with "show control-plane host open...." type commands that show me it's
listening at the "center" of the router and that I need to allow/deny at the
interface in between the "center" and where the data (plane) needs to pass.

However, where is this type of process running on an ASA? Where is the
verification? Great question Jeremy. I look forward to an educated reply here!

Regards,
Jay McMickle- CCIE #35355 (RS), 3x CCNP (RS,Security,Design)

Sent from my iPhone

On Oct 3, 2012, at 10:26 PM, jeremy co <jeremy.cool14_at_gmail.com> wrote:

> Thanks Brian,
>
> How can I see via command line that it listens to which multicast
> addresses ?
>
> On Thu, Oct 4, 2012 at 1:16 PM, Brian McGahan <bmcgahan_at_ine.com> wrote:
>
>> It starts listening for OSPF multicast when you turn the OSPF process
>> on, the same as the routers do. If it's not running OSPF then it
>> just ignores those groups.
>>
>> Brian McGahan, CCIE #8593 (R&S/SP/Security) bmcgahan_at_INE.com
>>
>> Internetwork Expert, Inc.
>> http://www.INE.com
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf
>> Of jeremy co
>> Sent: Wednesday, October 03, 2012 9:32 PM
>> To: Cisco certification
>> Subject: why ASA does NOT need an ACL to form a OSPF neighborship
>>
>>
>> Folks,
>>
>> Dumb question but it seems I can't figure it out. How come ASA doesn't
>> need an ACL to permit protocol 89 on the outside interface to form an OSPF
>> adjacency?
>>
>> What is the behind-the-scenes action that it does to form the OSPF
>> adjacency?
>> Does ASA listen to multicast addresses by default and not drop them?
>>
>>
>> I couldn't find relevant info in show asp to find the answer,
>> appreciate it if someone can guide me on this.
>>
>>
>> Where on the CLI can I verify if it listens to multicast?
>>
>> Thanks
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>>
Received on Thu Oct 04 2012 - 13:28:15 ART

This archive was generated by hypermail 2.2.0 : Thu Nov 01 2012 - 10:53:33 ART
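The to-the-box versus transit distinction Brian describes, written out as an added example: a constructed Python model, not ASA code and not from anyone's post in the thread. The interface name, the 203.0.113.1 / 10.0.0.2 addresses, and the listener-set / ACL-list representation are assumptions made for the model.

```python
"""Constructed model of the packet-path distinction in the thread (not ASA code):
traffic addressed to the ASA itself (to-the-box) bypasses the interface ACL and
is accepted only if a listener is enabled, while transit traffic hits the ACL."""
import ipaddress
from dataclasses import dataclass, field

OSPF_PROTO = 89                                       # IP protocol 89 = OSPF
OSPF_GROUPS = {ipaddress.ip_address("224.0.0.5"),     # AllSPFRouters
               ipaddress.ip_address("224.0.0.6")}     # AllDRouters


@dataclass
class Interface:
    name: str
    address: str                                  # interface IP as a string
    listeners: set = field(default_factory=set)   # protocols the box answers here
    # Transit ACL as ordered (protocol number or "ip", "permit"/"deny") entries;
    # an empty list behaves like an interface with no ACL applied.
    acl: list = field(default_factory=list)


def enable_ospf(iface: Interface) -> None:
    """Model 'turning the OSPF process on': the box starts listening for
    protocol 89 on this interface. No ACL entry is involved."""
    iface.listeners.add(OSPF_PROTO)


def classify(iface: Interface, dst: str, proto: int) -> tuple:
    """Return (path, verdict, reason) for one packet arriving on iface."""
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip == ipaddress.ip_address(iface.address) or dst_ip in OSPF_GROUPS:
        # To-the-box path: the interface ACL is never consulted. A packet to
        # an OSPF group is taken only by an OSPF listener; with no OSPF
        # process the group is simply ignored, as Brian describes.
        group_ok = dst_ip not in OSPF_GROUPS or proto == OSPF_PROTO
        if proto in iface.listeners and group_ok:
            return ("to-the-box", "accept", f"protocol {proto} listener on {iface.name}")
        return ("to-the-box", "drop", "no listener: service disabled or group not joined")
    # Transit path: first matching ACL entry wins, implicit deny at the end.
    for acl_proto, action in iface.acl:
        if acl_proto == "ip" or acl_proto == proto:
            return ("transit", action, f"matched ACL entry {acl_proto} {action}")
    return ("transit", "deny", "implicit deny at end of interface ACL")


if __name__ == "__main__":
    outside = Interface("outside", "203.0.113.1")       # constructed address
    print(classify(outside, "224.0.0.5", OSPF_PROTO))   # drop: OSPF not enabled
    enable_ospf(outside)
    print(classify(outside, "224.0.0.5", OSPF_PROTO))   # accept, still no ACL
    print(classify(outside, "10.0.0.2", OSPF_PROTO))    # transit: implicit deny
```

The model makes the practical point explicit: which interfaces the OSPF process is enabled on, not the interface ACL, decides who can reach the listener.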