Re: why ASA does NOT need an ACL to form a OSPF neighborship

From: Piotr Matusiak <pitt2k_at_gmail.com>
Date: Thu, 4 Oct 2012 22:53:57 +0200

Gents,

ACLs on ASA work for traffic going through the box. They do not work for
traffic destined to or originated from the box. This is the main difference
between ASA and routers.

If you want to control traffic destined to the box, you have a bunch of
commands specific for a particular protocol, for example:

telnet - telnet 0 0 inside
ssh - ssh 0 0 inside
icmp - icmp permit....
isakmp - crypto isakmp enable outside
ospf - router ospf 1

etc.

You can also restrict other traffic destined to the ASA using
'control-plane' ACL.

If you really need to check what ports are opened on the ASA, use the 'sho asp
table socket' command.

Regards,

--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein
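An added configuration example (not from Piotr's message, the thread, or Cisco documentation) of the 'control-plane' ACL mentioned above. It restricts to-the-box OSPF and IKE on the outside interface to known peers while leaving transit traffic untouched; the interface name, ACL name, and all addresses are assumptions.

```cisco
! Added example, not from the thread. Addresses, interface and ACL name are assumed.
! A control-plane ACL only evaluates traffic addressed to the ASA itself; transit
! traffic is still governed by the normal interface ACL (or the lack of one).
!
! Assumed addressing: outside interface 203.0.113.1, OSPF neighbor 203.0.113.2,
! VPN peer 198.51.100.10.
!
! OSPF (IP protocol 89) from the expected neighbor only: unicast to the interface
! and the AllSPFRouters / AllDRouters groups.
access-list CP-OUTSIDE extended permit ospf host 203.0.113.2 host 203.0.113.1
access-list CP-OUTSIDE extended permit ospf host 203.0.113.2 host 224.0.0.5
access-list CP-OUTSIDE extended permit ospf host 203.0.113.2 host 224.0.0.6
!
! IKE / NAT-T from the known VPN peer only.
access-list CP-OUTSIDE extended permit udp host 198.51.100.10 host 203.0.113.1 eq isakmp
access-list CP-OUTSIDE extended permit udp host 198.51.100.10 host 203.0.113.1 eq 4500
!
! Everything else addressed to the box on this interface is dropped and logged.
access-list CP-OUTSIDE extended deny ip any any log
!
! Bind it as a control-plane ACL (not as a regular interface ACL).
access-group CP-OUTSIDE in interface outside control-plane
```

To confirm the ACL is actually matching, compare 'show access-list CP-OUTSIDE' hit counts against 'show asp table socket', which lists what the box is listening on. Apply this in a lab first: a control-plane ACL with a trailing deny can cut off management access or an existing neighbor just as easily as it cuts off unwanted traffic.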
2012/10/4 Jay McMickle <jay.mcmickle_at_yahoo.com>
> Well, technically, yes.  Either ICMP permit, inspect icmp, or ACL for icmp.
> Unless of course, you are talking about the inside interface.  But, that
> doesn't help me understand why, but does encourage your point, Brian.  :)
>
> Regards,
> Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)
>
> ________________________________
> From: Brian McGahan <bmcgahan_at_ine.com>
> To: Jay McMickle <jay.mcmickle_at_yahoo.com>; jeremy co <jeremy.cool14_at_gmail.com>
> Cc: Cisco certification <ccielab_at_groupstudy.com>
> Sent: Thursday, October 4, 2012 9:13 AM
> Subject: RE: why ASA does NOT need an ACL to form a OSPF neighborship
>
> It's because traffic destined to the ASA itself is treated differently than
> transit traffic.  What happens when you ping an interface on the ASA?  Do you
> need an access-list to allow this?
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
> -----Original Message-----
> From: Jay McMickle [mailto:jay.mcmickle_at_yahoo.com]
> Sent: Thursday, October 04, 2012 8:00 AM
> To: jeremy co
> Cc: Brian McGahan; Cisco certification
> Subject: Re: why ASA does NOT need an ACL to form a OSPF neighborship
>
> I think this is a very good question that I've never considered. I agree with
> Brian's "why", but it doesn't explain the "how".
>
> It's similar to why VPN can terminate or SSH works to the device without an
> explicit ACL allowance (other than crypto or SSH command). It makes sense that
> you turn it on and it listens, but not why we don't need an ACL. I think this
> is a very fundamental question that not even I (current CCIE and about to take
> my IE Security lab) know (embarrassed).
>
> With a router, I think of these functions at the control-plane, and being at
> the "center" of the router. The center tells me that there is an enforcement
> interface to allow/deny such processes to run. Things like this that I can
> verify with show control-plane host open.... type commands that show me it's
> listening at the "center" of the router and that I need to allow/deny at the
> interface in between the "center" and where the data (plane) needs to pass.
>
> However, where is this type of process running on an ASA? Where is the
> verification? Great question Jeremy. I look forward to an educated reply here!
>
> Regards,
> Jay McMickle- CCIE #35355 (RS), 3x CCNP (RS,Security,Design)
>
> Sent from my iPhone
> On Oct 3, 2012, at 10:26 PM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
>
> > Thanks Brian,
> >
> > How can I see via command line that it listens to which multicast
> > addresses ?
> >
> > On Thu, Oct 4, 2012 at 1:16 PM, Brian McGahan <bmcgahan_at_ine.com> wrote:
> >
> >> It starts listening for OSPF multicast when you turn the OSPF process on,
> >> the same as the routers do.  If it's not running OSPF then it just ignores
> >> those groups.
> >>
> >> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> >> bmcgahan_at_INE.com
> >>
> >> Internetwork Expert, Inc.
> >> http://www.INE.com
> >>
> >> -----Original Message-----
> >> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf
> >> Of jeremy co
> >> Sent: Wednesday, October 03, 2012 9:32 PM
> >> To: Cisco certification
> >> Subject: why ASA does NOT need an ACL to form a OSPF neighborship
> >>
> >> Folks,
> >>
> >> Dumb question but seems I can't figure it out.  How come ASA doesn't need
> >> an ACL to permit protocol 89 on outside interface to form OSPF adjacency?
> >>
> >> What is the behind-the-scenes action that it does to form OSPF adjacency?
> >> Does ASA listen to multicast addresses by default and not drop them?
> >>
> >> I couldn't find relevant info in show asp to find the answer; appreciate
> >> it if someone can guide me on this.
> >>
> >> Where on CLI can I verify if it listens to multicast?
> >>
> >> Thanks
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
Received on Thu Oct 04 2012 - 22:53:57 ART

This archive was generated by hypermail 2.2.0 : Thu Nov 01 2012 - 10:53:33 ART