Re: why ASA does NOT need an ACL to form a OSPF neighborship

From: Jay McMickle <jay.mcmickle_at_yahoo.com>
Date: Fri, 5 Oct 2012 06:13:31 -0700 (PDT)

Thanks.

Regards,
Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)

________________________________
From: Piotr Matusiak <pitt2k_at_gmail.com>
To: Jay McMickle <jay.mcmickle_at_yahoo.com>
Cc: Brian McGahan <bmcgahan_at_ine.com>; jeremy co <jeremy.cool14_at_gmail.com>; Cisco certification <ccielab_at_groupstudy.com>
Sent: Thursday, October 4, 2012 3:53 PM
Subject: Re: why ASA does NOT need an ACL to form a OSPF neighborship

Gents,

ACLs on ASA work for traffic going through the box. They do not work for
traffic destined to or originated from the box. This is the main difference
between ASA and routers.

If you want to control traffic destined to the box, you have a bunch of
commands specific for a particular protocol, for example:
telnet - telnet 0 0 inside
ssh - ssh 0 0 inside
icmp - icmp permit....
isakmp - crypto isakmp enable outside
ospf - router ospf 1

etc.

You can also restrict other traffic destined to the ASA using the
'control-plane' ACL.

If you really need to check what ports are opened on the ASA use the 'sho asp
table socket' command.

Regards,

--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein
2012/10/4 Jay McMickle <jay.mcmickle_at_yahoo.com>
>
> Well, technically, yes.  Either ICMP permit, inspect icmp, or ACL for icmp.
> Unless of course, you are talking about the inside interface.  But, that
> doesn't help me understand why, but does encourage your point, Brian.  :)
>
> Regards,
> Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)
>
> ________________________________
> From: Brian McGahan <bmcgahan_at_ine.com>
> To: Jay McMickle <jay.mcmickle_at_yahoo.com>; jeremy co <jeremy.cool14_at_gmail.com>
> Cc: Cisco certification <ccielab_at_groupstudy.com>
> Sent: Thursday, October 4, 2012 9:13 AM
> Subject: RE: why ASA does NOT need an ACL to form a OSPF neighborship
>
> It's because traffic destined to the ASA itself is treated differently than
> transit traffic.  What happens when you ping an interface on the ASA?  Do you
> need an access-list to allow this?
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
> -----Original Message-----
> From: Jay McMickle [mailto:jay.mcmickle_at_yahoo.com]
> Sent: Thursday, October 04, 2012 8:00 AM
> To: jeremy co
> Cc: Brian McGahan; Cisco certification
> Subject: Re: why ASA does NOT need an ACL to form a OSPF neighborship
>
> I think this is a very good question that I've never considered. I agree with
> Brian's "why", but it doesn't explain the "how".
>
> It's similar to why VPN can terminate or SSH works to the device without an
> explicit ACL allowance (other than crypto or SSH command). It makes sense that
> you turn it on and it listens, but not why we don't need an ACL. I think this
> is a very fundamental question that not even I (current CCIE and about to take
> my IE Security lab) know (embarrassed).
>
> With a router, I think of these functions at the control-plane, and being at
> the "center" of the router. The center tells me that there is an enforcement
> interface to allow/deny such processes to run. Things like this that I can
> verify with show control-plane host open.... type commands that show me it's
> listening at the "center" of the router and that I need to allow/deny at the
> interface in between the "center" and where the data (plane) needs to pass.
>
> However, where is this type of process running at on an ASA? Where is the
> verification? Great question Jeremy. I look forward to an educated reply here!
>
> Regards,
> Jay McMickle- CCIE #35355 (RS), 3x CCNP (RS,Security,Design) Sent from my
> iPhone
>
> On Oct 3, 2012, at 10:26 PM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
>
> > Thanks Brian,
> >
> > How can I see via command line that it listens to which multicast
> > addresses ?
> >
> > On Thu, Oct 4, 2012 at 1:16 PM, Brian McGahan <bmcgahan_at_ine.com> wrote:
> >
> >> It starts listening for OSPF multicast when you turn the OSPF process
> >> on, the same as the routers do.  If it's not running OSPF then it
> >> just ignores those groups.
> >>
> >> Brian McGahan, CCIE #8593 (R&S/SP/Security) bmcgahan_at_INE.com
> >>
> >> Internetwork Expert, Inc.
> >> http://www.INE.com
> >>
> >> -----Original Message-----
> >> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf
> >> Of jeremy co
> >> Sent: Wednesday, October 03, 2012 9:32 PM
> >> To: Cisco certification
> >> Subject: why ASA does NOT need an ACL to form a OSPF neighborship
> >>
> >> Folks,
> >>
> >> Dumb question but seems I can't figure it out.  How come ASA doesn't
> >> need an ACL to permit protocol 89 on outside interface to form ospf
> >> adjacency?
> >>
> >> What is the behind the scene action that it does to form ospf
> >> adjacency ?
> >> Does asa listen to Multicast addresses by default and does not
> >> drop them ?
> >>
> >> I couldn't find relevant info in show asp to find the answer,
> >> appreciate if someone can guide me on this
> >>
> >> Where on CLI I can verify if it listens to multicast ?
> >>
> >> Thanks
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
>
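Added illustration, not taken from any message in this thread: the distinction Brian and Piotr describe, shown as an ASA configuration. The interface ACL governs only through traffic, so denying protocol 89 there has no effect on OSPF hellos addressed to the ASA itself; the 'control-plane' ACL is the one that actually governs to-the-box traffic. Interface names, addresses and ACL names are assumed.

```cisco
! Constructed example; interface name "outside", neighbor 203.0.113.2 and
! the ACL names are assumptions, not values from the thread.

! 1) Interface ACL: applies to TRANSIT traffic only. This deny does NOT stop
!    OSPF hellos destined to the ASA (224.0.0.5 or the interface address),
!    which is why the adjacency forms even without a permit for protocol 89.
access-list OUTSIDE_IN extended deny ospf any any
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside

! 2) To-the-box ACL (control-plane keyword): this is what governs traffic
!    destined to the ASA itself. Accept OSPF only from the intended neighbor
!    and drop OSPF from anyone else; keep the explicit permit ip any any at
!    the end, since a to-the-box ACL also ends in an implicit deny.
access-list OUTSIDE_CP extended permit ospf host 203.0.113.2 any
access-list OUTSIDE_CP extended deny ospf any any
access-list OUTSIDE_CP extended permit ip any any
access-group OUTSIDE_CP in interface outside control-plane

! Caveat: management traffic enabled by protocol-specific commands
! (ssh, telnet, http, icmp ... as Piotr lists) is evaluated by those
! commands, not by this ACL; OSPF has no such command, so it is a good
! candidate for the control-plane ACL.

! 3) Verify: hit counts on OUTSIDE_CP should increase while the ospf deny in
!    OUTSIDE_IN stays at zero for hellos sent to the ASA; the neighbor from
!    203.0.113.2 stays FULL, any other OSPF speaker on that segment does not.
show access-list OUTSIDE_CP
show access-list OUTSIDE_IN
show ospf neighbor
```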
Received on Fri Oct 05 2012 - 06:13:31 ART
