Cisco ASA to Palo Alto


Hi Team, we recently migrated from Cisco ASA to Palo Alto 3220, where one of the policies in the Cisco ASA has "access-list inside-egress extended permit ip any any", and this access-list is attached via an access-group to the interface "inside", as you can see below.

"access-group inside-egress out interface inside"

As per my understanding, from the Cisco perspective, for this access-group the traffic which egresses out of the interface named "inside" should be evaluated against the access-list "inside-egress". The following are the access-list entries related to inside-egress.

access-list inside-egress extended permit icmp host 10.197.37.212 host 10.15.126.119
access-list inside-egress extended permit tcp host 10.16.17.9 host 10.15.4.84 eq 5707 log interval 1
access-list inside-egress extended permit ip any any

When it is converted to Palo Alto, for the "access-list inside-egress extended permit ip any any" the tool created a policy stating:

Source zone - any, source subnet - any to destination subnet - any, destination zone - "inside", with allow action.

Basically anything from anywhere was allowed to the inside zone (which is a dangerously wide-open policy).

How can we rectify this? I need your advice for the access-group with "out" attached to the interface and having a "permit ip any any" access-list.
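The mapping described in this post, as an added example that is not part of the thread or of any migration tool: it parses the quoted ACL and access-group lines, applies the "out interface inside" semantics (destination zone inside, source zone any) and flags the permit ip any any entry that needs to be replaced by subnet- and zone-scoped rules. Function and field names (parse_asa, to_zone_rules, needs_review) are constructed for this example.

```python
# Constructed input: the ACL and access-group lines quoted in the question.
ASA_CONFIG = """
access-list inside-egress extended permit icmp host 10.197.37.212 host 10.15.126.119
access-list inside-egress extended permit tcp host 10.16.17.9 host 10.15.4.84 eq 5707 log interval 1
access-list inside-egress extended permit ip any any
access-group inside-egress out interface inside
"""


def parse_addr(tokens):
    """Consume one ASA address operand: 'any', 'host X', or 'NETWORK MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return "any"
    return tokens.pop(0) if tok == "host" else f"{tok} {tokens.pop(0)}"


def parse_asa(config):
    """Return ({acl_name: [ACE dicts]}, {acl_name: {direction, interface}})."""
    acls, groups = {}, {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "access-list" and t[2] == "extended":
            rest = t[5:]
            src, dst = parse_addr(rest), parse_addr(rest)
            port = rest[1] if rest[:1] == ["eq"] else None  # 'log interval 1' etc. is ignored
            acls.setdefault(t[1], []).append(
                {"action": t[3], "proto": t[4], "src": src, "dst": dst, "port": port})
        elif t[0] == "access-group":  # access-group <acl> in|out interface <ifname>
            groups[t[1]] = {"direction": t[2], "interface": t[4]}
    return acls, groups


def to_zone_rules(acls, groups):
    """Map ACEs to zone rules. An 'out' group filters traffic leaving the
    interface, so that zone is the destination and the source zone is any;
    'in' is the reverse. Permit ip any->any entries are flagged for review."""
    rules = []
    for acl, g in groups.items():
        for i, ace in enumerate(acls.get(acl, []), 1):
            out = g["direction"] == "out"
            svc = f"{ace['proto']}/{ace['port']}" if ace["port"] else ace["proto"]
            rules.append({
                "name": f"{acl}-{i}",
                "from_zone": "any" if out else g["interface"],
                "to_zone": g["interface"] if out else "any",
                "source": ace["src"], "destination": ace["dst"], "service": svc,
                "action": "allow" if ace["action"] == "permit" else "deny",
                "needs_review": ace["action"] == "permit" and ace["proto"] == "ip"
                and ace["src"] == "any" and ace["dst"] == "any",
            })
    return rules
```

Running to_zone_rules over parse_asa(ASA_CONFIG) yields three rules; only the third (from any to inside, any/any, service ip) is flagged, which is the rule the replies say must be narrowed to specific zones and subnets.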


Re: Cisco ASA to Palo Alto

@SureshBalaji

 

First of all, you shouldn't allow anything coming to any destination zone with source any. I would recommend you go through the networks that need to be allowed and allow the required subnets only, and only with specific zones.

 

Mayur 

Re: Cisco ASA to Palo Alto

@SureshBalaji Your security policy should not be configured with any any. At least you should restrict the policy to specific zones.

 

I fully agree with @SutareMayur.
