This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Cisco ASA to Palo Alto

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cisco ASA to Palo Alto

SureshBalaji
L0 Member

‎04-07-2020 03:51 PM

Hi Team, we recently migrated from cisco ASA to Palo Alto 3220, where for one of the policy in cisco ASA has " access-list inside-egress extended permit ip any any", And this access-list is attached to the access-group to the interface "inside". as you can see below.

"access-group inside-egress out interface inside"

as per my understanding from cisco perspective for this access group the traffic which egresses out of the interface named "inside", should evaluate the against the access-list "inside-egress". The following are the access-list related to inside-egress.   

 

access-list inside-egress extended permit icmp host 10.197.37.212 host 10.15.126.119
access-list inside-egress extended permit tcp host 10.16.17.9 host 10.15.4.84 eq 5707 log interval 1
access-list inside-egress extended permit ip any any

 

When it is converted to Palo Alto, for the " access-list inside-egress extended permit ip any any"  tool created a policy stating 

Source zone - any, Source subnet- any to destination-subnet- any, destination-zone - "inside" with allow action.

 

Basically anything from anywhere were allowed to inside zone (which is dangerous wide open policy).

 

How we can rectify this, need your advise, for the access-group with "out" attached to the interface and having "permit ip any any" accesslist.

 

 

 

 

0 Likes Likes
2 REPLIES 2

SutareMayur
L6 Presenter

‎04-08-2020 04:24 AM

@SureshBalaji

 

First of all, you shouldn't allow anything coming any destination  zone with source any. I would recommend you to go through the the networks those need to be allowed and allow required subnets only, that too with specific zones. 

 

Mayur 

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks
0 Likes Likes

johnde
L2 Linker

‎04-08-2020 04:43 AM

@SureshBalaji Your security policy should not configure with any any. At least you should restrict policy for specific zones.

 

I am fully agreed with @SutareMayur .

 

 

0 Likes Likes
  • 2317 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks