Security


user and any in Mobility Controller firewall policies

  • 1.  user and any in Mobility Controller firewall policies

    Posted Sep 25, 2025 10:08 AM

    Hello everyone,

    Recently I have had some doubts regarding ACLs.

    1 - What is the difference using "user" and "any" and what is the best use case for both?

    2 - Does using "user" as source allow traffic in the opposite direction? For example, if I create an ACL like "user network 10.0.0.0 255.0.0.0 any permit", will it allow traffic from the network to the user, or do I need to create an ACL like "network 10.0.0.0 255.0.0.0 user any permit" to allow this communication?

    3 - Using these two ACLs:

    user network 10.0.0.0 255.0.0.0 any permit

    network 10.0.0.0 255.0.0.0 user any permit

    Do they work the same way as this one? If yes, what is the best practice?

    any network 10.0.0.0 255.0.0.0 any permit

    Thanks in advance



    ------------------------------
    Otavio Fernandes
    ------------------------------


  • 2.  RE: user and any in Mobility Controller firewall policies
    Best Answer

    Posted Sep 25, 2025 03:13 PM

    I'm going to speak to the way "user" is supposed to be used; unfortunately, there are some versions where the functionality was changed and later reverted back.

    User is an alias for the actual user session and when evaluating policy will only resolve to the user that the policy is being evaluated against.  Access lists in AOS are stateful/reflexive, the session is always tracked so that return traffic can be allowed.

    Any is just that, an alias for everything.

    The difference between the two is that User is required to evaluate to the session/user/ip that the policy is evaluating to allow traffic to.  Any allows for traffic to targets that aren't valid within the user table.

    There are some additional considerations required when using role-to-role policies that I'll not get into here, to hopefully avoid confusion.

    So for your examples, if the intention is to allow a known user of the system to access resources on the 10.0.0.0/8 network the usage is just:

    user network 10.0.0.0 255.0.0.0 any permit



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
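
As an added illustration (editor's example, not part of the thread and not AOS code), the following Python model captures the semantics the answer above describes: "user" resolves only to the IP of the user whose session the policy is being evaluated for, "any" matches everything, and a permitted flow is recorded so that its return traffic is allowed without a reverse rule. The session table keyed on (src, dst) only, the tiny rule grammar (user / any / network A.B.C.D mask, service "any", permit/deny) and the sample addresses are assumptions constructed for this example, not a description of how the controller actually implements its firewall.

```python
# Toy model of a stateful (reflexive) session ACL, written to illustrate the
# "user" vs "any" discussion in the thread above. ASSUMPTION: this is a
# simplified model, not the Mobility Controller's real implementation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: object      # "user", "any" or an IPv4Network
    dst: object
    action: str      # "permit" or "deny"


def _take_alias(toks, i):
    """Consume one alias from the token list; returns (alias, next index)."""
    if toks[i] in ("user", "any"):
        return toks[i], i + 1
    if toks[i] == "network":
        # AOS-style "network <address> <mask>"; ip_network accepts "addr/mask".
        return ip_network(f"{toks[i + 1]}/{toks[i + 2]}", strict=False), i + 3
    raise ValueError(f"unsupported alias: {toks[i]}")


def parse_rule(text):
    """Parse '<src> <dst> <service> <action>' for the aliases used in the thread."""
    toks = text.split()
    src, i = _take_alias(toks, 0)
    dst, i = _take_alias(toks, i)
    service, action = toks[i], toks[i + 1]
    if service != "any" or action not in ("permit", "deny"):
        raise ValueError(f"unsupported service/action in: {text}")
    return Rule(src, dst, action)


def _matches(alias, addr, user_ip):
    if alias == "any":
        return True                  # "any" is an alias for everything
    if alias == "user":
        return addr == user_ip       # "user" resolves only to this session's user
    return addr in alias             # explicit network


class SessionFirewall:
    """Evaluates a rule list for one user's session and tracks permitted flows."""

    def __init__(self, rules, user_ip):
        self.rules = [parse_rule(r) for r in rules]
        self.user_ip = ip_address(user_ip)
        self.sessions = set()        # tracked (src, dst) flows

    def check(self, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        # Reflexive behaviour: return traffic of a tracked flow is allowed
        # without consulting the rules again.
        if (dst, src) in self.sessions:
            return ("permit", "session")
        for rule in self.rules:
            if _matches(rule.src, src, self.user_ip) and _matches(rule.dst, dst, self.user_ip):
                if rule.action == "permit":
                    self.sessions.add((src, dst))
                return (rule.action, "rule")
        return ("deny", "implicit")  # implicit deny at the end of the list


# Constructed sample flows; 192.168.1.50 is the user the policy is evaluated for.
FLOWS = [
    ("192.168.1.50", "10.1.2.3"),    # user -> network
    ("10.1.2.3", "192.168.1.50"),    # network -> user, return traffic of the flow above
    ("10.9.9.9", "192.168.1.50"),    # network -> user, unsolicited
    ("192.168.1.51", "10.1.2.3"),    # another host -> network (not this user's session)
]

POLICY_USER_ONLY = ["user network 10.0.0.0 255.0.0.0 any permit"]
POLICY_BOTH_DIRECTIONS = POLICY_USER_ONLY + ["network 10.0.0.0 255.0.0.0 user any permit"]
POLICY_ANY = ["any network 10.0.0.0 255.0.0.0 any permit"]


def evaluate(rules, flows=FLOWS, user_ip="192.168.1.50"):
    """Run the flows in order through a fresh firewall and return the verdicts."""
    fw = SessionFirewall(rules, user_ip)
    return [fw.check(src, dst) for src, dst in flows]


if __name__ == "__main__":
    for name, policy in [("user only", POLICY_USER_ONLY),
                         ("both directions", POLICY_BOTH_DIRECTIONS),
                         ("any", POLICY_ANY)]:
        print(name, evaluate(policy))
```

Running it shows the three points from the thread in one place: with the single "user ... permit" rule the return packet is allowed by the session table, an unsolicited connection from the network to the user is still denied, and the "any" variant additionally permits traffic from a host that is not the user at all, which is why "user" is the tighter choice when the intent is simply to let a known user reach the 10.0.0.0/8 network.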