https://community.cisco.com/t5/network-security/acl-logic-please-confirm/m-p/4761081#M1097131 <P>Yes, all traffic from inside would match the first rule and never match the more specific rules below.</P> Tue, 24 Jan 2023 16:04:41 GMT Rob Ingram 2023-01-24T16:04:41Z https://community.cisco.com/t5/network-security/acl-logic-please-confirm/m-p/4760968#M1097125 <P>ACL logic, please confirm.</P><P>On an ASA 5525...</P><P>"access-list inside_in extended permit tcp host 172.16.0.2 host 1.1.1.1 eq 2222"</P><P><STRONG>Is the following a true statement?</STRONG>... "Host 172.16.0.2 <STRONG>using source port 5678 and destination port 2222</STRONG> will be able to send, and during this same session receive, <STRONG>sftp traffic</STRONG> to and from remote host 1.1.1.1 ."</P><P>Thank you.</P> Tue, 24 Jan 2023 13:43:23 GMT https://community.cisco.com/t5/network-security/acl-logic-please-confirm/m-p/4760968#M1097125 MicJameson1 2023-01-24T13:43:23Z https://community.cisco.com/t5/network-security/acl-logic-please-confirm/m-p/4761017#M1097126 <P>This probably belongs here:&nbsp;<A href="https://community.cisco.com/t5/network-security/bd-p/discussions-network-security" target="_blank">https://community.cisco.com/t5/network-security/bd-p/discussions-network-security</A></P> <P>But yes; source = 172.16.0.2, destination = 1.1.1.1, destination port = TCP/2222, permit</P> Tue, 24 Jan 2023 14:25:21 GMT https://community.cisco.com/t5/network-security/acl-logic-please-confirm/m-p/4761017#M1097126 ahollifield 2023-01-24T14:25:21Z https://community.cisco.com/t5/network-security/acl-logic-please-confirm/m-p/4761043#M1097127 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1443661">@MicJameson1</a> yes and assuming the correct direction and interface is configured - "access-group inside_in <STRONG>in</STRONG> interface <STRONG>inside</STRONG>"</P> Tue, 24 Jan 2023 15:14:32 GMT https://community.cisco.com/t5/network-security/acl-logic-please-confirm/m-p/4761043#M1097127 Rob Ingram 2023-01-24T15:14:32Z https://community.cisco.com/t5/network-security/acl-logic-please-confirm/m-p/4761070#M1097130 <P>I only ask the basic below question because ASAs differ from other Cisco devices, and also the below config already exists in this active production ASA 5525...</P><P>"<STRONG>access-list inside_in extended permit ip any any</STRONG><BR />access-list inside_in extended permit tcp host 172.16.1.5 any eq 2222<BR />access-list inside_in extended permit tcp host 172.16.1.5 any eq ssh<BR />access-list inside_in extended permit tcp host 172.16.1.6 any eq ssh<BR />access-list inside_in extended deny tcp any any eq ssh<BR />access-list inside_in extended permit ip host 172.16.1.5 any"</P><P><STRONG>Doesn't the line "<EM>access-list inside_in extended permit ip any any</EM>" make irrelevant the five lines below it?</STRONG></P><P>Thank you.</P><P>&nbsp;</P> Tue, 24 Jan 2023 15:56:11 GMT https://community.cisco.com/t5/network-security/acl-logic-please-confirm/m-p/4761070#M1097130 MicJameson1 2023-01-24T15:56:11Z https://community.cisco.com/t5/network-security/acl-logic-please-confirm/m-p/4761081#M1097131 <P>Yes, all traffic from inside would match the first rule and never match the more specific rules below.</P> Tue, 24 Jan 2023 16:04:41 GMT https://community.cisco.com/t5/network-security/acl-logic-please-confirm/m-p/4761081#M1097131 Rob Ingram 2023-01-24T16:04:41Z https://community.cisco.com/t5/network-security/acl-logic-please-confirm/m-p/4761104#M1097133 <P>to check acl do<BR />show access-list &lt;&lt;- then check the hitcnt,&nbsp;<BR />hitcnt will give fast review if the ACL permit/deny any traffic.&nbsp;</P> Tue, 24 Jan 2023 16:35:50 GMT https://community.cisco.com/t5/network-security/acl-logic-please-confirm/m-p/4761104#M1097133 MHM Cisco World 2023-01-24T16:35:50Z https://community.cisco.com/t5/network-security/acl-logic-please-confirm/m-p/4761179#M1097144 <P>Hi Rob.</P><P>May you also please answer these two questions?</P><P><STRONG>1.</STRONG> "access-list inside_in extended deny tcp any any eq domain"-- <STRONG>Does this mean any elements that use tcp with a domain instead of an IP address will be blocked by the ACL?</STRONG></P><P><STRONG>2.</STRONG> "access-list inside_in extended deny tcp any any range 137 netbios-ssn"--&nbsp;<STRONG>What does "range 137 netbios-ssn" mean?</STRONG></P><P><STRONG>Thank you.</STRONG></P> Tue, 24 Jan 2023 18:00:37 GMT https://community.cisco.com/t5/network-security/acl-logic-please-confirm/m-p/4761179#M1097144 MicJameson1 2023-01-24T18:00:37Z https://community.cisco.com/t5/network-security/acl-logic-please-confirm/m-p/4761193#M1097147 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1443661">@MicJameson1</a> no, "domain" is the name for DNS over TCP on port 53. So that rule is denying an traffic on tcp/53.</P> <P>"netbios-ssn" is udp/139 - so essentially thats a range of 137-139</P> Tue, 24 Jan 2023 18:09:24 GMT https://community.cisco.com/t5/network-security/acl-logic-please-confirm/m-p/4761193#M1097147 Rob Ingram 2023-01-24T18:09:24Z