topic ASA ACLs in Network Security

ASA ACLs

xayavongp — Mon, 11 Mar 2019 23:39:55 GMT

I would like to add an extended ACL line (in order to use objects) to an existing named standard ACL. I think this should be possible ?

access-list <name1> standard permit < >

access-list <name1> extended permit < > < >

access-list <name1> standard deny any

Would I also need to add an extended deny ip any any for it to process the extended lines at the end ? I assume the standard can but won't look at destination ?

Thanks in advance,

Pete

ASA ACLs

Jennifer Halim — Thu, 09 Aug 2012 13:01:26 GMT

You can't have the same ACL with both standard and extended line in it.

Where do you assign the access-list?

To answer your question, you don't need to configure "deny any" or "deny ip any any" because at the end of the access-list, there is an implicit deny, so you don't need to explicitly configure "deny any" or "deny ip any any.

ASA ACLs

xayavongp — Thu, 09 Aug 2012 13:58:27 GMT

Can you point me to a document or reference? This ACL is a multicast boundary ACL.

The exisiting ACL is standard. So if this is true I would need to make that all extended since I can't mix standard and extended ACL. It would easier (with objects) to have 4 lines versus 30 lines in the ACL.

ASA ACLs

riderfaiz — Thu, 09 Aug 2012 17:52:28 GMT

Hi Xayavonqp

I am not very good at ACL but my work needs it Jennifer is right... you cannot have standard and extended together in a same ACL set.

If you want to add some entries to a current acl...what I would do usually is:

1.) Do a "show access-list (acl name or number). And copy them on a notepad or so.

2.) In the ACL List, you will see line numbers for each entry... This may be important if you want which acl entry prior to reach first...as you know the cisco device read and analyze each entry one by one by the orders. Remember, the implicit is always deny any any at the end of any acls.

3.) Create a entry with the line number (eg:access-list name line 50 extended permit tcp any host.....)

4.) The entry you add would not over written the same numbe of line (for example in this case is 50), instead those current entries would be put down one more (like adding a row in Excel in a table, in this case, the original entry line number with 50 now will turn to be 51, and the new one you add will be line 50).

Personally...to review access list on a fw, I like to use GUI...as it is easier to review and modify if you have over hundred and hundred lines there.

I hope you understand what I tried to say Good luck!

Takami chiro

ASA ACLs

Jennifer Halim — Fri, 10 Aug 2012 04:12:40 GMT

what device are you configuring the acl on, and what is the version of the device?

ASA ACLs

xayavongp — Thu, 06 Sep 2012 20:58:39 GMT

Sorry for the late replies but I just went ahead and converted it all to extended ACLs.