https://community.cisco.com/t5/network-security/quick-acl-question-on-asa/m-p/1717866#M557999 <HTML><HEAD></HEAD><BODY><P>Thank you very much for the response.&nbsp; That was what I thought was going to happen.</P><P></P><P>Also thanks for reminding me about the access-group.&nbsp; Guess I should wake up a bit more before asking questions!</P><P></P><P>Thanks again.</P></BODY></HTML> Wed, 13 Apr 2011 12:40:38 GMT galloway13 2011-04-13T12:40:38Z https://community.cisco.com/t5/network-security/quick-acl-question-on-asa/m-p/1717864#M557996 <P>I think I know the answer to this but just wanted to confirm it.</P><P></P><P>If I am using an ASA5505, and I have a configuration similar to below, I see that the untrusted interface is only allowed to ftp to 192.168.1.5. Since the trusted interface is not limited to ftp only can it basically run any protocol it wants to 10.20.30.2, or does it get limited to only ftp by the other ACL on returning packets.</P><P></P><P>Also, is the ACL applied to the interface because the ACL's name is the name of the interface?</P><P></P><P>interface gig1/1</P><P>nameif trusted</P><P>security-level 100</P><P>ip address 192.168.1.2</P><P></P><P>interface gig1/2</P><P>nameif untrusted</P><P>security-level 0</P><P>ipaddress 10.20.30.1</P><P></P><P></P><P>access-list trusted extended permit ip host 192.168.1.5 host 10.20.30.2</P><P>access-list untrusted extended permit tcp host 10.20.30.2 host 192.168.1.5 eq ftp</P><P></P><P>Thanks,</P><P></P><P>Jay</P> Mon, 11 Mar 2019 20:20:10 GMT https://community.cisco.com/t5/network-security/quick-acl-question-on-asa/m-p/1717864#M557996 galloway13 2019-03-11T20:20:10Z https://community.cisco.com/t5/network-security/quick-acl-question-on-asa/m-p/1717865#M557998 <HTML><HEAD></HEAD><BODY><P>Hi Jay,</P><P></P><P>The access-list needs to be applied to an interface. You use the <STRONG>access-group</STRONG> command to do that.</P><P>access-group <ACCESS-LIST name=""> <DIRECTION> interface <INTERFACE name=""></INTERFACE></DIRECTION></ACCESS-LIST></P><P>ex: access-group trusted in interface trusted would apply the "trusted" access-list on the trusted interface.</P><P></P><P>For TCP traffic, the replies are allowed without checking the ACL entry. So it is not restricted to only FTP for the trusted side.</P><P></P><P>The reason is, that a connection entry already exists when the initial SYN packet goes from trusted to untrusted.</P><P>When return traffic comes, first the connection table is looked up. If a connection entry is not found,&nbsp; then only will the access-list be checked. If the entry is found, then traffic is allowed to go through.</P><P></P><P>Thus for things like ICMP(which is non-TCP), you need to have "inspect icmp" in the global policy map, else the ICMP replies are denied, since only ftp is allowed from untrusted to trusted access-list.</P><P></P><P>Hope this helps.</P><P></P><P>-Shrikant</P><P></P><P>P.S.: Please mark the question as answered, if it has been resolved. Do rate helpful posts. Thanks.</P></BODY></HTML> Wed, 13 Apr 2011 12:31:34 GMT https://community.cisco.com/t5/network-security/quick-acl-question-on-asa/m-p/1717865#M557998 Shrikant Sundaresh 2011-04-13T12:31:34Z https://community.cisco.com/t5/network-security/quick-acl-question-on-asa/m-p/1717866#M557999 <HTML><HEAD></HEAD><BODY><P>Thank you very much for the response.&nbsp; That was what I thought was going to happen.</P><P></P><P>Also thanks for reminding me about the access-group.&nbsp; Guess I should wake up a bit more before asking questions!</P><P></P><P>Thanks again.</P></BODY></HTML> Wed, 13 Apr 2011 12:40:38 GMT https://community.cisco.com/t5/network-security/quick-acl-question-on-asa/m-p/1717866#M557999 galloway13 2011-04-13T12:40:38Z