topic Re: diffence between Access rules and ACL Manager in Network Security

diffence between Access rules and ACL Manager

zain_gabon — Mon, 11 Mar 2019 20:32:17 GMT

Dear Support,

Can somebody clarify for me the difference between creating rules using Access rules and using ACL Manager?

when i create a rule graphically, i see it on ASDM and when i create the same rule using cli, i cannot see it on Access rules, i can, only see it on ACL Manager, so it's not clear for between access rules and ACL Manger.

Cout on you

Thanks

Re: diffence between Access rules and ACL Manager

Maykol Rojas — Wed, 11 May 2011 23:25:14 GMT

Hi,

When you create ACL's with the manager, those acls are not applied for permitting or denying traffic on an interface. They are used for matching criteria. For example, to be used no a policy nat, QoS, VPN tunnel interesting traffic etc.

Cheers

Mike.

Re: diffence between Access rules and ACL Manager

zain_gabon — Thu, 12 May 2011 06:39:47 GMT

Hi Mike,

Thanks a lot for you quick response,

That means, if i need to create a policy for permetting trafic, i need to use Access Rules Under Firewall Menu?

Another Thing, when i create a policy with Access rule, it's automatically create a ACL on ACL Manager, Wht this?

Thanks

Re: diffence between Access rules and ACL Manager

varrao — Thu, 12 May 2011 07:02:51 GMT

Hi Zain,

What Mike said is absolutely correct...whenever you are creating an interface ACL you would have to do it from the ACL option, thats why you see ACL's there under each interface.

As per the ACL manager, those ACL's are not used for filtering incoming traffic, rather than matching the traffic in different configuration such as QoS, captures, tunnels. In the ACL manager you would see the ACL's as per their names rather than the interface.Mike was spot on for this.

Thanks,

Varun

Re: diffence between Access rules and ACL Manager

zain_gabon — Thu, 12 May 2011 07:15:31 GMT

Thanks, Varun,

Not really clear for me, First, i just want to allow users in inside network to access to Internet. What to do in this case?

what is the cli command ?

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.10.10.10 255.255.255.0

interface GigabitEthernet0/1
nameif outside
security-level 100
ip address 192.168.2.1 255.255.255.0

The users are behind inside interface

Regards

Re: diffence between Access rules and ACL Manager

varrao — Thu, 12 May 2011 07:20:57 GMT

Hi Zain,

For accessing the internet from inside, you dont need an access-list, because inside interface is your highly secured network (security-level 100) and high security to low secutiy traffic is implicitly allowed.

I woudl also suggest you to plz follow this thread, most of you questions would be answered here:

https://supportforums.cisco.com/thread/2083101?tstart=0

Plz let me know if you have any queries regarding it.

Thanks,

Varun

Re: diffence between Access rules and ACL Manager

varrao — Thu, 12 May 2011 07:29:37 GMT

For internet access you would require the following configuration:

nat (inside) 1 192.168.2.0 255.255.255.0

global (outside) 1 interface

route 0 0

This should be enough for the users to get internet access.

Thanks,

Varun

Re: diffence between Access rules and ACL Manager

zain_gabon — Thu, 12 May 2011 07:33:17 GMT

Thanks Varun,

I have already read the think you send to me.

Sorry, it' not clear for me. i' have a cisco ASA 5520 on my table for making test.

i'm doing many scenarios and have many differences. Creating policy using CLI and ASDM and i don't have the same result, it's confused for me.

For example, i want to allow trafic from internet to go to smtp server which located on dmz (i did correctly the static nat), sometime i see a access-list under ACL, but nothing on Access Rules and vis versa.

Regards

Re: diffence between Access rules and ACL Manager

varrao — Thu, 12 May 2011 07:40:34 GMT

Hi Zain,

Lets take up your requirement one by one, and try and configure it through CLI(we'll leave the ASDM for a while).

If your SMTP server is on the DMZ then you would need to configure the following:

static (dmz,outside) < Real ip of server>

access-list outside_access_in extended permit tcp any host eq 25

access-list outside_access_in extended permit tcp any host eq 110

access-group outside_access_inin interface outside

Let me know what your other requirement is.

You might have missed this command:

access-group outside_access_inin interface outside

this applies the ACL on outside interface.

Thanks,

Varun

Re: diffence between Access rules and ACL Manager

zain_gabon — Thu, 12 May 2011 08:07:07 GMT

It's work Fine,

Thanks a lol Varun for your precious Help,

The problem was to apply the ACL on the Interface.

access-group outside_access_in in interface outside

Many Thanks, i understand,

Re: diffence between Access rules and ACL Manager

varrao — Thu, 12 May 2011 08:18:37 GMT

No problem Zain , let me know if you get stuck anywhere, you can post on this thread only.

Thanks,

Varun

Re: diffence between Access rules and ACL Manager

zain_gabon — Thu, 12 May 2011 09:55:26 GMT

Dear Varun,

To close with my interrogation, please, how many access-group we can have by interface?

Regards

Re: diffence between Access rules and ACL Manager

varrao — Thu, 12 May 2011 10:01:33 GMT

Zain,

You can only have one access-group per interface, so if you have 3 interfaces then you can create just 3 access-groups, one for each interface.

For multiple ACL's on same interface, just keep the same names for them:

access-list DMZ_in extended permit tcp host 192.168.2.80 host 192.168.1.12 eq smtp
access-list DMZ_In extended permit tcp host 192.168.2.80 host 192.168.36.7 eq smtp
access-list DMZ_In extended permit tcp host 192.168.2.80 host 192.168.58.12 eq smtp
access-list DMZ_In extended permit tcp host 192.168.2.80 host 192.168.8.21 eq smtp
access-list DMZ_In extended permit udp host 192.168.2.100 host 192.168.15.2
access-list DMZ_In extended permit ip host 192.168.2.100 host 192.168.100.1
access-list DMZ_In extended permit ip host 192.168.2.10 192.168.116.0 255.255.255.0

access-group DMZ_In in interface DMZ

Hope this helps you.

Thanks,

Varun

Re: diffence between Access rules and ACL Manager

zain_gabon — Thu, 12 May 2011 10:06:38 GMT

Many Thanks,

With your help, i understand my Cisco ASA

Regars

Re: diffence between Access rules and ACL Manager

andamani — Thu, 12 May 2011 12:59:23 GMT

Hi Zain,

You can have to access-group per interface.

1. inbound

2. outbound

E.g. access-list test extended permit ip any any
access-group test in interface inside
access-group test out interface inside

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Re: diffence between Access rules and ACL Manager

zain_gabon — Fri, 13 May 2011 06:45:35 GMT

Dear Anisha,

Many Thanks for your help, this really help me

Regards

Re: diffence between Access rules and ACL Manager

zain_gabon — Sat, 14 May 2011 06:30:35 GMT

Dear Anisha,

Thanks for you help, but i want to know what is the difference between theses lines:

access-group test in interface inside
access-group test out interface inside

when we need to use IN and when to use OUT ?

Regards

Re: diffence between Access rules and ACL Manager

varrao — Sat, 14 May 2011 07:06:10 GMT

Hi Zain,

Its the difference of the direction of traffic flow out of the interface,i if the traffic is in ingress direction, then we use in interafce inside but if we want to apply

ACL for traffic going out of the interface we use out interface inside. Here is a sdmqall diagram:

outside-------------------ASA--------------------Inside

-------------------------->

out interafce inside

outside--------------------ASA-------------------Inside

<-------------------------------

in interafce inside

I hope this would help you in understanding it better.

Thanks,

Varun

Re: diffence between Access rules and ACL Manager

varrao — Sat, 14 May 2011 07:11:47 GMT

Hi Zain,

This should clear out things better:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/command/reference/a1.html#wp1558618

Thanks,

Varun

Re: diffence between Access rules and ACL Manager

zain_gabon — Sat, 14 May 2011 07:23:48 GMT

Hi Varun,

it's very clear and thanks,

in my case, i want to allow outside trafic comming from Internet to my web server located in dmz, the direction of trafic will be out interface outside?

Internet-----------ASA------------dmz

-------------------------------------> trafic is from internet to my asa

here is my access-list and access-group

access-list outside_access_in extended permit tcp any host eq www

access-group outside_access_in in interface out

why the access-group is in "IN" ?