topic Re: ACL vs. Access List Question in Network Security

ACL vs. Access List Question

Brendan Wood — Fri, 21 Feb 2020 17:23:35 GMT

Hello, I'm in the process of setting up a replacement ASA right now and I have a question about access lists.

I have an ACL defined like:

access-list outside_access_in extended permit tcp any object host:srv-dmz-l-prj01 eq 1221

And I have a line like this elsewhere in my config:

access-group outside_access_in in interface outside

My questions would be:

What is the purpose of the access-group statement here?
Would the ACL work on it's own or does it have to be "applied" with the access-group command above?
Should I have a different access-group for each interface? For example, stuff going from public to inside, from public to DMZ, etc.?

I'm very junior with the Cisco ASA, so please dumb down your answers. :

Thanks.

balaji.bandi — Tue, 13 Aug 2019 00:22:24 GMT

Access-lists are created globally and then applied with the access-group command. They can be applied in or outbound.

luis_cordova — Tue, 13 Aug 2019 03:02:29 GMT

What is the purpose of the access-group statement here?

With the access-list command you create the lists in global mode.
With the access-group command you apply the ACL on the interfaces.

Would the ACL work on it's own or does it have to be "applied" with the access-group command above?

ACLs are created in the global mode, but they have no effect if they are not applied to any interface.

Should I have a different access-group for each interface? For example, stuff going from public to inside, from public to DMZ, etc.?

An ACL can be applied in several interfaces, if the indications of that ACL are useful in all such cases.

Regards

Brendan Wood — Tue, 13 Aug 2019 03:24:27 GMT

Very clear and understood. Thanks!

luis_cordova — Tue, 13 Aug 2019 05:42:22 GMT

Remember to mark the correct answers as solved, because that helps other users with similar questions.

Regards