topic Re: Firewall Extended Access-List Question??? in Network Security

Firewall Extended Access-List Question???

Charlie Mayes — Mon, 11 Mar 2019 17:42:56 GMT

Hello Guys,

I am working with extended ACL's with the Cisco ASA. I know that it is true that a person can only put one ACL in each direction on an interface with a Cisco router but, I want to know if that if this is true with a ASA device? It seems like when ever I attach a different ACL on the same interface in the same direction it removes the previous attached access-group from the interface. I hope I do not have to have one access-list applied with all my rules in it. That could be dangerous if I ever have to remove an entry from the access-list and remove the of entire ACL entry by mistake.

Re: Firewall Extended Access-List Question???

matt.walls — Sun, 09 May 2010 12:33:05 GMT

That is exactly how it works. One ACL to each interface. Only exception is that you can apply a second Ethertype ACL (which can permit special protocols, i.e. BPDU, etc.). If you are doing by hand, then probably best to copy original access-list and access-group, and change the acl name, before changing, so you can quickly revert back to previous. that way you would have new and old rule easy to switch with.

Re: Firewall Extended Access-List Question???

Charlie Mayes — Sun, 09 May 2010 13:02:45 GMT

Ok. So then you are saying that. I can have Access-List Extended 101,102 103 ETC but, I can only have one of them apply to the interface and the others would be only used to define interesting (permit/deny) or some other function that does not require the ACL to be applied to the interface. Oh Yeah thanks for the information about changing the name of the ACL then changing the properties of the ACL and then appling the copy. That is soo sweet. Never even thought of it. Soooo Simple.

Re: Firewall Extended Access-List Question???

Jon Marshall — Sun, 09 May 2010 14:57:35 GMT

iketurner931 wrote:
                       Ok. So then you are saying that. I can have Access-List Extended 101,102 103 ETC but, I can only have one of them apply to the interface and the others would be only used to define interesting (permit/deny) or some other function that does not require the ACL to be applied to the interface. Oh Yeah thanks for the information about changing the name of the ACL then changing the properties of the ACL and then appling the copy. That is soo sweet. Never even thought of it. Soooo Simple.

You can apply 2 acls to each ASA interface, one in the inbound direction and one in the outbound direction.

Jon

Re: Firewall Extended Access-List Question???

Charlie Mayes — Sun, 09 May 2010 15:37:44 GMT

Thanks for everything Matt. I just wanted to make sure I was doing

everything right.

Re: Firewall Extended Access-List Question???

Charlie Mayes — Sun, 09 May 2010 15:38:13 GMT

Thanks for everything Jon. I just wanted to make sure I was doing everything right.