topic Re: ASA access group in and out on same interface in Network Security

ASA access group in and out on same interface

venger — Fri, 21 Feb 2020 15:50:41 GMT

ASA CLI Book says: "You can configure one access-group command per ACL type per interface per direction."

Does this mean one command per interface, or one command per direction?

Can we add two rules on outside interface? Sg like this:

access-list OUTSIDE_IN permit tcp any host 209.165.201.3 eq 80

access-group OUTSIDE_IN in interface outside

access-list INSIDE_OUT permit ip any any

access-group INSIDE_OUT out interface outside

Re: ASA access group in and out on same interface

Dennis Mink — Mon, 04 Jun 2018 00:35:01 GMT

you could do it the way you described, but typically you wouldnt find that way of configuring.

so for instance, if you are internal and want to go to the internet, using the outside interface of your FW. you would stick an ACL . access-group in on your inside interface to restrict traffic to the internet this way you dont need to define an access-group out on your outside, because you have already restricted traffic on your inside interface.

typically on a FW you have an access group in on: DMZ if. inside if and outside if, so 3 in total

Re: ASA access group in and out on same interface

venger — Tue, 05 Jun 2018 21:57:47 GMT

Got it thanks. There's a couple of inside networks and all have some services permitted in common to go outside. So I thought its easier (makes more sense) to put that on outside out once than to put it on every network and deny each other networks from reaching to all other networks on these services. Thats the idea behind it. I didint go to this detail with the example, sorry.