Welcome to Cisco Firewalls Community


Beginner

Access-group in ASA 9.x

Hi All,

 

I am learning Cisco ASA. I have a question about applying ACLs.

 

1. access-group <access-list name> in interface <interface name>

2. access-group <access-list name> out interface <interface name>

In the above syntax, I know where I have to use the first command, which applies the ACL in the "in" direction on an interface. But could someone explain to me in what kind of situation we have to use the second command, which applies the ACL in the "out" direction on an interface?
And please explain to me what will happen if I use the second command. Thank you.

1 ACCEPTED SOLUTION
VIP Advisor

Re: Access-group in ASA 9.x

Hi there,

An access-group applied in the 'out' direction affects traffic which is leaving an interface towards its destination.

Typically you want to position your ACLs as close to the source as possible, so they are normally implemented INbound on interfaces.

However, depending on your topology, you may have traffic from multiple sources arriving on different interfaces, where it is easier to create and apply a single ACL in the OUTbound direction as the traffic is routed towards its destination.

 

cheers,

Seb.

3 REPLIES
Beginner

Re: Access-group in ASA 9.x

Thank you very much for the reply, Seb. Can you please share any topology where we can use an "outbound" ACL?

VIP Advisor

Re: Access-group in ASA 9.x

It can be used in any topology; for me it boils down to administrative preference.

 

If I have 20 subnets trying to access a 'server' VLAN, instead of having to edit 20 INbound ACLs on those interfaces, I can instead create a single ACL which will cover the required policy and place it OUTbound on the server VLAN interface.

 

Lessening the administrative overhead must be weighed against the mantra of "placing ACLs as close to the source as possible".

 

cheers,

Seb.
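The two placements Seb describes, written out as an ASA 9.x configuration so the difference is visible side by side. This is an added example and not configuration from the thread; the interface names, addresses, security levels and the port 443 policy are constructed for illustration, with two user VLANs standing in for the "20 subnets" in the reply above.

```cisco
! Added example (not from the thread). Assumed topology, constructed for
! illustration: two user VLANs (inside1, inside2) and one server VLAN (servers).
interface GigabitEthernet0/1
 nameif inside1
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif inside2
 security-level 100
 ip address 10.1.2.1 255.255.255.0
interface GigabitEthernet0/3
 nameif servers
 security-level 80
 ip address 10.10.10.1 255.255.255.0

object-group network USER_SUBNETS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
object-group network SERVERS
 network-object 10.10.10.0 255.255.255.0

! ---- Placement A: one INbound ACL per source interface (closest to the source) ----
! The server policy is repeated once per user interface; any change to that policy
! has to be made on every one of these ACLs. Unwanted traffic is dropped at ingress,
! before the ASA routes it anywhere.
access-list INSIDE1_IN extended permit tcp 10.1.1.0 255.255.255.0 object-group SERVERS eq 443
access-list INSIDE1_IN extended deny ip any object-group SERVERS log
access-list INSIDE1_IN extended permit ip any any
access-group INSIDE1_IN in interface inside1

access-list INSIDE2_IN extended permit tcp 10.1.2.0 255.255.255.0 object-group SERVERS eq 443
access-list INSIDE2_IN extended deny ip any object-group SERVERS log
access-list INSIDE2_IN extended permit ip any any
access-group INSIDE2_IN in interface inside2

! ---- Placement B: a single OUTbound ACL on the server interface ----
! The user interfaces carry no ACL: traffic from security-level 100 towards the
! lower-level servers interface is allowed by default, is routed, and is then
! evaluated against SERVERS_OUT as it leaves towards the servers. One ACL now
! expresses the whole server policy for every source VLAN.
access-list SERVERS_OUT extended permit tcp object-group USER_SUBNETS object-group SERVERS eq 443
! Explicit final deny with logging so dropped flows show up in syslog; an applied
! ACL ends in an implicit deny anyway, so anything else expected to reach the
! servers (for example an admin host) must be permitted above this line.
access-list SERVERS_OUT extended deny ip any any log
access-group SERVERS_OUT out interface servers
```

Both placements enforce the same policy for new connections; the ASA is stateful, so the ACL is evaluated on the first packet of a flow and return traffic is matched by the connection table rather than by either ACL. The trade-off in the last reply is visible in the comments: with placement B an unwanted flow is carried through routing before it is dropped at egress, whereas placement A drops it at the ingress interface. To confirm which ACL a flow hits and in which phase, run `packet-tracer input inside1 tcp 10.1.1.20 40000 10.10.10.5 443` (addresses constructed to match the example) and check hit counts with `show access-list SERVERS_OUT`.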