Access-group in ASA 9.x

tech_gubby
Level 1

Hi All,

 

I am learning Cisco ASA. I have a question about applying an ACL.

 

1.access-group <access-list name> in interface <interface name>

2.access-group <access-list name> out interface <interface name>

In the above syntax, I know where I have to use the first command, which will configure the ACL on the "in" side of the interface. But could someone explain to me in what kind of situation we have to use the second command, which will configure the ACL on the "out" side of the interface?
And please explain to me what will happen if I use the second command. Thank you

Accepted Solution

Seb Rupik
VIP Alumni

Hi there,

An access-group applied in the 'out' direction affects traffic which is leaving an interface towards its destination.

Typically you want to position your ACLs as close to the source as possible, so they are normally implemented INbound on interfaces.

However, depending on your topology, you may have traffic from multiple sources arriving on different interfaces, where it is easier to create and apply a single ACL in the OUTbound direction as it is routed towards its destination.

 

cheers,

Seb.


3 Replies


Thank you very much for the reply Seb. Can you please share any topology where we can use "outbound" acl?

It can be used in any topology; for me it boils down to administrative preference.

 

If I have 20 subnets trying to access a 'server' VLAN, instead of having to edit 20 INbound ACLs on those interfaces, I can instead create a single ACL which will cover the required policy and place it OUTbound on the server VLAN interface.

 

Lessening the administrative overhead must be weighed against the mantra of "placing ACLs as close to the source as possible".

 

cheers,

Seb.
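The two placements Seb describes, written out as an added ASA 9.x configuration example (constructed for this thread, not posted by Seb or taken from any real device). Interface names (users1, users2, servers), the object-group names, the 10.1.x.0 user subnets and the 10.9.0.0/24 server subnet are all assumptions; only two of the twenty user interfaces are shown.

```cisco
! Constructed example: user subnets reaching a server VLAN through an ASA.
! Assumed interfaces: users1, users2 (one per user subnet) and servers.
object-group network USER-SUBNETS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
object-group network APP-SERVERS
 network-object 10.9.0.0 255.255.255.0

! Option A: one INbound ACL per user interface, closest to the source.
! With 20 user interfaces this is 20 ACLs to keep in step with each other.
access-list USERS1-IN extended permit tcp 10.1.1.0 255.255.255.0 object-group APP-SERVERS eq 443
access-list USERS1-IN extended deny ip any any log
access-group USERS1-IN in interface users1

access-list USERS2-IN extended permit tcp 10.1.2.0 255.255.255.0 object-group APP-SERVERS eq 443
access-list USERS2-IN extended deny ip any any log
access-group USERS2-IN in interface users2

! Option B: a single OUTbound ACL on the server VLAN interface.
! It is evaluated as traffic exits towards the servers, whichever interface
! it arrived on, so the policy lives in one place.
access-list SERVERS-OUT extended permit tcp object-group USER-SUBNETS object-group APP-SERVERS eq 443
access-list SERVERS-OUT extended deny ip any any log
access-group SERVERS-OUT out interface servers

! Verify which entries are actually matching (hit counts per line).
show access-list SERVERS-OUT
```

Option B does not change what the ASA accepts on the user interfaces: with no inbound ACL, the usual security-level rules still decide whether a flow enters at all, and the outbound ACL only filters what is then routed out towards the server VLAN. Because the implicit deny of the outbound ACL applies to everything leaving that interface, keep the deny line logged so blocked flows remain visible in syslog.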
