ACL applied on in|out of a port on an ASA

Jason Jackal · ‎03-29-2012

Folks:

I am new to working on ASAs; however, is it possible to apply an ACL to an interface and specify "in|out" command switch? If this is possible, can an example be supplied?

I am trying to limit traffic from my DMZ to my Internal network; however, the previous security engineer configured the method of communciation between DMZ and Internal network via NAT rules, so no routing protocol and static route entry is currently present. Due to the latter I am not able to block traffic travelling from the DMZ to the INternal network.

Jouni Forss · ‎03-29-2012

Hi,

I'm not sure if I understood your question right.

Did you want to change the direction of the ACL is applied between "in" and "out"

Or did you just want to apply an access-list to some interface that still doesnt have one?

Heres a very simple example from my home ASA

access-list LAN-IN extended permit ip 10.0.0.0 255.255.255.0 any

access-list WAN-IN extended deny ip any any log

access-group LAN-IN in interface LAN

access-group WAN-IN in interface WAN

I have always configured the ACLs to be applied to inbound direction on an interface

If I assing the command "access-group WAN-IN out interface WAN" basicly switching the direction parameters the ASA just creates also a rule "out" of the interface and leaves the old "in" direction list too

ASA(config)# sh run access-group

access-group LAN-IN in interface LAN

access-group WAN-IN in interface WAN

access-group WAN-IN out interface WAN

Though as I said I'm not sure I understood you correctly.

- Jouni