ACL applied on in|out of a port on an ASA
03-29-2012 06:04 AM - edited 03-11-2019 03:48 PM
Folks:
I am new to working on ASAs; however, is it possible to apply an ACL to an interface and specify the "in|out" command switch? If this is possible, can an example be supplied?
I am trying to limit traffic from my DMZ to my Internal network; however, the previous security engineer configured the method of communication between the DMZ and the Internal network via NAT rules, so no routing protocol or static route entry is currently present. Due to the latter I am not able to block traffic travelling from the DMZ to the Internal network.
Labels: NGFW Firewalls
03-29-2012 07:26 AM
Hi,
I'm not sure if I understood your question right.
Did you want to change the direction in which the ACL is applied, between "in" and "out"?
Or did you just want to apply an access-list to some interface that still doesn't have one?
Here's a very simple example from my home ASA:
access-list LAN-IN extended permit ip 10.0.0.0 255.255.255.0 any
access-list WAN-IN extended deny ip any any log
access-group LAN-IN in interface LAN
access-group WAN-IN in interface WAN
I have always configured the ACLs to be applied in the inbound direction on an interface.
If I issue the command "access-group WAN-IN out interface WAN", basically switching the direction parameter, the ASA just also creates a rule "out" of the interface and leaves the old "in" direction list too:
ASA(config)# sh run access-group
access-group LAN-IN in interface LAN
access-group WAN-IN in interface WAN
access-group WAN-IN out interface WAN
Though as I said I'm not sure I understood you correctly.
- Jouni
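As an added example that is not part of the original thread, here is what the original poster's goal (block DMZ to Internal, keep everything else the DMZ does working) looks like as an inbound ACL on the DMZ interface. Interface names, security level and the two subnets (Internal 192.168.10.0/24, DMZ 172.16.1.0/24) are assumed for illustration; `object network` requires ASA 8.3 or later, and the `remark` lines are ASA ACL comments.

```text
! Assumed interface; adjust nameif/security-level to match the running config.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50

! Assumed address objects for the two networks in question.
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
object network DMZ-NET
 subnet 172.16.1.0 255.255.255.0

! ACLs are evaluated first-match, so the deny must come before the permit.
access-list DMZ-IN remark Block DMZ hosts from reaching the Internal network
access-list DMZ-IN extended deny ip object DMZ-NET object INSIDE-NET log
access-list DMZ-IN remark Keep DMZ to Internet (and anything else) working
access-list DMZ-IN extended permit ip object DMZ-NET any
! Anything not matched above is dropped by the implicit deny at the end of the list.

! "in" = packets entering the ASA on this interface, i.e. traffic sourced from the DMZ.
! Only one ACL can be bound per interface per direction; this replaces any existing
! inbound ACL on "dmz" but leaves an "out" binding on the same interface untouched.
access-group DMZ-IN in interface dmz

! Verify the bindings and watch the hit counters increment per entry.
show access-group
show access-list DMZ-IN

! Trace a single flow through NAT, routing and the ACL without sending real traffic.
packet-tracer input dmz tcp 172.16.1.10 12345 192.168.10.20 445
```

Two caveats a practitioner will want. First, once any ACL is bound inbound on the DMZ interface, the lower-to-higher security-level default no longer applies on its own; the implicit deny at the end of the list drops everything the ACL does not explicitly permit, which is why the trailing `permit ip object DMZ-NET any` is there. Second, the NAT rules the previous engineer left in place do not prevent filtering: on ASA 8.3 and later, ACLs always match on real (untranslated) addresses, so the Internal subnet is written in the ACL exactly as it appears on the inside; on pre-8.3 images, an inbound ACL on a lower-security interface matches the mapped (translated) destination address instead, so check the version with `show version` before choosing which addresses to put in the deny entry.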
