ACL vs. Access List Question

Brendan Wood
Level 1

Hello, I'm in the process of setting up a replacement ASA right now and I have a question about access lists.

I have an ACL defined like: 

access-list outside_access_in extended permit tcp any object host:srv-dmz-l-prj01 eq 1221

And I have a line like this elsewhere in my config:

access-group outside_access_in in interface outside

My questions would be:

  1. What is the purpose of the access-group statement here?
  2. Would the ACL work on its own or does it have to be "applied" with the access-group command above?
  3. Should I have a different access-group for each interface?  For example, stuff going from public to inside, from public to DMZ, etc.?

I'm very junior with the Cisco ASA, so please dumb down your answers.

Thanks.

Accepted Solution

luis_cordova
VIP Alumni

Hi @Brendan Wood ,

What is the purpose of the access-group statement here?

With the access-list command you create the lists in global mode.
With the access-group command you apply the ACL on the interfaces.

Would the ACL work on it's own or does it have to be "applied" with the access-group command above?

ACLs are created in the global mode, but they have no effect if they are not applied to any interface.

Should I have a different access-group for each interface?  For example, stuff going from public to inside, from public to DMZ, etc.?

An ACL can be applied on several interfaces, if the indications of that ACL are useful in all such cases.

Regards

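To make the accepted answer concrete, here is a small audit script, added as an example and not part of the original thread or of any Cisco tool. It reads an ASA running-config fragment, collects every access-list by name, collects every access-group line, and reports which ACLs are actually applied (and where), which are defined but never applied (and therefore filter nothing, which is the point of question 2), and which names an access-group references without a matching definition in the file. The sample config is constructed: the first access-list line and the access-group line are the two quoted in the question (kept verbatim, including the object name as posted); the object definition, the dmz_access_in ACL and the unused legacy_acl are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample running-config. The first access-list line and the
# access-group line are the two the poster quoted; everything else
# (the object, the dmz ACL and the unused "legacy_acl") is made up here.
SAMPLE_CONFIG = """\
object network srv-dmz-l-prj01
 host 10.10.20.15
access-list deny-flow-max 4096
access-list outside_access_in remark Project server, TCP/1221 from Internet
access-list outside_access_in extended permit tcp any object host:srv-dmz-l-prj01 eq 1221
access-list outside_access_in extended deny ip any any log
access-list dmz_access_in extended permit tcp object host:srv-dmz-l-prj01 any eq 443
access-list dmz_access_in extended deny ip any any log
access-list legacy_acl extended permit ip any any
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
"""

# "access-list" also introduces two global settings that are not ACL names.
ACL_GLOBALS = {"alert-interval", "deny-flow-max"}

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(.*)$")
# access-group <acl> in|out interface <ifname>   or   access-group <acl> global
GROUP_RE = re.compile(
    r"^access-group\s+(\S+)\s+(?:(in|out)\s+interface\s+(\S+)|(global))\s*$"
)


def parse_acls(config):
    """Return {acl_name: [ace_text, ...]} for every ACL defined in the config.
    Remark lines are not counted as ACEs; they carry no policy."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        if name in ACL_GLOBALS:
            continue
        acls.setdefault(name, [])  # an ACL that only has remarks still exists
        if not rest.startswith("remark"):
            acls[name].append(rest)
    return acls


def parse_access_groups(config):
    """Return [(acl_name, direction, interface)] for each access-group line.
    A global access-group is reported as direction 'global', interface None."""
    groups = []
    for line in config.splitlines():
        m = GROUP_RE.match(line.strip())
        if not m:
            continue
        name, direction, iface, is_global = m.groups()
        if is_global:
            groups.append((name, "global", None))
        else:
            groups.append((name, direction, iface))
    return groups


def audit(config):
    """Cross-reference ACL definitions with access-group applications.
    'unapplied' ACLs exist in the config but filter no traffic;
    'missing' names are applied by access-group but not defined in this file."""
    acls = parse_acls(config)
    applied = defaultdict(list)
    for name, direction, iface in parse_access_groups(config):
        applied[name].append((direction, iface))
    return {
        "applied": dict(applied),
        "unapplied": sorted(n for n in acls if n not in applied),
        "missing": sorted(n for n in applied if n not in acls),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for name, uses in sorted(report["applied"].items()):
        for direction, iface in uses:
            where = "globally" if iface is None else f"{direction} on interface {iface}"
            print(f"{name}: applied {where}")
    for name in report["unapplied"]:
        print(f"{name}: defined but never applied with access-group, so it has no effect")
    for name in report["missing"]:
        print(f"{name}: referenced by access-group but not defined in this config")
```

On the sample, legacy_acl is reported as unapplied and the two DMZ/outside ACLs as applied inbound on their interfaces. On the box itself the equivalent checks are `show running-config access-group` (what is applied where) and `show access-list <name>` (per-ACE hit counts, which stay at zero for an ACL nobody applied). Two caveats worth knowing before applying per-interface ACLs as in question 3: an interface takes one ACL per direction, so a second access-group in the same direction replaces the first; and as soon as any ACL is applied inbound on an interface, the implicit deny at its end drops everything not explicitly permitted, including traffic from higher-security to lower-security interfaces that the ASA would otherwise allow by default.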

4 Replies

balaji.bandi
Hall of Fame

Access-lists are created globally and then applied with the access-group command. They can be applied inbound or outbound.

BB


Very clear and understood.  Thanks!

Hi @Brendan Wood ,

Remember to mark the correct answers as solved, because that helps other users with similar questions.

Regards
