08-12-2019 05:17 PM - edited 02-21-2020 09:23 AM
Hello, I'm in the process of setting up a replacement ASA right now and I have a question about access lists.
I have an ACL defined like:
access-list outside_access_in extended permit tcp any object host:srv-dmz-l-prj01 eq 1221
And I have a line like this elsewhere in my config:
access-group outside_access_in in interface outside
My questions would be:
I'm very junior with the Cisco ASA, so please dumb down your answers.
Thanks.
08-12-2019 08:02 PM
Hi @Brendan Wood ,
What is the purpose of the access-group statement here?
With the access-list command you create the lists in global mode.
With the access-group command you apply the ACL on the interfaces.
Would the ACL work on its own or does it have to be "applied" with the access-group command above?
ACLs are created in the global mode, but they have no effect if they are not applied to any interface.
Should I have a different access-group for each interface? For example, stuff going from public to inside, from public to DMZ, etc.?
An ACL can be applied on several interfaces, if the indications of that ACL are useful in all such cases.
Regards
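The point of the answer above, that an access-list only does something once an access-group binds it to an interface, is easy to get wrong on a freshly rebuilt ASA: a typo in the ACL name or a forgotten access-group line leaves the interface with no inbound filter at all (and an unbound ACL that looks like it is protecting something). The following script is an added example, not code from the thread or from Cisco. It audits a saved running-config as plain text, offline, and reports ACLs that are defined but never bound, access-group lines that reference a nonexistent ACL, interfaces (by nameif) with no inbound ACL, and duplicate bindings, since the ASA accepts only one ACL per interface per direction. The sample config is constructed for this example; the hostnames, object name and addresses in it are made up and are not taken from the original post.

```python
import re
from collections import defaultdict

# Constructed sample of an ASA running-config excerpt (not from the original
# post). It defines three ACLs but binds only two with access-group, and the
# "dmz" interface gets no inbound ACL, so the audit has something to flag.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
object network srv-dmz-l-prj01
 host 10.10.10.21
access-list outside_access_in remark allow project app from the Internet
access-list outside_access_in extended permit tcp any object srv-dmz-l-prj01 eq 1221
access-list outside_access_in extended deny ip any any log
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp object srv-dmz-l-prj01 any eq 443
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""

# Access control entries (remark lines are deliberately not counted as ACEs).
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended|standard|ethertype|webtype)\b")
# Bindings: "access-group NAME in|out interface IFNAME" or "access-group NAME global".
GROUP_RE = re.compile(
    r"^access-group\s+(\S+)\s+(?:(in|out)\s+interface\s+(\S+)|(global))\s*$"
)
NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)")


def parse_config(text):
    """Return ({acl_name: ace_count}, [(acl, direction, ifname)], [nameif...])."""
    acls, groups, interfaces = defaultdict(int), [], []
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)] += 1
            continue
        m = GROUP_RE.match(line)
        if m:
            name, direction, ifname, is_global = m.groups()
            groups.append((name, "global" if is_global else direction, ifname))
            continue
        m = NAMEIF_RE.match(line)
        if m:
            interfaces.append(m.group(1))
    return dict(acls), groups, interfaces


def audit(text):
    """Cross-check access-list definitions against access-group bindings."""
    acls, groups, interfaces = parse_config(text)
    bound = {name for name, _, _ in groups}
    seen, duplicate = set(), []
    for name, direction, ifname in groups:
        key = (direction, ifname)          # one ACL per interface per direction
        if key in seen:
            duplicate.append(key)
        seen.add(key)
    inbound = {ifname for _, direction, ifname in groups if direction == "in"}
    return {
        # defined but never applied: has no effect on traffic
        "unapplied": sorted(n for n in acls if n not in bound),
        # applied but never defined: typo in the access-group line
        "dangling": sorted({n for n in bound if n not in acls}),
        # interface with no inbound filter at all
        "no_inbound_acl": sorted(i for i in interfaces if i not in inbound),
        "duplicate_binding": duplicate,
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_CONFIG).items():
        print(f"{finding}: {items}")
```

Run it against the output of "show running-config" saved to a file and act on anything in "unapplied", "dangling" or "no_inbound_acl" before putting the interface into service; the parser only recognises the standard command forms shown above and treats an ACL with only remark lines as undefined.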
08-12-2019 05:22 PM
Access-lists are created globally and then applied with the access-group command. They can be applied in or outbound.
08-12-2019 08:24 PM
Very clear and understood. Thanks!
08-12-2019 10:42 PM
Hi @Brendan Wood ,
Remember to mark the correct answers as solved, because that helps other users with similar questions.
Regards