12-29-2014 01:38 PM - edited 03-11-2019 10:16 PM
If I have created an MPF service-policy to allow access to certain websites based on REGEX URL matches, and I apply this policy to an ASA interface, what happens if there is an ACL on that same interface that blocks or allows access to certain sites?
Which is processed first? The service policy or the ACL?
What if the ACL blocks but the service-policy allows?
12-30-2014 02:15 AM
Hi,
The ACL is always processed first. Only the traffic allowed by the ACL will be matched on the service policy.
Refer to:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html
Thanks and Regards,
Vibhor Amrodia
12-30-2014 07:40 AM
Vibhor:
So if a packet comes in destined for a website address at port 80 and is allowed by the ACL, but the service-policy has a REGEX expression (whitelist/blacklist) that denies access to that same website, will the connection be terminated?
12-30-2014 09:08 AM
Hi,
Yes, in that case the traffic will be denied after the ASA device inspects the HTTP header.
Thanks and Regards,
Vibhor Amrodia
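An added illustration of the ordering described in this thread (example configuration written for this reply, not taken from the original post or from Cisco documentation); all object names, the interface name "inside" and the domain in the regex are assumed placeholders. The interface ACL permits TCP/80, so the packet passes the ACL first; the service policy then hands the flow to HTTP inspection, which reads the Host header and drops the connection when it matches the blacklist regex.

```text
! --- Step 1: interface ACL (evaluated first, before any service policy) ---
access-list INSIDE_IN extended permit tcp any any eq 80
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! --- Step 2: regex blacklist matched against the HTTP Host header ---
! Placeholder domain; anchor the pattern so "badsite.example" does not also
! match "notbadsite.example".
regex BLOCKED_DOMAIN "^badsite\.example$"
class-map type regex match-any BLOCKED_HOSTS
 match regex BLOCKED_DOMAIN

! Layer 7 class: a request whose Host header matches the blacklist
class-map type inspect http match-all HTTP_HOST_BLOCK
 match request header host regex class BLOCKED_HOSTS

! Layer 7 policy: drop the TCP connection and log it when the class matches
policy-map type inspect http HTTP_URL_POLICY
 parameters
 class HTTP_HOST_BLOCK
  drop-connection log

! --- Step 3: layer 3/4 class and policy that invoke HTTP inspection ---
! Only flows already permitted by INSIDE_IN ever reach this point.
class-map WEB_TRAFFIC
 match port tcp eq 80

policy-map INSIDE_POLICY
 class WEB_TRAFFIC
  inspect http HTTP_URL_POLICY

! Attach the service policy to the same interface as the ACL
service-policy INSIDE_POLICY interface inside
```

With this configuration a flow to a blacklisted host is permitted by the ACL but torn down once the first HTTP request reveals the Host header, and `show service-policy interface inside` together with the drop-connection syslog confirms which layer took the action.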