7617 Views | 10 Helpful | 2 Replies

ASA access group in and out on same interface

venger
Level 1

ASA CLI Book says: "You can configure one access-group command per ACL type per interface per direction."

Does this mean one command per interface, or one command per direction?

Can we add two rules on the outside interface? Something like this:

access-list OUTSIDE_IN permit tcp any host 209.165.201.3 eq 80
access-group OUTSIDE_IN in interface outside
access-list INSIDE_OUT permit ip any any
access-group INSIDE_OUT out interface outside


1 Accepted Solution

Accepted Solutions

Dennis Mink
VIP Alumni

You could do it the way you described, but typically you wouldn't find that way of configuring.

So for instance, if you are internal and want to go to the internet, using the outside interface of your FW, you would stick an ACL/access-group in on your inside interface to restrict traffic to the internet. This way you don't need to define an access-group out on your outside, because you have already restricted traffic on your inside interface.

Typically on a FW you have an access-group in on: DMZ if, inside if and outside if, so 3 in total.

Please remember to rate useful posts, by clicking on the stars below.

2 Replies


Got it, thanks. There's a couple of inside networks and all have some services permitted in common to go outside. So I thought it's easier (makes more sense) to put that on outside out once than to put it on every network and deny each of the other networks from reaching all other networks on these services. That's the idea behind it. I didn't go into this detail with the example, sorry.
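As an added configuration example (not posted by either participant), here is the per-interface inbound design from the accepted answer applied to the situation in the last reply: several inside networks sharing one set of permitted outbound services, with each inside network kept from reaching the others. Interface names, addresses and ports are assumed, and the OP's single "out" ACL on outside is shown at the end for contrast.

```cisco
! Assumed topology: two inside interfaces (inside1 = 10.1.1.0/24,
! inside2 = 10.1.2.0/24) and one outside interface.
object-group network INSIDE_NETS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
object-group service COMMON_SVCS tcp
 port-object eq www
 port-object eq https
!
! Inbound on inside1: the shared service list is written once in the
! object-group, so each inside ACL is two lines. The deny comes first so
! the other inside networks are unreachable; the permit then lets the
! shared services out to everything else (i.e. the Internet).
access-list INSIDE1_IN extended deny ip any object-group INSIDE_NETS
access-list INSIDE1_IN extended permit tcp 10.1.1.0 255.255.255.0 any object-group COMMON_SVCS
access-group INSIDE1_IN in interface inside1
!
access-list INSIDE2_IN extended deny ip any object-group INSIDE_NETS
access-list INSIDE2_IN extended permit tcp 10.1.2.0 255.255.255.0 any object-group COMMON_SVCS
access-group INSIDE2_IN in interface inside2
!
! Inbound on outside: only the published web server from the question.
! With this, all three access-groups are "in" and no "out" ACL is needed.
access-list OUTSIDE_IN extended permit tcp any host 209.165.201.3 eq 80
access-group OUTSIDE_IN in interface outside
!
! For contrast, the single outbound ACL the OP had in mind. It is legal
! (one "in" and one "out" per interface), and it does capture the shared
! services in one place, but it is only evaluated for traffic leaving
! through outside: inside1-to-inside2 traffic never passes this ACL, so
! the inter-network restriction still has to live on the inside interfaces.
access-list OUTSIDE_OUT extended permit tcp object-group INSIDE_NETS any object-group COMMON_SVCS
access-group OUTSIDE_OUT out interface outside
```

Whichever direction is chosen, remember the ASA's implicit deny at the end of every applied ACL, so a typo in an object-group silently drops the shared services rather than opening anything extra.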
