06-03-2018 03:18 PM - edited 02-21-2020 07:50 AM
ASA CLI Book says: "You can configure one access-group command per ACL type per interface per direction."
Does this mean one command per interface, or one command per direction?
Can we add two rules on the outside interface? Something like this:
access-list OUTSIDE_IN permit tcp any host 209.165.201.3 eq 80
access-group OUTSIDE_IN in interface outside
access-list INSIDE_OUT permit ip any any
access-group INSIDE_OUT out interface outside
06-03-2018 05:34 PM - edited 06-03-2018 05:35 PM
You could do it the way you described, but typically you wouldn't find it configured that way.
So for instance, if you are internal and want to go to the internet using the outside interface of your FW, you would stick an ACL (access-group in) on your inside interface to restrict traffic to the internet. This way you don't need to define an access-group out on your outside, because you have already restricted traffic on your inside interface.
Typically on a FW you have an access-group in on: DMZ if, inside if and outside if, so 3 in total.
06-05-2018 02:55 PM - edited 06-05-2018 02:57 PM
Got it, thanks. There are a couple of inside networks and all have some services permitted in common to go outside. So I thought it's easier (makes more sense) to put that on outside out once than to put it on every network and deny each of the other networks from reaching all the other networks on these services. That's the idea behind it. I didn't go into this detail with the example, sorry.
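The two layouts discussed in this thread side by side, as an added worked configuration that is not from any of the posts above: layout A is the original post's in/out pair bound on "outside" (one ACL type, one interface, two directions, so two access-group commands, which the quoted CLI Book sentence permits), and layout B is the reply's conventional inbound-only pattern with one ACL per interface. The interface names inside1, inside2 and dmz, the networks 10.1.1.0/24, 10.1.2.0/24 and 192.168.100.0/24, and the host 203.0.113.5 are assumed for illustration; 209.165.201.3 is the web server from the question.

```cisco
! Added example, not from the original thread.
! Assumed interfaces: inside1, inside2, dmz, outside.
! Assumed networks: inside1 = 10.1.1.0/24, inside2 = 10.1.2.0/24, dmz = 192.168.100.0/24.

! --- Layout A: what the question proposes. Both directions bound on "outside".
access-list OUTSIDE_IN extended permit tcp any host 209.165.201.3 eq 80
access-group OUTSIDE_IN in interface outside

access-list OUTSIDE_OUT remark Common egress policy for every inside network, applied once as traffic exits outside
access-list OUTSIDE_OUT extended permit tcp 10.1.0.0 255.255.0.0 any eq 443
access-list OUTSIDE_OUT extended permit udp 10.1.0.0 255.255.0.0 any eq 53
access-group OUTSIDE_OUT out interface outside
! Caveat: inside1 and inside2 carry no inbound ACL here, so traffic between them is decided
! only by interface security levels (and by "same-security-traffic permit inter-interface"
! if they share a level). OUTSIDE_OUT never sees a packet that does not leave via "outside".

! --- Layout B: the reply's pattern. One inbound ACL per interface, nothing outbound.
! Binding an inbound ACL replaces the security-level default with the ACL's implicit deny,
! so each inside ACL must state the inter-network decision itself. The deny comes first
! because the "any" destinations in the permits below would otherwise also match the
! neighbouring inside network.
access-list INSIDE1_IN extended deny ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list INSIDE1_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list INSIDE1_IN extended permit udp 10.1.1.0 255.255.255.0 any eq 53
access-group INSIDE1_IN in interface inside1

access-list INSIDE2_IN extended deny ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list INSIDE2_IN extended permit tcp 10.1.2.0 255.255.255.0 any eq 443
access-list INSIDE2_IN extended permit udp 10.1.2.0 255.255.255.0 any eq 53
access-group INSIDE2_IN in interface inside2

access-list DMZ_IN extended permit udp 192.168.100.0 255.255.255.0 any eq 53
access-group DMZ_IN in interface dmz
! OUTSIDE_IN from layout A stays bound inbound on outside: with DMZ_IN and the inside
! ACLs that is the "3 in total" of the reply (one per interface, all in the "in" direction).

! --- Checks (exec mode): per-ACE hit counts, and a dry run of one flow that reports
! which ACL, if any, drops it before anything is deployed to production.
show access-list OUTSIDE_OUT
packet-tracer input inside1 tcp 10.1.1.10 40000 203.0.113.5 443
```

The trade-off the thread circles is visible in the line counts: layout A states the shared egress policy once but leaves inside-to-inside traffic to security levels, while layout B repeats the policy per interface but makes every decision, including inter-network reachability, explicit in an ACL with its own hit counters. Run the packet-tracer line for a flow you expect to be denied as well as one you expect to pass; an "ACCESS-LIST" drop phase in its output names the ACL responsible.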