01-20-2010 08:19 AM - edited 03-11-2019 09:59 AM
Hi All,
For ASA, is there any standard or a need of having an in and out access-group for each inside or outside interface, or is it based on situation and requirement?
Regards,
Lawrence
01-20-2010 08:54 AM
noobieee7 wrote:
Hi All,
For ASA, is there any standard or a need of having an in and out access-group for each inside or outside interface, or is it based on situation and requirement?
Regards,
Lawrence
Lawrence
It is based purely on situation and requirement. Inbound access-lists are by far the most commonly used, but I have had situations in the past where an outbound ACL has been very useful.
Jon
01-20-2010 08:55 AM
Mostly people only apply acl "IN" on an interface. We have seen cases where people apply acl IN and OUT on the same interface by mistake.
In some cases there has been a requirement. For example, you have inside, dmz and outside. You manage the inside and outside interface ACLs but another team manages the dmz ACL. They allow everything on their interface, but you want to control what leaves the outside interface, so you can apply an ACL OUT on the outside interface.
So, it depends on the requirement.
-KS
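The inside/dmz/outside scenario from the reply above, sketched as ASA configuration. This is an added example, not part of the original posts; the ACL names, the inside subnet and the permitted ports are assumptions.

```cisco
! Constructed example. Interface names follow the scenario in the reply;
! ACL names, the 10.1.1.0/24 subnet and the allowed ports are assumptions.

! Inbound ACL on inside: checked when traffic enters the ASA from inside.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended permit udp 10.1.1.0 255.255.255.0 any eq 53
access-group INSIDE_IN in interface inside

! The dmz ACL is owned by another team and allows everything.
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz

! Outbound ACL on outside: checked when traffic leaves the ASA through
! outside, whichever interface it entered on, so it also limits dmz traffic.
! Matching on destination port only keeps the rules independent of NAT.
access-list OUTSIDE_OUT extended permit tcp any any eq 443
access-list OUTSIDE_OUT extended permit udp any any eq 53
access-list OUTSIDE_OUT extended deny ip any any log
access-group OUTSIDE_OUT out interface outside

! Only one ACL per interface per direction: a second "access-group ... out
! interface outside" replaces the first binding rather than adding to it.
```

`show running-config access-group` lists which ACL is bound to each interface and direction, which is a quick way to spot an IN and OUT pair applied by mistake, and `show access-list OUTSIDE_OUT` shows per-entry hit counts.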
01-20-2010 09:52 PM
Hello,
I would agree with the above replies. Just to add, I would like to mention that on an interface you can apply one ACL per direction. Also, please keep in mind that the more the number of ACLs, the more the packet processing done at each ifc in the ASA.
Thanks
Vijaya
01-21-2010 02:40 AM
Hi All,
For ASA, is there any standard or a need of having an in and out access-group for each inside or outside interface, or is it based on situation and requirement?
Regards,
Lawrence
Hi Lawrence,
Generally it depends on the situation. As good practice, we used to do an inbound ACL with the traffic flow coming inside to the device in the in direction.
HTH
Regards
Ganesh.H