04-06-2011 03:57 AM - edited 03-11-2019 01:17 PM
Hi,
Question regarding the acl operation of ASA.
Setup using ASA only.
inside interface - this is where the server is located.
outside interface - this is where the user is located.
Test 1.
Policy - allow the telnet connection from the user to the server (telnet server).
Result - user can telnet to the server.
Test 2.
Policy - deny the telnet connection from the user to the server (telnet server).
Result - the user that already has an established telnet session to the server stays connected.
If the user disconnects the telnet session and tries to connect again, the user is denied the telnet connection because of the policy.
I did the same test using an L3 switch (no ASA) and applied the access group to the SVI inbound.
Setup using L3 switch only.
vlan 2 - this is where the server is located.
vlan 7 - this is where the user is located.
Test 1.
Policy - allow the telnet connection from the user to the server (telnet server).
Result - user can telnet to the server.
Test 2.
Policy - deny the telnet connection from the user to the server (telnet server).
Result - the user that already had an established telnet session to the server was disconnected.
A new telnet connection to the server was denied because of the policy.
I would like to ask about the difference in the result between the ASA and the L3 switch.
Do I have to do some config on the ASA to achieve the same result as the L3 switch?
Also, if you can, please provide Cisco documentation regarding this.
TIA
04-06-2011 04:27 AM
Hi,
In ASA, ACL changes do not affect existing connections. Existing connections have an entry in the state table, so they are not subjected to ACL checks.
ACL checks are done at connection creation time; only new connections after the change will be subjected to ACL checks.
Switches do not maintain a connection state table and so all packets are subjected to ACL checks.
Check the 'Note' section in this ASA link.
http://www.cisco.com/en/US/partner/docs/security/asa/asa80/configuration/guide/traffic.html#wp1074528
Paps
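The stateful-versus-stateless difference described in this answer, as an added simulation that is not part of the thread or of any Cisco code: a `StatefulFilter` consults the ACL only when a new connection (first SYN) is created and then forwards on the connection table, like the ASA, while a `StatelessFilter` matches every packet against the ACL, like the switch SVI. The `clear_conn()` method models the operator forcing existing flows out of the table, which is the only way the ASA variant drops the established session after the policy flips to deny; the addresses and rule tuples are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

# ACL rule: (action, src, dst, dport); "any" / None act as wildcards
def acl_permits(acl, flow):
    """First-match lookup with the implicit deny at the end of every ACL."""
    for action, src, dst, dport in acl:
        if src in ("any", flow.src) and dst in ("any", flow.dst) \
                and dport in (None, flow.dport):
            return action == "permit"
    return False

class StatelessFilter:
    """L3 switch: every packet, established or not, is matched against the ACL."""
    def __init__(self, acl):
        self.acl = acl
    def packet(self, flow, syn=False):
        return acl_permits(self.acl, flow)

class StatefulFilter:
    """ASA: ACL consulted at connection creation; later packets ride the state table."""
    def __init__(self, acl):
        self.acl = acl
        self.conns = set()
    def packet(self, flow, syn=False):
        if flow in self.conns:
            return True                  # state table wins over the ACL
        if syn and acl_permits(self.acl, flow):
            self.conns.add(flow)         # new connection passes ACL, enters table
            return True
        return False                     # denied, or non-SYN with no state
    def clear_conn(self):
        self.conns.clear()               # models the operator clearing connections

def run_scenario(fw):
    """Telnet session set up under permit, then the ACL is flipped to deny.
    Returns (first SYN allowed, mid-session packet allowed, new SYN allowed)."""
    telnet = Flow("10.7.0.5", "10.2.0.10", 23)     # constructed sample addresses
    fw.acl[:] = [("permit", "any", "10.2.0.10", 23)]
    first = fw.packet(telnet, syn=True)
    fw.acl[:] = [("deny", "any", "10.2.0.10", 23)]
    during = fw.packet(telnet)                      # data packet of the same session
    fresh = fw.packet(Flow("10.7.0.6", "10.2.0.10", 23), syn=True)
    return first, during, fresh
```

`run_scenario(StatefulFilter([]))` returns `(True, True, False)`, reproducing the ASA result in Test 2, while `run_scenario(StatelessFilter([]))` returns `(True, False, False)`, reproducing the switch result.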
04-06-2011 05:42 AM
Thanks!