568 Views, 0 Helpful, 3 Replies

ASA ACL question

Jon Moots, Level 1

I am new to the ASA and am trying to figure something out with ACLs. I understand about creating them and adding entries, and that all entries must have the same name, but I am confused about ACLs that already exist on a device with a different name, or that may need to be named differently.

For example:

  access-list Corporate1 extended permit tcp any any eq www
  access-list Corporate1 extended permit tcp any any eq https
  access-list Inside_Out extended permit ip any any
  access-group Corporate1 in interface outside

 

Ignoring the content for the moment, I have 2 ACLs: one with 2 entries and one with a single entry. The ACL Corporate1 is applied to the inside interface and is active. I get that part. My question is: is the ACL Inside_Out grouped in automatically with the active ACL and active as well, or is it safe to say it is not active and can be removed without causing harm? Is the active ACL only the ACL with the same name as the access-group Corporate1?

 

I have 2 different people telling me two different things. I'm lost on this one; any help would be greatly appreciated.

-Jon

Accepted Solution

Working with ACLs always involves two steps:

  1. You configure the ACL (with possibly multiple lines, but all with the same name).
  2. You assign the ACL to a function. That could be filtering on an interface with the access-group command, but it is not limited to that, as ACLs are used in multiple places where the ASA needs to match traffic.

If you did both 1) and 2), then the ACL is active and in use. If you only configured the ACL but never assigned it to a function, then the ACL is not active and can be removed.

In your example:

If you see that there is the ACL "Inside_Out" but you don't know if the ACL is used, then do a

  sh run | inc Inside_Out

If the output only shows the ACL lines, then it's unused and can be removed:

  clear configure access-list Inside_Out

Or, if it's unused but should be used, then apply the ACL to the function you want.

 


3 Replies


Jon Moots, Level 1

Thank you, Karsten. That is what I was thinking, but I did not know for sure enough to argue the point against the other two.

In the example I gave above, the production ASA is as shown, just with more ACEs in the list and a different name. The only ACL in running status was Corporate1; Inside_Out was only listed in the ACL list when I did a show. It was not assigned to an active interface or in an access-group command line.

What I think happened is that whoever worked on the PIX before me made changes to the ACLs as the company changed, and created a new one each time to ensure it would work before removing the old one, and then never removed the old ones once the new ones were tested.

Thanks again!!

I forgot to mention that there are situations where you can have unassigned ACLs that are needed:

If you have a central AAA server (RADIUS server), this server could be used as an authorization system that tells the ASA that a specific ACL on the ASA should be used for a specific user.

With that, it would not be automatically correct to assume that an ACL that is not assigned to a function can be removed.
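As an added example (not from the original thread and not a Cisco tool), the following Python script applies the two-step rule from the accepted solution across a whole saved running-config at once, instead of one `sh run | inc NAME` at a time: every ACL that has definition lines but is not named by any other line (access-group, nat ... access-list, vpn-filter value, split-tunnel-network-list value, and so on) is reported as a removal candidate together with the `clear configure access-list` command for it. It also folds in the caveat from the follow-up reply above: if a RADIUS server group is configured, the script warns that an unreferenced ACL may still be assigned to users by the AAA server, which leaves no trace in the running-config. The sample config, the ACL names and the server-group name are constructed for illustration; the `Filter-Id` mention is an assumption about how such an assignment commonly arrives and is not something the thread states.

```python
"""Report ACLs in an ASA running-config that are defined but never assigned.

Added example, not from the original thread and not a Cisco tool. It models
Karsten's check ("sh run | inc NAME": if only access-list lines come back,
the ACL is unassigned) over a whole saved config, and reports the result as
candidates rather than "safe to delete", because a RADIUS server can still
select an ACL by name at run time (for example via a Filter-Id attribute, an
assumption for illustration), which leaves no trace in the running-config.

Usage: python3 unused_acls.py [running-config.txt]   (no file: built-in sample)
"""
import re
import sys

# Constructed sample config (not from a real device). It mirrors the thread's
# example and adds a few of the other places where the ASA references an ACL.
SAMPLE_CONFIG = """\
hostname asa-example
aaa-server CORP_RADIUS protocol radius
access-list alert-interval 300
access-list Corporate1 extended permit tcp any any eq www
access-list Corporate1 extended permit tcp any any eq https
access-list Inside_Out extended permit ip any any
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list VPN_SPLIT standard permit 10.1.0.0 255.255.0.0
access-list VPN_FILTER remark SSH to the jump host only
access-list VPN_FILTER extended permit tcp any host 10.1.1.10 eq 22
access-list OLD_INSIDE extended permit ip any any
access-group Corporate1 in interface outside
nat (inside) 0 access-list NONAT
group-policy RA_POLICY attributes
 split-tunnel-network-list value VPN_SPLIT
 vpn-filter value VPN_FILTER
"""

# An ACL definition line: "access-list <name> <remark|extended|standard|...>".
# Global settings such as "access-list alert-interval 300" do not match.
ACL_DEF = re.compile(
    r"^access-list\s+(\S+)\s+(?:remark|extended|standard|webtype|ethertype|permit|deny)\b"
)
RADIUS_SERVER = re.compile(r"^aaa-server\s+\S+\s+protocol\s+radius\b", re.M)


def acl_definitions(config):
    """Map each ACL name to its definition lines (ACEs and remarks), in order."""
    acls = {}
    for line in config.splitlines():
        m = ACL_DEF.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(line.strip())
    return acls


def acl_references(config, names):
    """Map each ACL name to the non-definition lines that use it.

    A reference is any other config line containing the name as a whole
    token (access-group, nat ... access-list, match access-list, vpn-filter
    value, split-tunnel-network-list value, crypto map ... match address).
    Whole-token matching avoids the false hit that a substring search such as
    "sh run | inc Inside" gives on both Inside_Out and Inside_Old. Unknown
    contexts still count, which errs on the side of keeping an ACL.
    """
    refs = {name: [] for name in names}
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("access-list "):
            continue  # definition lines never count as a use
        for tok in stripped.split():
            if tok in refs:
                refs[tok].append(stripped)
    return refs


def unreferenced_acls(config):
    """ACL names with definitions but no reference anywhere else, sorted."""
    defs = acl_definitions(config)
    refs = acl_references(config, defs)
    return sorted(name for name in defs if not refs[name])


def removal_commands(names):
    """The ASA command from the accepted solution for dropping a whole ACL."""
    return ["clear configure access-list %s" % name for name in names]


def uses_radius_aaa(config):
    """True if a RADIUS server group exists; it could assign ACLs by name."""
    return RADIUS_SERVER.search(config) is not None


def report(config):
    """Human-readable summary: candidates, their removal commands, AAA warning."""
    candidates = unreferenced_acls(config)
    lines = ["Unreferenced ACLs (candidates for removal): %s"
             % (", ".join(candidates) or "none")]
    lines += ["  " + cmd for cmd in removal_commands(candidates)]
    if uses_radius_aaa(config):
        lines.append("WARNING: RADIUS AAA is configured; confirm none of these ACL "
                     "names is assigned by the AAA server before clearing them.")
    return "\n".join(lines)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print(report(text))
```

On the sample config the script lists Inside_Out and OLD_INSIDE as candidates and prints the warning, because a RADIUS server group is present. Feed it a real `show running-config` capture and treat the output as a worklist to confirm against the AAA server's authorization policy, not as a list to clear blindly.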
