Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1065
Views
0
Helpful
1
Replies

ASA ACL question

Go to solution
leowls
Level 1
Level 1

‎03-11-2019 05:58 AM - edited ‎02-21-2020 08:55 AM

With reference to this:

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html

 

The acl configured at the end for dmz, why is it being placed inbound rather than outbound in the dmz interface? Shouldn't it be outbound because the traffic is leaving the dmz into the inside interface to access the dns?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎03-11-2019 06:39 AM

Hi,

The majority of the time an ACL will be applied INbound as packets would originate inbound on the DMZ interface. If you use an outbound ACL then the packets arrive inbound on the DMZ interface, processed for NAT, inspection etc only to be dropped after the ASA has spent more resources processing it.

 

FYI, an example usage of an OUTbound ACL here.

 

HTH

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Rob Ingram
VIP
VIP

‎03-11-2019 06:39 AM

Hi,

The majority of the time an ACL will be applied INbound as packets would originate inbound on the DMZ interface. If you use an outbound ACL then the packets arrive inbound on the DMZ interface, processed for NAT, inspection etc only to be dropped after the ASA has spent more resources processing it.

 

FYI, an example usage of an OUTbound ACL here.

 

HTH

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card