05-09-2012 06:22 AM - edited 03-11-2019 04:04 PM
I have been told that if an access list is created with the suffix _access_in, and the prefix is the name of an interface, then that access list is automatically bound to that interface, even if there is no explicit command doing that.
I am looking at the config of an ASA 5550.
example:
Interface is Production
access list is called Production_access_in.
Is that access list automatically bound to the Production interface, even though it does not show up in any other commands?
05-09-2012 06:40 AM
Hi Paul,
That's not true, you would need to apply the access-list on the interface as well, here is the command for it:
access-group Production_access_in in interface Production
Only then would the access-list be applied.
Here's the guide:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1558738
Maybe they configured it using ASDM. But it still needs to be specified.
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-09-2012 07:21 AM
Yes Varun, some of the config was done using ASDM, some not.
I am trying to untangle a config that is a number of years old.
It was worked on by multiple people, some who used ASDM, some who used CLI.
My question is at the bottom of the verbiage below, but ultimately, if the access list is not included in the access-group command, nor is it referenced within one of the nat rules, is that access list used AT ALL within the firewall?
An example: is the access list Primary_Public_access_in used at all?
From what you are saying, it is not.
Here is a list of access lists and interfaces I am dealing with, plus the access groups.
Interfaces:
nameif Primary_Public
nameif LANx
nameif Production
nameif Management
nameif Corp
access list names:
Primary_Public_access_in
Primary_Public_access_in_tmp
no-nat
Production_nat0_inbound
Corp_nat0_outbound
Corp_nat1_outbound
LANx_nat0_outbound
FW_LANx_in
ARIN_Primary_Public_access_in
global (Primary_Public) 1 interface
global (Primary_Public) 2 xxx.132.123.17 netmask 255.255.255.255
global (LANx) 102 interface
nat (LANx) 0 access-list LANx_nat0_outbound
nat (LANx) 2 192.168.3.0 255.255.255.0
nat (LANx) 102 0.0.0.0 0.0.0.0
nat (Production) 0 access-list no-nat
nat (Production) 0 access-list Production_nat0_inbound outside
nat (Production) 1 172.20.0.0 255.255.0.0
nat (Corp) 0 access-list Corp_nat0_outbound
nat (Corp) 1 access-list Corp_nat1_outbound
nat (management) 0 access-list Mgmt_nat0_outbound
nat (management) 1 access-list Mgmt_nat1_outbound
access-group Primary_Public_access_in_tmp in interface Primary_Public
access-group FW_LANx_in in interface LANx
05-09-2012 07:36 AM
You can try this to find all instances of the access-list in your config:
show run | include Primary_Public_access_in
This would tell you where all the access-list has been used.
Thanks,
Varun Rao
Security Team,
Cisco TAC
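The question in the thread (which ACLs in this config are actually used anywhere) and the `show run | include` answer can both be worked through offline against a saved copy of the running config. The script below is an added example, not part of the thread or of any Cisco tool: it parses a constructed ASA-style config modelled on the names posted above (the ACE bodies are placeholders, not the poster's real rules), lists the ACL names that are defined, and reports which of them appear as a whole token on any line other than their own `access-list` entries. That covers access-group, the nat 0/1 access-list forms shown in the thread, and any other command that names the ACL. It also emulates the substring behaviour of `show run | include`, to show why a name such as `Primary_Public_access_in` that is a prefix of another name (`Primary_Public_access_in_tmp`, `ARIN_Primary_Public_access_in`) needs a whole-token check before you conclude it is in use.

```python
import re
from collections import defaultdict

# Constructed sample config in ASA 8.2-style syntax, using the interface and
# ACL names from the thread. ACE bodies are illustrative placeholders only.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Primary_Public
interface GigabitEthernet0/1
 nameif LANx
interface GigabitEthernet0/2
 nameif Production
access-list Primary_Public_access_in extended permit tcp any host 10.0.0.10 eq 443
access-list Primary_Public_access_in_tmp extended permit tcp any host 10.0.0.10 eq 443
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list Production_nat0_inbound extended permit ip any 172.20.0.0 255.255.0.0
access-list LANx_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list FW_LANx_in remark allow LANx hosts out
access-list FW_LANx_in extended permit ip 192.168.3.0 255.255.255.0 any
access-list ARIN_Primary_Public_access_in extended permit ip any any
nat (LANx) 0 access-list LANx_nat0_outbound
nat (Production) 0 access-list no-nat
nat (Production) 0 access-list Production_nat0_inbound outside
access-group Primary_Public_access_in_tmp in interface Primary_Public
access-group FW_LANx_in in interface LANx
"""

# ASA global settings that start with "access-list" but are not ACL names.
NOT_ACL_NAMES = {"alert-interval", "deny-flow-max"}


def defined_acls(config):
    """Return the set of ACL names that have at least one access-list line."""
    names = set()
    for line in config.splitlines():
        m = re.match(r"^access-list\s+(\S+)", line)
        if m and m.group(1) not in NOT_ACL_NAMES:
            names.add(m.group(1))
    return names


def acl_references(config):
    """Map each defined ACL name to the config lines that use it.

    A use is any line other than the ACL's own access-list entries on which the
    name appears as a whole whitespace-separated token (access-group, nat ...
    access-list, and anything else that names the ACL). Whole-token matching
    avoids counting Primary_Public_access_in_tmp as a use of
    Primary_Public_access_in.
    """
    acls = defined_acls(config)
    refs = defaultdict(list)
    for line in config.splitlines():
        if line.startswith("access-list "):
            continue  # definition, not a use
        tokens = set(line.split())
        for name in acls:
            if name in tokens:
                refs[name].append(line.strip())
    return {name: refs.get(name, []) for name in acls}


def unreferenced_acls(config):
    """ACLs that are defined but never applied or referenced anywhere."""
    return sorted(name for name, uses in acl_references(config).items() if not uses)


def naive_include_matches(config, needle):
    """Emulate `show run | include <needle>`: plain substring match on each line."""
    return [line for line in config.splitlines() if needle in line]


if __name__ == "__main__":
    for name, uses in sorted(acl_references(SAMPLE_CONFIG).items()):
        status = "used" if uses else "NOT REFERENCED"
        print(f"{name:35s} {status}")
        for use in uses:
            print(f"    {use}")
    print("\nshow run | include Primary_Public_access_in would match:")
    for line in naive_include_matches(SAMPLE_CONFIG, "Primary_Public_access_in"):
        print("   ", line)
```

On the sample config the whole-token check reports `Primary_Public_access_in` and `ARIN_Primary_Public_access_in` as defined but never referenced, while the substring emulation of `show run | include Primary_Public_access_in` returns four lines, three of them belonging to other ACLs. When cleaning up a config this old, run the whole-token check over the full `show run` output rather than the excerpt: ACLs can also be referenced from crypto maps, class maps, VPN filters and route maps, and the token scan catches those without a per-command rule.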
05-09-2012 08:34 AM
Thanks, I will try to get that output of that command.