cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
426
Views
0
Helpful
3
Replies

Choosing Interface of ASA for ACL

mahesh18
Level 6
Level 6

Hi Everyone,

Say user is connected to ASA interface X and he need to reach a server which has connection via Z interface of  ASA.

We need to open port say 22 and 1123 should we config  the ACL on interface X?

Thanks

Mahesh

2 Accepted Solutions

Accepted Solutions

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

In general you should probably configure ACL on every interface of the ASA. And the ACL should usually be attached in the direction "in" since you want to control connections that are coming from behind that interface.

You should use the ACL attached to the interface behind which the hosts are located to control their traffic towards other networks.

In other words you should have an ACL on the interface X which controls where the user can connect to and what services he can use. So if the traffic is blocked you should use this ACL to allow connections to the server behind interface Z on the ports 22 and 1123.

- Jouni

View solution in original post

gcorrale
Level 1
Level 1

Hello Mahesh,

That depends, remember that the ASA also have different security levels on the interfaces, all traffic from a higher to a lower security level is permitted and is denied the way around (from lower to higher).

If the X interface is the lower security-level you will need to add the ACL on this interface to allow the traffic to pass through.

For example:

Nameif X security-level 0

Nameif Z security-level 100

access-list test permit ip host x.x.x.x host z.z.z.z

access-group test in interface X

Here is a link that could also help.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

Thank you

Godfrey Corrales

Security Engineer.

View solution in original post

3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

In general you should probably configure ACL on every interface of the ASA. And the ACL should usually be attached in the direction "in" since you want to control connections that are coming from behind that interface.

You should use the ACL attached to the interface behind which the hosts are located to control their traffic towards other networks.

In other words you should have an ACL on the interface X which controls where the user can connect to and what services he can use. So if the traffic is blocked you should use this ACL to allow connections to the server behind interface Z on the ports 22 and 1123.

- Jouni

gcorrale
Level 1
Level 1

Hello Mahesh,

That depends, remember that the ASA also have different security levels on the interfaces, all traffic from a higher to a lower security level is permitted and is denied the way around (from lower to higher).

If the X interface is the lower security-level you will need to add the ACL on this interface to allow the traffic to pass through.

For example:

Nameif X security-level 0

Nameif Z security-level 100

access-list test permit ip host x.x.x.x host z.z.z.z

access-group test in interface X

Here is a link that could also help.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

Thank you

Godfrey Corrales

Security Engineer.

Hi Jouni & Godfrey,

I have applied ACL  to interface X.

also i found that  interface x is at lower security level as compare to Y.

ACL is applied to interface X  in inward direction.

You guys are great.

Best regards

Mahesh

Review Cisco Networking for a $25 gift card