04-30-2013 01:25 PM - edited 03-11-2019 06:36 PM
Hi Everyone,
Say a user is connected to ASA interface X and he needs to reach a server which is connected via interface Z of the ASA.
We need to open ports, say 22 and 1123. Should we configure the ACL on interface X?
Thanks
Mahesh
04-30-2013 02:09 PM
Hi,
In general you should probably configure an ACL on every interface of the ASA. And the ACL should usually be attached in the "in" direction, since you want to control connections that are coming from behind that interface.
You should use the ACL attached to the interface behind which the hosts are located to control their traffic towards other networks.
In other words, you should have an ACL on interface X which controls where the user can connect to and what services he can use. So if the traffic is blocked, you should use this ACL to allow connections to the server behind interface Z on ports 22 and 1123.
- Jouni
04-30-2013 02:12 PM
Hello Mahesh,
That depends. Remember that the ASA also has different security levels on the interfaces: all traffic from a higher to a lower security level is permitted, and it is denied the other way around (from lower to higher).
If interface X has the lower security level, you will need to add the ACL on this interface to allow the traffic to pass through.
For example:
interface <physical interface used for X>
 nameif X
 security-level 0
interface <physical interface used for Z>
 nameif Z
 security-level 100
access-list test permit ip host x.x.x.x host z.z.z.z
access-group test in interface X
Here is a link that could also help.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml
Thank you
Godfrey Corrales
Security Engineer.
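The two answers above describe the same procedure: give each interface a name and security level, write an ACL on the interface the user sits behind that permits only the needed services, bind it inbound, and verify. The following ASA configuration is an added worked example for Mahesh's exact case (ports 22 and 1123), not configuration posted by Jouni or Godfrey. The physical interface names, the 10.1.1.0/24 user subnet, the 10.3.3.20 server address and the object/ACL names are all placeholders I chose for illustration; the ASA itself uses real subnet masks in ACLs, not wildcard masks.

```cisco
! Interfaces: X is the low-security side the user sits on, Z holds the server.
! (Physical interface names and security levels are assumptions for this example.)
interface GigabitEthernet0/0
 nameif X
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif Z
 security-level 100
 ip address 10.3.3.1 255.255.255.0
!
! Group the two TCP ports the user needs so the ACL stays at one line per server.
object-group service SERVER-PORTS tcp
 port-object eq 22
 port-object eq 1123
!
! Inbound ACL on X: permit only TCP from the user subnet to the server on 22/1123.
! Every ASA ACL ends with an implicit deny, so nothing else from X gets through;
! the "log" keyword records hits so you can confirm the rule is actually matched.
access-list X_IN extended permit tcp 10.1.1.0 255.255.255.0 host 10.3.3.20 object-group SERVER-PORTS log
access-list X_IN extended deny ip any any log
access-group X_IN in interface X
!
! Verification: check hit counts, then simulate a flow without sending real traffic.
! packet-tracer shows which phase (ACL, NAT, routing) would drop a packet.
show access-list X_IN
packet-tracer input X tcp 10.1.1.10 40000 10.3.3.20 22
packet-tracer input X tcp 10.1.1.10 40000 10.3.3.20 443
```

The first packet-tracer run should report ALLOW (matching the permit line); the second should report DROP at the ACCESS-LIST phase, which is the quickest way to confirm that the ACL is bound to the right interface in the right direction. If X ever had a higher security level than Z, the ACL would still be required once any ACL is bound to X, because binding an ACL replaces the default security-level behaviour with the ACL's own permits plus the implicit deny.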
04-30-2013 03:05 PM
Hi Jouni & Godfrey,
I have applied the ACL to interface X.
Also, I found that interface X is at a lower security level as compared to Y.
The ACL is applied to interface X in the inbound direction.
You guys are great.
Best regards
Mahesh