Cisco ASA - Difference in permit IP and permit tcp in extended ACL

gryffindor
Level 1

Hi,

I am coming from Juniper SRX and am very new to Cisco and ASA. We have a new client and they have ASA firewalls. I am trying to understand the meaning and structure of these ACL statements.

From what I gathered, the structure of an ACL statement will be like:

access-list <ACL-NAME> extended permit tcp <source-ip> <destination-ip> eq <ports>

Below is a reference ACL statement I found in my ASA.

access-list Client1 extended permit ip object-group External-Range object Srvr-02

The External-Range object group contains a few network object hosts (a list of IPs in the external range), and Srvr-02 is an internal server. This access list is applied inbound on the interface connected to the client.

My question is: does this allow all communication between the external range (coming from the client side) and Srvr-02? And if we had used 'access-list Client1 extended permit tcp', could we then have specified a particular port and allowed communication on that port only?

4 Replies

@gryffindor yes, permit ip from that object group allows all ports/protocols to Srvr-02. To restrict traffic you'd specify the protocol "<tcp/udp/icmp>" and port "eq <port>". The access-list is then referenced in an access-group, which specifies the interface and the direction (in or out). Usually "in".

Hi Rob,

Thanks for your reply. Can you please also confirm whether, in the ACL syntax below, the ports mentioned are destination ports? And if we have to somehow restrict on the basis of source port, can that be done?

access-list <ACL-NAME> extended permit tcp <source-ip> <destination-ip> eq <ports>

Also, I just found one more ACL statement on another firewall, and that one is a permit tcp but doesn't have any eq ports mentioned. Does this mean that here all tcp communication is allowed?

access-list Client2-IN extended permit tcp object-group CNETS object-group Citrix

Yes, all tcp ports would be permitted. You can modify the access-list as below to define an object-group of services.

access-list TEST1 extended permit object-group SERVICES-GROUP object-group NET-SRC object-group NET-DST

If you run show access-list Client2-IN, this would expand the contents of the object-group, so you can clearly determine the hosts/networks defined in the group.
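As an added illustration of the entry structure Rob describes (example code written for this thread, not from Cisco or the original posts): a small Python parser that splits ASA extended ACL entries into protocol, source, optional source port, destination and optional destination port, and reports how broad each entry is. It reuses the thread's own entries as input; the TEST2 entry with eq 1024 after the source is constructed to show where ASA places a source-port operator, and it assumes an object-group directly after the source is the destination rather than a source-port service group.

```python
# Added example (not from the thread); the TEST2 entry and 10.0.0.5 below are constructed.
def _take_addr(tok, i):
    # any/any4/any6 is one token; host X, object X, object-group X, or net mask is two
    if tok[i] in ("any", "any4", "any6"):
        return tok[i], i + 1
    return f"{tok[i]} {tok[i + 1]}", i + 2

def _take_port(tok, i, allow_group):
    # Optional port operand: eq/gt/lt/neq PORT, range LOW HIGH, or a service object-group
    if i < len(tok) and tok[i] in ("eq", "gt", "lt", "neq"):
        return f"{tok[i]} {tok[i + 1]}", i + 2
    if i < len(tok) and tok[i] == "range":
        return f"range {tok[i + 1]} {tok[i + 2]}", i + 3
    if i < len(tok) and allow_group and tok[i] == "object-group":
        return f"object-group {tok[i + 1]}", i + 2
    return None, i

def parse_ace(line):
    """access-list NAME extended permit|deny PROTO SRC [SPORT] DST [DPORT]. Assumption: an
    object-group right after the source is the destination, not a source-port service group."""
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    acl, action, i = tok[1], tok[3], 4
    if tok[i] == "object-group":  # a service object-group supplies protocol and ports
        proto, i = f"object-group {tok[i + 1]}", i + 2
    else:
        proto, i = tok[i], i + 1
    src, i = _take_addr(tok, i)
    sport, i = _take_port(tok, i, allow_group=False)
    dst, i = _take_addr(tok, i)
    dport, i = _take_port(tok, i, allow_group=True)
    return {"acl": acl, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def scope(ace):
    # How broad the entry is: 'permit ip' with no ports is the widest possible
    if ace["proto"] == "ip":
        return "all protocols and ports"
    if ace["proto"].startswith("object-group "):
        return "protocols/ports defined in " + ace["proto"]
    if ace["sport"] is None and ace["dport"] is None:
        return f"all {ace['proto']} ports"
    return f"{ace['proto']} src port {ace['sport'] or 'any'} dst port {ace['dport'] or 'any'}"

if __name__ == "__main__":  # the thread's permit ip entry, then a constructed source-port entry
    for ace_line in ("access-list Client1 extended permit ip object-group External-Range object Srvr-02",
                     "access-list TEST2 extended permit tcp any eq 1024 host 10.0.0.5 eq 443"):
        print(scope(parse_ace(ace_line)), "<-", ace_line)
```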

Hi Rob,

Thanks for your reply. I had tried show access-list Client2-IN, but this showed 200 lines of data and I just could not get it.

But I've got an understanding of how to apply them. Thanks again for your responses.
