05-17-2016 01:46 AM - edited 03-12-2019 12:45 AM
Hello there,
I have
The inside interface and IP is 192.168.1.1/24 and outside interface is x.x.x.x.
I had opened certain ports like 1234, 4567, 8900 and so on.
Today
Do we need to specify only one access-group rule for all the ports in the same interface?
Should the access-group for opening ports like 1234, 4567 and so on have the same access-group name?
Please help.
Thank you in
Labels: NGFW Firewalls
Accepted Solutions

05-17-2016 05:21 AM
Hi Diwakar,
Only one access-group can be applied on
So if you need to modify any ACL rules you need to do on the same access-list which in turn would be
In your case only the access-group would have been removed, the access-list would be still on the ASA.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
05-19-2016 01:06 AM
This can either be done through the command line or through ASDM, though ASDM will be much easier. The best way to do it is by creating objects, i.e. SERVER1 IP 192.168.1.50, then in the access policies create a new rule and use these objects instead of IP addresses (just a neater way of doing it) and open the required ports.
There is only a single access-group applied on every firewall interface, i.e. inside_access_in on the inside interface (this is by default) and outside_access_in on the outside interface.
If you want to manually add an entry in the list, then first check what the name of the access list applied on the interface is; if it's outside_access_in then just add another entry:
Example:
access-list outside_access_in extended permit icmp any any echo-reply
I hope the above helps.
Regards,
Ahmed
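As an added illustration (not code from any poster in this thread), a small Python audit that parses an ASA running-config excerpt and separates the rules actually enforced on an interface (the ACEs in the ACL named by that interface's access-group) from ACEs sitting in an ACL that is no longer bound to anything, which is the state Aditya describes when only the access-group line was removed. The config text, object name and port numbers are constructed, and only the `extended` ACE syntax shown above is handled.

```python
import re
from collections import defaultdict

# Constructed ASA running-config excerpt (not from the thread). outside_access_in
# is bound to the outside interface; old_outside_in has lost its access-group
# line, so its permit for port 7000 is configured but not enforced anywhere.
SAMPLE_CONFIG = """\
object network SERVER1
 host 192.168.1.50
access-list outside_access_in extended permit tcp any object SERVER1 eq 1234
access-list outside_access_in extended permit tcp any object SERVER1 eq 4567
access-list outside_access_in extended permit tcp any object SERVER1 eq 8900
access-list outside_access_in extended permit icmp any any echo-reply
access-list old_outside_in extended permit tcp any object SERVER1 eq 7000
access-group outside_access_in in interface outside
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")


def parse_config(text):
    """Return ({acl_name: [(action, proto, rest), ...]},
               {(interface, direction): acl_name})."""
    acls = defaultdict(list)
    bindings = {}
    for line in text.splitlines():
        line = line.strip()
        m = ACE_RE.match(line)
        if m:
            acls[m.group(1)].append((m.group(2), m.group(3), m.group(4)))
            continue
        m = GROUP_RE.match(line)
        if m:
            # One ACL per interface and direction: a later line replaces it.
            bindings[(m.group(3), m.group(2))] = m.group(1)
    return acls, bindings


def effective_ports(text, interface, direction="in"):
    """(proto, port) pairs permitted by the ACL actually bound to interface."""
    acls, bindings = parse_config(text)
    name = bindings.get((interface, direction))
    ports = set()
    for action, proto, rest in acls.get(name, []):
        m = re.search(r"\beq (\S+)", rest)
        if action == "permit" and m:
            ports.add((proto, m.group(1)))
    return ports


def orphaned_acls(text):
    """ACLs that carry ACEs but are not referenced by any access-group."""
    acls, bindings = parse_config(text)
    return sorted(set(acls) - set(bindings.values()))
```

Run `orphaned_acls` against your own `show running-config` output after a change to confirm the ACL you edited is still the one bound by `access-group`.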
05-17-2016 06:50 AM
You can revert your changes by reapplying the previous access list:
'access-group outside_access_in in interface outside' just make sure that your previous access list name was 'outside_access_in'. Once it is applied then you can add in the same access list for port 7000.
Regards,
Ahmed
05-18-2016 08:01 PM
Thank you Aditya and Ahmed for your input. I am pretty much sure what you mean
What if

05-18-2016 08:23 PM
Hi Diwakar,
The name of the access-list will always be the same.
Regards,
Aditya
Please rate helpful posts and mark correct answers.