Confusion related to access-list and access-group

diwakar410
Level 1

Hello there,

I have a Cisco ASA 5515-X, version 9.2.2, and ASDM version 7.2.

The inside interface IP is 192.168.1.1/24 and the outside interface is x.x.x.x.

I had opened certain ports like 1234, 4567, 8900 and so on.

Today I needed to open port 7000, and I created a NAT rule and an access-list as well. Then I created the access-group with the command:

"access-group port-forward in interface outside", and all of a sudden I found that all the other access-list rules were gone and only the existing rule for 7000 exists.

Do we need to specify only one access-group rule for all the ports on the same interface?
Should the access-groups for opening ports like 1234, 4567 and so on have the same access-group name?

Please help.

Thank you in advance.

5 Replies

Aditya Ganjoo
Cisco Employee

Hi Diwakar,

Yes you are correct.

Only one access-group can be applied on an interface in one direction.

So if you need to modify any ACL rules, you need to do so on the same access-list, which in turn is bound to the access-group on the interface.

In your case only the access-group would have been removed; the access-list would still be on the ASA.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

You can revert your changes by reapplying the previous access list:

'access-group outside_access_in in interface outside'. Just make sure that your previous access list name was 'outside_access_in'. Once it is applied, you can add to the same access list for port 7000.

Regards,

Ahmed

Thank you Aditya and Ahmed for your input. I am pretty sure I understand what you mean now, but let me just clear the air a bit more.

I need to open ports 1234, 4567, 7890 and so on. So what will be the command line:
access-list any-name extended permit tcp any host 192.168.1.50 eq 1234
access-list any-name extended permit tcp any host 192.168.1.51 eq 4567
access-list any-name extended permit tcp any host 192.168.1.52 eq 7890

access-group any-name in interface outside

Should this be the command line, or can I change the name of the access-list in every step?
What if I have to open a new port 9012, should the access-group name be the same? What about the access-list, should the name be the same for every access rule we make?

Hi Diwakar,

The name of the access-list will always be the same.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

This can be done either through the command line or through ASDM, though ASDM will be much easier. The best way to do it is by creating objects, i.e. SERVER1 with IP 192.168.1.50, then in the access policies create a new rule and use these objects instead of IP addresses (just a neater way of doing it) and open the required ports.

There is only a single access-group applied on every firewall interface, i.e. inside_access_in on the inside interface (this is by default) and outside_access_in on the outside interface.

If you want to manually add an entry to the list, then first check the name of the access list applied on the interface; if it is outside_access_in, then just add another entry:

Example:

access-list outside_access_in extended permit icmp any any echo-reply

I hope the above helps.

Regards,

Ahmed
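As an added example that is not part of the original thread and not Cisco code, the following Python script models the behaviour the replies describe: one access-list bound per interface and direction, a second access-group on the same interface and direction replacing the earlier binding while the earlier access-list stays in the configuration, and the fix of rebinding the previous list and appending the new port to it. The configuration lines, the interface name and the host addresses are constructed for the example; the script parses text only and does not talk to an ASA.

```python
"""Model of ASA access-list / access-group binding (added example, not Cisco code).

The config lines below are constructed to mirror the scenario in the thread:
three existing rules on outside_access_in, then a new ACL named port-forward
bound to the same interface/direction, which replaces the previous binding.
"""
import re
from dataclasses import dataclass, field

# Only the two line shapes used in the thread are modelled.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(.+?)\s*$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)\s*$")


@dataclass
class AsaAclModel:
    acls: dict = field(default_factory=dict)      # ACL name -> list of ACE strings
    bindings: dict = field(default_factory=dict)  # (interface, direction) -> ACL name
    events: list = field(default_factory=list)    # human-readable binding changes

    def apply(self, line: str) -> None:
        """Apply one configuration line; anything else is ignored."""
        line = line.strip()
        if m := ACE_RE.match(line):
            self.acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := GROUP_RE.match(line):
            name, direction, iface = m.groups()
            key = (iface, direction)
            previous = self.bindings.get(key)
            if previous is not None and previous != name:
                # The old ACL is no longer evaluated on this interface/direction,
                # but it is still present in self.acls (i.e. in the running config).
                self.events.append(f"{iface}/{direction}: {previous} replaced by {name}")
            self.bindings[key] = name

    def bound_acl(self, iface: str, direction: str = "in"):
        return self.bindings.get((iface, direction))

    def effective_aces(self, iface: str, direction: str = "in") -> list:
        """ACEs the firewall actually evaluates for this interface/direction."""
        return list(self.acls.get(self.bound_acl(iface, direction), []))

    def unbound_acls(self) -> list:
        """ACLs present in the config but bound to no interface (orphans)."""
        return sorted(set(self.acls) - set(self.bindings.values()))


def add_port_rule(model: AsaAclModel, iface: str, host: str, port: int,
                  proto: str = "tcp", direction: str = "in") -> str:
    """Append a permit ACE to the ACL that is already bound, never to a new name."""
    name = model.bound_acl(iface, direction)
    if name is None:
        raise ValueError(f"no access-group bound on {iface} {direction}")
    line = f"access-list {name} extended permit {proto} any host {host} eq {port}"
    model.apply(line)
    return line


# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """
access-list outside_access_in extended permit tcp any host 192.168.1.50 eq 1234
access-list outside_access_in extended permit tcp any host 192.168.1.51 eq 4567
access-list outside_access_in extended permit tcp any host 192.168.1.52 eq 8900
access-group outside_access_in in interface outside
access-list port-forward extended permit tcp any host 192.168.1.53 eq 7000
access-group port-forward in interface outside
"""


def replay(config: str = SAMPLE_CONFIG) -> AsaAclModel:
    model = AsaAclModel()
    for line in config.splitlines():
        model.apply(line)
    return model


def recover(model: AsaAclModel, previous_name: str, iface: str = "outside",
            host: str = "192.168.1.53", port: int = 7000) -> str:
    """Rebind the previous ACL and add the new port on that same ACL."""
    model.apply(f"access-group {previous_name} in interface {iface}")
    return add_port_rule(model, iface, host, port)


if __name__ == "__main__":
    m = replay()
    print("bound on outside/in:", m.bound_acl("outside"))
    print("effective ACEs:", len(m.effective_aces("outside")))
    print("unbound ACLs:", m.unbound_acls())
    print("\n".join(m.events))
    added = recover(m, "outside_access_in")
    print("after recovery:", m.bound_acl("outside"), len(m.effective_aces("outside")))
    print("added:", added)
```

Run against the sample, the model shows the symptom from the question (only one ACE is effective on the outside interface, and outside_access_in is listed as unbound) and then the recovery. On a real ASA the equivalent checks are `show running-config access-group`, to see which list is bound to each interface, and `show access-list <name>`, to see the entries and hit counts of that list; an ACL that appears in the running config but in no access-group line is the orphan this script reports.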
