09-24-2008 09:56 AM - edited 02-21-2020 03:01 AM
I have imported my ASA live from the network; however, I have 6 different ACLs on my interfaces. Under access-rules, CSM has combined them all into the LOCAL policy. How do I stop this? I want to see it broken out by ACL name.
09-24-2008 11:20 AM
Provide:
sh run access-l
sh run access-g
sh run policy-map
sh run class-map
REGARDS,
sushil
09-24-2008 11:30 AM
Sushil
Here you go. What I'm seeing is that when I go under
Firewall --> Access Rules
everything is grouped under policy LOCAL, and I don't see the ACLs broken out by name. The only way I can tell what they are for is by looking at the interface. Is there a way to override this??
access-list in extended permit icmp any any
access-list in extended permit tcp any interface outside eq smtp
access-list in extended permit tcp any interface outside eq 81
access-list in extended permit tcp any interface outside eq pop3
access-list in extended permit tcp any interface outside eq ftp
access-list in extended permit tcp any interface outside eq 3389
access-list in extended permit tcp any interface outside eq https
access-list in extended permit tcp any interface outside eq www
access-list in extended permit esp any any
access-list in extended permit tcp any interface outside eq 8080
access-list in extended permit tcp any interface outside eq 8443
access-list in extended permit tcp any interface outside eq 8000
access-list in extended permit tcp any interface outside eq 1935
access-list nonat extended permit ip any 192.168.219.0 255.255.255.0
access-list nonat extended permit ip any 192.168.253.0 255.255.255.0
access-list nonat extended permit ip any 192.168.220.0 255.255.255.0
access-list inbound-fw-acl extended permit icmp any any
access-list inbound-fw-acl extended deny ip any any
access-list outbound-fw-acl extended permit ip any any
access-list outbound-fw-acl extended permit icmp any any
access-list split-tunnel standard permit 192.168.0.0 255.255.0.0
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
access-list split-tunnel standard permit 172.16.0.0 255.240.0.0
access-list dmz extended permit tcp any any eq 80
access-list dmz extended deny ip any any
access-list CSM_TF_ACL_vonage__1 extended permit ip any host 192.168.1.36
access-list CSM_TF_ACL_vonage__1 extended permit ip any host 10.10.13.5
Lab-ASA# sh run access-group
access-group in in interface outside
access-group dmz in interface dmz
Lab-ASA# sh run class-map
!
class-map inspection_default
match default-inspection-traffic
class-map vonage_1
match access-list CSM_TF_ACL_vonage__1
!
Lab-ASA# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
class vonage_1
priority
!
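The "broken out by ACL name" view the poster is after can be reconstructed from the raw `sh run` output itself. The following is an added example, not code from the thread or from CSM: it groups `access-list` entries by ACL name and records where each ACL is referenced (an `access-group` interface binding or a `class-map` match), so unreferenced ACLs stand out during a review. The sample input is a constructed subset of the configuration posted above; NAT and crypto references are not parsed, so an ACL such as `nonat` will show as unbound here even if `nat (inside) 0 access-list nonat` exists elsewhere.

```python
"""Group ASA access-list entries by ACL name and map each ACL to its
access-group binding (direction/interface) or class-map reference."""
import re
from collections import OrderedDict

# Constructed sample: a subset of the "sh run" output posted in the thread.
SAMPLE = """\
access-list in extended permit icmp any any
access-list in extended permit tcp any interface outside eq smtp
access-list nonat extended permit ip any 192.168.219.0 255.255.255.0
access-list inbound-fw-acl extended permit icmp any any
access-list inbound-fw-acl extended deny ip any any
access-list dmz extended permit tcp any any eq 80
access-list dmz extended deny ip any any
access-list CSM_TF_ACL_vonage__1 extended permit ip any host 192.168.1.36
access-group in in interface outside
access-group dmz in interface dmz
class-map vonage_1
 match access-list CSM_TF_ACL_vonage__1
"""

ACE_RE = re.compile(r"^access-list (\S+) (extended|standard) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
MATCH_RE = re.compile(r"^\s*match access-list (\S+)$")

def _entry(acls, name, kind="?"):
    return acls.setdefault(name, {"type": kind, "aces": [], "bindings": []})

def parse_acls(text):
    """Return {acl_name: {"type": ..., "aces": [...], "bindings": [...]}},
    preserving the order in which ACL names first appear in the config."""
    acls = OrderedDict()
    last_class = None
    for line in text.splitlines():
        if m := ACE_RE.match(line):
            name, kind, body = m.groups()
            _entry(acls, name, kind)["aces"].append(body)
        elif m := GROUP_RE.match(line):
            name, direction, iface = m.groups()
            _entry(acls, name)["bindings"].append(f"{direction} on {iface}")
        elif line.startswith("class-map "):
            last_class = line.split()[1]  # remember the enclosing class-map
        elif m := MATCH_RE.match(line):
            _entry(acls, m.group(1))["bindings"].append(f"class-map {last_class}")
    return acls

def unbound_acls(acls):
    """ACLs that have entries but no access-group or class-map reference."""
    return [n for n, a in acls.items() if a["aces"] and not a["bindings"]]

if __name__ == "__main__":
    for name, a in parse_acls(SAMPLE).items():
        print(f"{name} ({a['type']}): {len(a['aces'])} ACEs, bound: {a['bindings'] or 'NONE'}")
```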