cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
23280
Views
5
Helpful
33
Replies

diffence between Access rules and ACL Manager

zain_gabon
Level 1
Level 1

Dear Support,

Can somebody clarify for me the difference between creating rules using Access rules and using ACL Manager?

when i create a rule graphically, i see it on ASDM and when i create the same rule using cli, i cannot see it on Access rules, i can, only see it on ACL Manager, so it's not clear for between access rules and ACL Manger.

Cout on you

Thanks

13 Accepted Solutions

Accepted Solutions

Maykol Rojas
Cisco Employee
Cisco Employee

Hi,

When you create ACL's with the manager, those acls are not applied for permitting or denying traffic on an interface. They are used for matching criteria. For example, to be used no a policy nat, QoS, VPN tunnel interesting traffic etc.

Cheers

Mike.

Mike

View solution in original post

Hi Zain,

What Mike said is absolutely correct...whenever you are creating an interface ACL you would have to do it from the ACL option, thats why you see ACL's there under each interface.

As per the ACL manager, those ACL's are not used for filtering incoming traffic, rather than matching the traffic in different configuration such as QoS, captures, tunnels. In the ACL manager you would see the ACL's as per their names rather than the interface.Mike was spot on for this.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

Hi Zain,

For accessing the internet from inside, you dont need an access-list, because inside interface is your highly secured network (security-level 100) and high security to low secutiy traffic is implicitly allowed.

I woudl also suggest you to plz follow this thread, most of you questions would be answered here:

https://supportforums.cisco.com/thread/2083101?tstart=0

Plz let me know if you have any queries regarding it.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

For internet access you would require the following configuration:

nat (inside) 1 192.168.2.0 255.255.255.0

global (outside) 1 interface

route 0 0

This should be enough for the users to get internet access.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

Hi Zain,

Lets take up your requirement one by one, and try and configure it through CLI(we'll leave the ASDM for a while).

If your SMTP server is on the DMZ then you would need to configure the following:

static (dmz,outside)   < Real ip of server>

access-list outside_access_in extended permit tcp any host eq 25

access-list outside_access_in extended permit tcp any host eq 110

access-group  outside_access_inin interface outside

Let me know what your other requirement is.

You might have missed this command:

access-group  outside_access_inin interface outside

this applies the ACL on outside interface.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

No problem Zain , let me know if you get stuck anywhere, you can post on this thread only.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

Zain,

You can only have one access-group per interface, so if you have 3 interfaces then you can create just 3 access-groups, one for each interface.

For multiple ACL's on same interface, just keep the same names for them:

access-list DMZ_in extended permit tcp host 192.168.2.80 host 192.168.1.12 eq smtp
access-list DMZ_In extended permit tcp host 192.168.2.80 host 192.168.36.7 eq smtp
access-list DMZ_In extended permit tcp host 192.168.2.80 host 192.168.58.12 eq smtp
access-list DMZ_In extended permit tcp host 192.168.2.80 host 192.168.8.21 eq smtp
access-list DMZ_In extended permit udp host 192.168.2.100 host 192.168.15.2
access-list DMZ_In extended permit ip host 192.168.2.100 host 192.168.100.1
access-list DMZ_In extended permit ip host 192.168.2.10 192.168.116.0 255.255.255.0

access-group DMZ_In in interface DMZ

Hope this helps you.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

Hi Zain,

You can have to access-group per interface.

1. inbound

2. outbound

E.g. access-list test extended permit ip any any
access-group test in interface inside
access-group test out interface inside

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

View solution in original post

Hi Zain,

Its the difference of the direction of traffic flow out of the interface,i if the traffic is in ingress direction, then we use in interafce inside but if we want to apply

ACL for traffic going out of the interface we use out interface inside. Here is a sdmqall diagram:

outside-------------------ASA--------------------Inside

                                                 -------------------------->

                                                out interafce inside

outside--------------------ASA-------------------Inside

                                              <-------------------------------

                                                in interafce inside

I hope this would help you in understanding it better.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

Hi Zain,

the access-group should be "in interface outside" only because you are blocking tarffic going ingress the outside interafce of the ASA, you can also do out int dmz, but thats not the best practise, you should always block traffic closer to the source, and moreover its not logical to first allow traffic inside your firewall and then block it on dmz interface.

Let me know if you have any questions.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

Zain,

You might need to add the following commands on firewall:

icmp permit any dmz

try pinging after that, let me know how it goes.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

Hi Zain,

The IN is used when you want the access-list to be applied for traffic coming towards the box on that interface.

The OUT is used when you want the access-list to be applied for traffic going away from the box on that interface.

Hope this helps.

Regards,
Anisha

P.S.: please mark this thread as answered  if  you feel your query is resolved. Do rate helpful posts.

View solution in original post

33 Replies 33

Maykol Rojas
Cisco Employee
Cisco Employee

Hi,

When you create ACL's with the manager, those acls are not applied for permitting or denying traffic on an interface. They are used for matching criteria. For example, to be used no a policy nat, QoS, VPN tunnel interesting traffic etc.

Cheers

Mike.

Mike

Hi Mike,

Thanks a lot for you quick response,

That means, if i need to create a policy for permetting trafic, i need to use Access Rules Under Firewall Menu?

Another Thing, when i create a policy with Access rule, it's automatically create a ACL on ACL Manager, Wht this?

Thanks

Hi Zain,

What Mike said is absolutely correct...whenever you are creating an interface ACL you would have to do it from the ACL option, thats why you see ACL's there under each interface.

As per the ACL manager, those ACL's are not used for filtering incoming traffic, rather than matching the traffic in different configuration such as QoS, captures, tunnels. In the ACL manager you would see the ACL's as per their names rather than the interface.Mike was spot on for this.

Thanks,

Varun

Thanks,
Varun Rao

Thanks, Varun,

Not really clear for me, First, i just want to allow users in inside network to access to Internet. What to do in this case?

what is the cli command ?

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.10.10.10 255.255.255.0

interface GigabitEthernet0/1
nameif outside
security-level 100
ip address 192.168.2.1 255.255.255.0

The users are behind inside interface

Regards

Hi Zain,

For accessing the internet from inside, you dont need an access-list, because inside interface is your highly secured network (security-level 100) and high security to low secutiy traffic is implicitly allowed.

I woudl also suggest you to plz follow this thread, most of you questions would be answered here:

https://supportforums.cisco.com/thread/2083101?tstart=0

Plz let me know if you have any queries regarding it.

Thanks,

Varun

Thanks,
Varun Rao

For internet access you would require the following configuration:

nat (inside) 1 192.168.2.0 255.255.255.0

global (outside) 1 interface

route 0 0

This should be enough for the users to get internet access.

Thanks,

Varun

Thanks,
Varun Rao

Thanks Varun,

I have already read the think you send to me.

Sorry, it' not clear for me. i' have a cisco ASA 5520 on my table for making test.

i'm doing many scenarios and have many differences. Creating policy using CLI and ASDM and i don't have the same result, it's confused for me.

For example, i want to allow trafic from internet to go to smtp server which located on dmz (i did correctly the static nat), sometime i see a access-list under ACL, but nothing on Access Rules and vis versa.

Regards

Hi Zain,

Lets take up your requirement one by one, and try and configure it through CLI(we'll leave the ASDM for a while).

If your SMTP server is on the DMZ then you would need to configure the following:

static (dmz,outside)   < Real ip of server>

access-list outside_access_in extended permit tcp any host eq 25

access-list outside_access_in extended permit tcp any host eq 110

access-group  outside_access_inin interface outside

Let me know what your other requirement is.

You might have missed this command:

access-group  outside_access_inin interface outside

this applies the ACL on outside interface.

Thanks,

Varun

Thanks,
Varun Rao

It's work Fine,

Thanks a lol Varun for your precious Help,

The problem was to apply  the ACL on the Interface.

access-group  outside_access_in in interface outside

Many Thanks, i understand,

No problem Zain , let me know if you get stuck anywhere, you can post on this thread only.

Thanks,

Varun

Thanks,
Varun Rao

Dear Varun,

To close with my interrogation, please, how many access-group we can have by interface?

Regards

Zain,

You can only have one access-group per interface, so if you have 3 interfaces then you can create just 3 access-groups, one for each interface.

For multiple ACL's on same interface, just keep the same names for them:

access-list DMZ_in extended permit tcp host 192.168.2.80 host 192.168.1.12 eq smtp
access-list DMZ_In extended permit tcp host 192.168.2.80 host 192.168.36.7 eq smtp
access-list DMZ_In extended permit tcp host 192.168.2.80 host 192.168.58.12 eq smtp
access-list DMZ_In extended permit tcp host 192.168.2.80 host 192.168.8.21 eq smtp
access-list DMZ_In extended permit udp host 192.168.2.100 host 192.168.15.2
access-list DMZ_In extended permit ip host 192.168.2.100 host 192.168.100.1
access-list DMZ_In extended permit ip host 192.168.2.10 192.168.116.0 255.255.255.0

access-group DMZ_In in interface DMZ

Hope this helps you.

Thanks,

Varun

Thanks,
Varun Rao

Many Thanks,

With your help, i understand my Cisco ASA

Regars

Hi Zain,

You can have to access-group per interface.

1. inbound

2. outbound

E.g. access-list test extended permit ip any any
access-group test in interface inside
access-group test out interface inside

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Review Cisco Networking for a $25 gift card