Difference between Access rules and ACL Manager

zain_gabon
Level 1

Dear Support,

Can somebody clarify for me the difference between creating rules using Access rules and using ACL Manager?

When I create a rule graphically, I see it in ASDM, but when I create the same rule using the CLI, I cannot see it under Access rules, I can only see it under ACL Manager, so the difference between Access rules and ACL Manager is not clear to me.

Count on you

Thanks


Dear Anisha,

Many thanks for your help, this really helped me.

Regards

Dear Anisha,

Thanks for your help, but I want to know what the difference is between these lines:

access-group test in interface inside
access-group test out interface inside

When do we need to use IN and when OUT?

Regards

Hi Zain,

It's the difference in the direction of traffic flow through the interface: if the traffic is in the ingress direction, then we use "in interface inside", but if we want to apply the

ACL to traffic going out of the interface, we use "out interface inside". Here is a small diagram:

outside-------------------ASA--------------------Inside

                                                 -------------------------->

                                                out interface inside

outside--------------------ASA-------------------Inside

                                              <-------------------------------

                                                in interface inside

I hope this helps you understand it better.

Thanks,

Varun

Thanks,
Varun Rao

Hi Zain,

This should clear things up better:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/command/reference/a1.html#wp1558618

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

It's very clear, thanks.

In my case, I want to allow outside traffic coming from the Internet to my web server located in the dmz. Will the direction of traffic be "out interface outside"?

Internet-----------ASA------------dmz

-------------------------------------> traffic is from the Internet to my ASA

Here is my access-list and access-group:

access-list outside_access_in extended permit tcp any host eq www

access-group outside_access_in in interface out

Why is the access-group "IN"?

Hi Zain,

The access-group should be "in interface outside" only, because you are blocking traffic going ingress on the outside interface of the ASA. You can also do "out int dmz", but that's not the best practice; you should always block traffic closer to the source, and moreover it's not logical to first allow traffic inside your firewall and then block it on the dmz interface.

Let me know if you have any questions.

Thanks,

Varun

Thanks,
Varun Rao

Dear Varun,

Thanks, it's now clear to me.

My confusion was between ingress and egress.

I understand now.

Regards

Dear Varun, excuse me, but I have a strange situation.

From my ASA, I cannot ping any other nodes which are in the subnet of interface gi0/2:

interface GigabitEthernet0/0
nameif out
security-level 0
ip address public-ip 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.3.4.209 255.255.252.0
!
interface GigabitEthernet0/2
nameif dmz1
security-level 50
ip address 192.168.46.1 255.255.255.0

But from the ASA, I cannot ping 192.168.46.2 (server1) and also cannot ping 192.168.46.3 (server2).

The interface gi0/2 is in the same VLAN as server1 and server2.

Do you have an idea?

Zain,

Please answer the following questions:

++ What is your topology, is it something like this?

ASA------------router---------------servers

++ Can you ping the firewall inside IP from the servers?

++ Please turn off any firewall or anti-virus running on the servers.

++ Can you ping the next hop from the ASA?

Please let me know the answers, and we'll move forward on it.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

My topology is like this:

Internet----------internet-router----------ASA-----------Switch---------servers (located in dmz and inside depending on port vlan)

From inside, I can ping the inside interface of the firewall and browse fine.

But from the servers which are in the dmz, I cannot ping the ASA dmz interface.

The servers have the ASA dmz interface as their gateway.

Maybe the issue is the Windows firewall; I will check it.

Zain,

You might need to add the following command on the firewall:

icmp permit any dmz

Try pinging after that and let me know how it goes.

Thanks,

Varun

Thanks,
Varun Rao

Dear,

It's working fine now.

Thanks

Regards

Dear Varun,

Please help me with which ports need to be opened to allow the Cisco SSL VPN Client to pass through the firewall.

Regards

Hi Zain,

The IN is used when you want the access-list to be applied for traffic coming towards the box on that interface.

The OUT is used when you want the access-list to be applied for traffic going away from the box on that interface.

Hope this helps.

Regards,
Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
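The IN/OUT direction semantics explained in Varun's and Anisha's replies above, as an added illustration that is not part of the thread: a small Python model of which ACLs an ASA consults for a flow, using a constructed config in the style of Zain's access-list/access-group lines. The web server address 192.168.46.2, the interface names and the security levels are assumptions made for this example.

```python
import ipaddress
# Constructed config modelled on the thread; the web server address 192.168.46.2,
# interface names and security levels are assumptions made for this example.
ASA_CONFIG = """
access-list outside_access_in extended permit tcp any host 192.168.46.2 eq www
access-group outside_access_in in interface outside
"""
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}
PORT_NAMES = {"www": 80, "https": 443}
def take_addr(tokens):  # any | host A.B.C.D | NETWORK MASK
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_config(text):
    acls, bindings = {}, {}
    for parts in (line.split() for line in text.strip().splitlines()):
        if parts[0] == "access-list":
            # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
            name, action, proto = parts[1], parts[3], parts[4]
            src, rest = take_addr(parts[5:])
            dst, rest = take_addr(rest)
            port = PORT_NAMES[rest[1]] if rest[:1] == ["eq"] else None
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif parts[0] == "access-group":
            # access-group NAME in|out interface IFNAME -> bindings[(IFNAME, dir)]
            bindings[(parts[4], parts[2])] = parts[1]
    return acls, bindings

def acl_verdict(entries, proto, src, dst, dport):
    for action, p, s, d, port in entries:  # first matching ACE wins
        if p in (proto, "ip") and src in s and dst in d and port in (None, dport):
            return action
    return "deny"  # implicit deny at the end of every ASA ACL

def evaluate_flow(acls, bindings, ingress, egress, proto, src, dst, dport):
    """(verdict, ACLs consulted): 'in' ACL on ingress first, then 'out' on egress."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    consulted = []
    # With no inbound ACL, the security-level default applies: high -> low only
    if (ingress, "in") not in bindings and SECURITY_LEVEL[ingress] <= SECURITY_LEVEL[egress]:
        return "deny", consulted
    for iface, direction in ((ingress, "in"), (egress, "out")):
        name = bindings.get((iface, direction))
        if name is not None:
            consulted.append(f"{name} {direction} interface {iface}")
            if acl_verdict(acls[name], proto, src, dst, dport) == "deny":
                return "deny", consulted
    return "permit", consulted
```

Running `evaluate_flow` for an Internet client reaching the dmz web server shows the "in interface outside" ACL being consulted on ingress, while a dmz-to-Internet flow with no ACL bound falls through to the security-level default.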

Dear Anisha,

Can you help me with which ports need to be opened on the Cisco ASA to allow SSL VPN to pass?

Regards
