Difference between Access rules and ACL Manager

zain_gabon
Level 1

Dear Support,

Can somebody clarify for me the difference between creating rules using Access rules and using ACL Manager?

When I create a rule graphically, I see it in ASDM, but when I create the same rule using the CLI, I cannot see it under Access rules; I can only see it under ACL Manager. So the difference between Access rules and ACL Manager is not clear to me.

Count on you

Thanks

Accepted Solutions
Hi Zain,

It's the difference in the direction of traffic flow through the interface: if the traffic is in the ingress direction, then we use "in interface inside", but if we want to apply the

ACL to traffic going out of the interface, we use "out interface inside". Here is a small diagram:

outside-------------------ASA--------------------Inside

                                                 -------------------------->

                                                 out interface inside

outside-------------------ASA--------------------Inside

                                               <---------------------------

                                                 in interface inside

I hope this would help you in understanding it better.

Thanks,

Varun

Thanks,
Varun Rao


Hi Zain,

The access-group should be "in interface outside" only, because you are blocking traffic going ingress on the outside interface of the ASA. You can also do "out int dmz", but that's not the best practice; you should always block traffic closer to the source, and moreover it's not logical to first allow traffic inside your firewall and then block it on the DMZ interface.

Let me know if you have any questions.

Thanks,

Varun


Zain,

You might need to add the following command on the firewall:

icmp permit any dmz

Try pinging after that; let me know how it goes.

Thanks,

Varun


Hi Zain,

The IN is used when you want the access-list to be applied for traffic coming towards the box on that interface.

The OUT is used when you want the access-list to be applied for traffic going away from the box on that interface.

Hope this helps.

Regards,
Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Replies

Maykol Rojas
Cisco Employee

Hi,

When you create ACLs with the manager, those ACLs are not applied for permitting or denying traffic on an interface. They are used as matching criteria, for example on a policy NAT, QoS, VPN tunnel interesting traffic, etc.

Cheers

Mike.

Hi Mike,

Thanks a lot for your quick response.

That means, if I need to create a policy for permitting traffic, I need to use Access Rules under the Firewall menu?

Another thing: when I create a policy with Access Rules, it automatically creates an ACL in ACL Manager. Why is this?

Thanks

Hi Zain,

What Mike said is absolutely correct... whenever you are creating an interface ACL you would have to do it from the ACL option; that's why you see ACLs there under each interface.

As for the ACL manager, those ACLs are not used for filtering incoming traffic, but rather for matching traffic in different configurations such as QoS, captures, tunnels. In the ACL manager you would see the ACLs by their names rather than by interface. Mike was spot on for this.

Thanks,

Varun

Thanks, Varun,

It's not really clear to me. First, I just want to allow users in the inside network to access the Internet. What do I do in this case?

What is the CLI command?

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.10.10.10 255.255.255.0

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0

The users are behind the inside interface.

Regards

Hi Zain,

For accessing the Internet from inside, you don't need an access-list, because the inside interface is your highly secured network (security-level 100) and high security to low security traffic is implicitly allowed.

I would also suggest that you please follow this thread; most of your questions would be answered here:

https://supportforums.cisco.com/thread/2083101?tstart=0

Please let me know if you have any queries regarding it.

Thanks,

Varun


For internet access you would require the following configuration:

nat (inside) 1 192.168.2.0 255.255.255.0

global (outside) 1 interface

route outside 0.0.0.0 0.0.0.0 <next-hop ip of your ISP>

This should be enough for the users to get internet access.

Thanks,

Varun


Thanks Varun,

I have already read the thing you sent to me.

Sorry, it's not clear to me. I have a Cisco ASA 5520 on my table for making tests.

I'm doing many scenarios and getting many differences. Creating a policy using the CLI and ASDM, I don't have the same result; it's confusing for me.

For example, I want to allow traffic from the Internet to go to an SMTP server which is located on the DMZ (I did the static NAT correctly). Sometimes I see an access-list under ACL, but nothing under Access Rules, and vice versa.

Regards

Hi Zain,

Let's take up your requirements one by one, and try to configure it through the CLI (we'll leave ASDM for a while).

If your SMTP server is on the DMZ then you would need to configure the following:

static (dmz,outside) <public ip of server> <real ip of server> netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host <public ip of server> eq 25

access-list outside_access_in extended permit tcp any host <public ip of server> eq 110

access-group outside_access_in in interface outside

Let me know what your other requirement is.

You might have missed this command:

access-group outside_access_in in interface outside

This applies the ACL on the outside interface.

Thanks,

Varun


It works fine.

Thanks a lot, Varun, for your precious help.

The problem was applying the ACL on the interface:

access-group outside_access_in in interface outside

Many thanks, I understand.

No problem Zain, let me know if you get stuck anywhere; you can post on this thread only.

Thanks,

Varun


Dear Varun,

To close my question, please, how many access-groups can we have per interface?

Regards

Zain,

You can only have one access-group per interface, so if you have 3 interfaces then you can create just 3 access-groups, one for each interface.

For multiple ACLs on the same interface, just keep the same name for them:

access-list DMZ_In extended permit tcp host 192.168.2.80 host 192.168.1.12 eq smtp
access-list DMZ_In extended permit tcp host 192.168.2.80 host 192.168.36.7 eq smtp
access-list DMZ_In extended permit tcp host 192.168.2.80 host 192.168.58.12 eq smtp
access-list DMZ_In extended permit tcp host 192.168.2.80 host 192.168.8.21 eq smtp
access-list DMZ_In extended permit udp host 192.168.2.100 host 192.168.15.2
access-list DMZ_In extended permit ip host 192.168.2.100 host 192.168.100.1
access-list DMZ_In extended permit ip host 192.168.2.10 192.168.116.0 255.255.255.0

access-group DMZ_In in interface DMZ

Hope this helps you.

Thanks,

Varun


Many thanks,

With your help, I understand my Cisco ASA.

Regards

Hi Zain,

You can have two access-groups per interface:

1. inbound

2. outbound

E.g. access-list test extended permit ip any any
access-group test in interface inside
access-group test out interface inside

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
