Firewall Extended Access-List Question???

Charlie Mayes (Level 1)

Hello Guys,

I am working with extended ACLs on the Cisco ASA. I know that on a Cisco router a person can only put one ACL in each direction on an interface, but I want to know if this is also true with an ASA device. It seems like whenever I attach a different ACL to the same interface in the same direction, it removes the previously attached access-group from the interface. I hope I do not have to have one access-list applied with all my rules in it. That could be dangerous if I ever have to remove an entry from the access-list and remove the entire ACL by mistake.


5 Replies

matt.walls (Level 1)

That is exactly how it works. One ACL to each interface. The only exception is that you can apply a second EtherType ACL (which can permit special protocols, i.e. BPDU, etc.). If you are doing it by hand, then it is probably best to copy the original access-list and access-group, and change the ACL name before changing anything, so you can quickly revert back to the previous one. That way you would have the new and old rules easy to switch between.

Ok. So then you are saying that I can have extended access-lists 101, 102, 103, etc., but I can only have one of them applied to the interface, and the others would only be used to define interesting traffic (permit/deny) or some other function that does not require the ACL to be applied to the interface. Oh yeah, thanks for the information about changing the name of the ACL, then changing the properties of the ACL and then applying the copy. That is so sweet. Never even thought of it. So simple.

iketurner931 wrote:

Ok. So then you are saying that I can have extended access-lists 101, 102, 103, etc., but I can only have one of them applied to the interface, and the others would only be used to define interesting traffic (permit/deny) or some other function that does not require the ACL to be applied to the interface. Oh yeah, thanks for the information about changing the name of the ACL, then changing the properties of the ACL and then applying the copy. That is so sweet. Never even thought of it. So simple.

You can apply 2 ACLs to each ASA interface, one in the inbound direction and one in the outbound direction.

Jon
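The two points made in the replies above, one ACL per interface per direction and the copy-then-swap approach for safe changes, as an added ASA configuration example. This is not from the thread and not Cisco documentation; the interface name `outside`, the ACL names and the 203.0.113.10 address are constructed for illustration.

```text
! Current rule set, bound inbound on the outside interface
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Step 1: build the edited rule set under a new name, leaving OUTSIDE_IN untouched
access-list OUTSIDE_IN_V2 extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN_V2 extended deny ip any any log

! Step 2: bind the new ACL. Only one ACL can be bound inbound on this interface,
! so this line replaces the OUTSIDE_IN binding (the behaviour the question describes).
access-group OUTSIDE_IN_V2 in interface outside

! Step 3 (rollback, if needed): rebinding the old name is a single command
access-group OUTSIDE_IN in interface outside

! The outbound direction is independent: a second ACL may be bound out on the same interface
access-list OUTSIDE_OUT extended permit ip any any
access-group OUTSIDE_OUT out interface outside

! Removing one entry from an ACL versus removing the whole ACL (the risk raised in the question):
! removes only the matching ACE
no access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
! removes every ACE of OUTSIDE_IN, so confirm the name before running it
clear configure access-list OUTSIDE_IN

! Verify what is actually bound, and watch hit counts on the new list
show running-config access-group
show access-list OUTSIDE_IN_V2
```

The point of the staged copy is that the old ACL stays in the configuration while the new one is tested, so reverting is a single `access-group` command rather than re-entering rules from memory; checking `show running-config access-group` after each swap confirms that exactly one ACL is bound per interface and direction.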

Thanks for everything Jon. I just wanted to make sure I was doing everything right.

Thanks for everything Matt. I just wanted to make sure I was doing everything right.
