05-09-2010 05:00 AM - edited 03-11-2019 10:42 AM
Hello Guys,
I am working with extended ACLs on the Cisco ASA. I know that it is true that a person can only put one ACL in each direction on an interface with a Cisco router, but I want to know if this is true with an ASA device. It seems like whenever I attach a different ACL on the same interface in the same direction it removes the previously attached access-group from the interface. I hope I do not have to have one access-list applied with all my rules in it. That could be dangerous if I ever have to remove an entry from the access-list and remove the entire ACL by mistake.
05-09-2010 05:33 AM
That is exactly how it works. One ACL to each interface. The only exception is that you can apply a second EtherType ACL (which can permit special protocols, e.g. BPDU). If you are doing it by hand, then it is probably best to copy the original access-list and access-group and change the ACL name before changing it, so you can quickly revert back to the previous one. That way you would have the new and old rules easy to switch between.
05-09-2010 07:57 AM
iketurner931 wrote:
OK. So then you are saying that I can have access-list extended 101, 102, 103, etc., but I can only have one of them applied to the interface, and the others would only be used to define interesting traffic (permit/deny) or some other function that does not require the ACL to be applied to the interface. Oh yeah, thanks for the information about changing the name of the ACL, then changing the properties of the ACL and then applying the copy. That is so sweet. Never even thought of it. So simple.
You can apply 2 ACLs to each ASA interface, one in the inbound direction and one in the outbound direction.
Jon
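Pulling Matt's and Jon's answers together, here is an added ASA configuration walk-through; it is not from anyone in this thread, and the ACL names, the outside interface and the 192.0.2.x addresses are constructed:

```text
! Constructed example, not from the thread: interface name and 192.0.2.x
! addresses are made up. Output shown in comments is what to expect.

! 1. Original extended ACL, bound inbound on the outside interface.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! 2. A second extended ACL in the SAME direction does not stack: the ASA
!    replaces the binding, and OUTSIDE_IN is silently detached.
access-list OTHER_ACL extended permit icmp any any
access-group OTHER_ACL in interface outside
show running-config access-group
!   access-group OTHER_ACL in interface outside

! 3. Inbound and outbound are separate slots (Jon's point): two ACLs per
!    interface, one per direction.
access-list OUTSIDE_OUT extended permit ip any any
access-group OUTSIDE_IN in interface outside
access-group OUTSIDE_OUT out interface outside

! 4. Matt's exception (transparent firewall mode): an EtherType ACL binds
!    alongside the extended ACL on the same interface and direction.
access-list ETH_IN ethertype permit bpdu
access-group ETH_IN in interface outside

! 5. Safe change: copy the rules under a new name, edit the copy, then
!    swap the binding. The old ACL stays in the config for rollback.
access-list OUTSIDE_IN_v2 extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN_v2 extended permit tcp any host 192.0.2.10 eq 22
access-list OUTSIDE_IN_v2 extended deny ip any any log
access-group OUTSIDE_IN_v2 in interface outside

! Check hit counts on the new ACL before removing the old one.
show access-list OUTSIDE_IN_v2

! Rollback is a single command:
access-group OUTSIDE_IN in interface outside

! Deleting one ACE requires the full ACE text; the rest of the ACL is
! untouched (the risk raised in the question).
no access-list OUTSIDE_IN_v2 extended permit tcp any host 192.0.2.10 eq 22
```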
05-09-2010 06:02 AM
OK. So then you are saying that I can have access-list extended 101, 102, 103, etc., but I can only have one of them applied to the interface, and the others would only be used to define interesting traffic (permit/deny) or some other function that does not require the ACL to be applied to the interface. Oh yeah, thanks for the information about changing the name of the ACL, then changing the properties of the ACL and then applying the copy. That is so sweet. Never even thought of it. So simple.
05-09-2010 08:38 AM
Thanks for everything Jon. I just wanted to make sure I was doing everything right.
05-09-2010 08:37 AM
Thanks for everything Matt. I just wanted to make sure I was doing everything right.