How can I let the interface ACL take precedence instead of the global ACL in ASA 8.31?

hainsannn
Level 1

In ASA 8.31 the global ACL seems to be taking precedence. I want to use the interface ACL. What do I need to do? Thanks!

4 Replies

Jennifer Halim
Cisco Employee

Interface specific ACL should take precedence over the global ACL.

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/a1.html#wp1597389

Hi Jennifer, thanks for the answer, but I did all that. The issue is that the "global_access" ACL is taking the hit; instead, I want the "outside-102_access_in" ACL to take the hit. Refer to the config and output below. Note the hit count (hitcnt). I was using ASDM for the configuration. Thanks in advance.

#Configuration#

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.10.49.10 255.255.255.0
!
interface Ethernet0/0.102
 vlan 102
 nameif outside-102
 security-level 0
 ip address 10.10.102.10 255.255.255.0

access-list outside_access_in extended permit tcp object dwp-network object-group dmz-test-servers object-group web-services
access-list outside-102_access_in extended permit tcp object dwp-network object-group dmz-test-servers object-group web-services
access-list global_access extended permit tcp object dwp-network object-group dmz-test-servers object-group web-services
access-list global_access extended deny ip any any

access-group outside_access_in in interface outside
access-group outside-102_access_in in interface outside-102
access-group global_access global

---------------------------------------------------------------------------------------------------------------------------------

#(show access-list) ACL hit output#

access-list outside-102_access_in; 6 elements; name hash: 0xc363e860
access-list outside-102_access_in line 2 extended permit tcp object dwp-network object-group dmz-test-servers object-group web-services 0xe570cd00
  access-list outside-102_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.10.141 eq www (hitcnt=0) 0x15474d40
  access-list outside-102_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.10.141 eq https (hitcnt=0) 0x53b13506
  access-list outside-102_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.10.140 eq www (hitcnt=1) 0x6a950467
  access-list outside-102_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.10.140 eq https (hitcnt=0) 0x3829b7d9
  access-list outside-102_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.10.141 eq 8080 (hitcnt=0) 0xa50cd17d
  access-list outside-102_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.10.140 eq 8080 (hitcnt=0) 0xa9068494
access-list global_access line 2 extended permit tcp object dwp-network object-group dmz-test-servers object-group web-services 0x2d7c6535
  access-list global_access line 2 extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.10.141 eq www (hitcnt=80) 0xbc9de457
  access-list global_access line 2 extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.10.141 eq https (hitcnt=14) 0x04fd7f01
  access-list global_access line 2 extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.10.140 eq www (hitcnt=25) 0xcec77040
  access-list global_access line 2 extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.10.140 eq https (hitcnt=20) 0xbfc31e79
  access-list global_access line 2 extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.10.141 eq 8080 (hitcnt=0) 0xd5207de1
  access-list global_access line 2 extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.10.140 eq 8080 (hitcnt=4) 0x2266d79c
access-list global_access line 3 extended deny ip any any (hitcnt=158) 0x0cac2fd5
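To see which ACL is actually counting the traffic without reading the counters by hand, here is an added example (my own code, not from the thread or from Cisco) that parses the hitcnt values out of show access-list output like the one above and flags ACEs where the global copy has hits while the identical interface-ACL copy has none, which is what a correctly ordered interface-then-global evaluation should not produce for traffic entering that interface. The regex, the function names and the embedded sample (a subset of the output above) are my own constructions.

```python
import re
from collections import defaultdict

# Expanded ACE line of ASA "show access-list" output (the lines that carry a
# hitcnt). The pattern is my own, written from the output format in the thread.
ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*?)\s*\(hitcnt=(?P<hits>\d+)\)"
)

# Constructed sample: a subset of the show access-list output posted above.
SAMPLE = """\
access-list outside-102_access_in line 2 extended permit tcp object dwp-network object-group dmz-test-servers object-group web-services 0xe570cd00
  access-list outside-102_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.10.141 eq www (hitcnt=0) 0x15474d40
  access-list outside-102_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.10.140 eq www (hitcnt=1) 0x6a950467
  access-list global_access line 2 extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.10.141 eq www (hitcnt=80) 0xbc9de457
  access-list global_access line 2 extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.10.140 eq www (hitcnt=25) 0xcec77040
access-list global_access line 3 extended deny ip any any (hitcnt=158) 0x0cac2fd5
"""

def parse_hits(output):
    """Map ACL name -> list of (line, action, proto, match_text, hitcnt)."""
    acls = defaultdict(list)
    for raw in output.splitlines():
        m = ACE_RE.match(raw)
        if m:  # object-group summary lines carry no hitcnt and are skipped
            acls[m["acl"]].append((int(m["line"]), m["action"], m["proto"],
                                   m["rest"], int(m["hits"])))
    return dict(acls)

def total_hits(acls):
    """Total hitcnt per ACL: shows at a glance which list is counting traffic."""
    return {name: sum(e[4] for e in entries) for name, entries in acls.items()}

def precedence_findings(acls, interface_acl, global_acl):
    """Flag ACEs present in both lists where only the global copy has hits.
    The interface ACL is evaluated before the global ACL, so an identical ACE
    with global hitcnt > 0 and interface hitcnt == 0 means that traffic never
    matched the interface ACL (it entered via another interface, or arrived
    before the interface ACL was bound)."""
    iface = {(a, p, r): h for _, a, p, r, h in acls.get(interface_acl, [])}
    findings = []
    for _, action, proto, rest, hits in acls.get(global_acl, []):
        key = (action, proto, rest)
        if key in iface and hits > 0 and iface[key] == 0:
            findings.append((" ".join(key), iface[key], hits))
    return findings
```

Feed it the full output of show access-list (for example via parse_hits(open("show-access-list.txt").read())) and compare total_hits() per ACL; on the sample it reports the 192.168.10.141 www ACE as 0 hits on outside-102_access_in versus 80 on global_access.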

Hello,

Please share the entire configuration of the ASA... It might be something else

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

If you are using an 8.3+ version: I think you are trying to access from outside, which will be the internet. I hope you are aware that in 8.3+, while writing an access-list for the outside interface, if you are using NAT statements then you have to use the private IP instead of the public one.

Ex for pre 8.2: access-list raja extended permit ip any host 4.4.4.4 (this will be the access list if you are trying from the internet and your inside host (10.1.1.1) is NATed to 4.4.4.4).

Ex for post 8.3: access-list raja extended permit ip any host 10.1.1.1 (this will be the access list if you are trying from the internet and your inside host (10.1.1.1) is NATed to 4.4.4.4).

You have to use the private IP in your access-lists while NATing in the new ASA software.

Try this and let me know if this resolves the issue.

Thanks,

VairavarajaRP
