Need clarification on the differences between Access rules and ACL manager (ASA)

Sundeep Dsouza
Level 1

Greetings,

It has been quite some time since I got my CCSP certification. As per my understanding, any kind of access allowed or denied is done and visible under the Configuration-Firewall-Access Rule section. However, recently I came across a Cisco ASA configuration which had a special rule allowing only specific IPs access to the internet and this rule was visible only under ACL manager (Configuration-Firewall-Advanced-ACL Manager). So this led to a confusion in my head and I wanted to know the difference between the two.

Regards


Jennifer Halim
Cisco Employee

There are always 2 places where you can configure access rules:

1) Under "Configuration-Firewall-Access Rule" section, this section is only for all the access rules applied to the ASA interfaces --> firewall rules.

2) Under "Configuration-Firewall-Advanced-ACL Manager" section, this includes all types of access-list that can be applied to different sections of the configuration, i.e.: firewall rules, crypto ACL for VPN, split tunnel ACL, class map matching ACL, vpn filter ACL, etc.

Hope that answers your questions.

Thanks for the input. Kindly check the attached file. The screenshot has an image which displays an access rule under ACL manager. This same rule is not visible under Configuration-Firewall-Access rule area. It should have also been displayed under Inside (Incoming rules). So does this rule mean that IP addresses under object "Special-access" have access to all interfaces? What's the purpose for someone to add an access rule under ACL manager when one can do the same under Configuration-Firewall-Access rules section?

Correct me if I am wrong: suppose I want to create a rule where a computer residing on the internal LAN wants to communicate with DMZ and Outside, I would create this under ACL Manager without specifying Inside or Outside. I would use the Configuration-Firewall-Access rule option only if I want to allow the same computer to communicate with one interface and not the other. Is this explanation correct?

Regards

Dear Sundeep

your screenshot doesn't show us everything but what I can see is an access-control-entry with a sequence number 1, which implies it's a separate access-list (possibly not used on an interface, I can't see that from the screenshot).

You have to understand that access-lists can exist on their own, without being applied as a traffic filter on an interface. These access-lists can be configured in the section you showed us: the ACL-manager.

The access-rules in the firewall configuration are different: they are a combination of an access-list and an access-group command, used as a filter on an interface.

Best practice is to configure access-rules under the firewall configuration and not within the ACL-manager. Advantages are the extensive filter capabilities of the firewall configuration; you can even build queries that precisely show you what you want to see (if you have a current ASDM).

Hope that helps, MiKa

I have always created Access rules through the Configuration-Firewall-Access rule option and this is the reason why I got confused when I saw an access rule under ACL manager. Anyways, thanks for the clarification and I appreciate your time.

Regards

Forgot to ask you one last question. You mentioned that access lists can exist on their own, right? Agreed, but don't you have to apply an access-list to an interface and also the direction, in or out? Or in the ASA world does it not matter whether or not you have tied it to an interface?

Regards

Yes, you will have to apply the access-list in the "in" or "out" direction for the firewall rules; otherwise, the firewall rules will not take effect until you actually apply it to an interface.

Hi Sundeep

CSCOxxxxxxxx wrote:   ???? Are you using your testing ID as a login/user-ID? You shouldn't do that, according to the policies and "terms of use". Maybe it's a bug in the discussion board software and that CSCO-string should never have shown up... (I have obfuscated the actual number)

Forgot to ask you one last question. You mentioned that access lists can exist on their own, right? Agreed, but don't you have to apply an access-list to an interface and also the direction, in or out? Or in the ASA world does it not matter whether or not you have tied it to an interface?

Regards

Access-lists can be used for other purposes than filtering, e.g. selecting traffic for QoS or VPN, defining class maps for inspection, etc. In that case the ACL isn't used with an "access-group" statement but with something like "match address", depending on the command and syntax.

for these purposes the ACL-manager might be handy...

Rgds,

MiKa

Ok, everything's clear now. This access list "Special-Access" is applied to a nat statement: nat (inside) 1 access-list 5. This is the reason why I was able to see this access entry only under ACL manager.

Thanks to you and Jennifer Halim for helping me out.

Regards
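The thread's distinction (an access-list becomes a firewall rule only when an "access-group" binds it to an interface; otherwise it is a policy ACL referenced by nat, crypto map "match address", split-tunnel lists and the like, or simply unreferenced) is exactly what an auditor wants to check against a running-config. The script below is an added example written for this thread, not Cisco's code and not something from the original posts. The ASA config it parses is constructed sample text: every ACL name, object name and address in it is made up, including the "nat (inside) 1 access-list 5" line modelled on Sundeep's final post. It classifies each access-list as an interface filter (what ASDM shows under Firewall > Access Rules), a policy ACL (only visible in ACL Manager), or unreferenced.

```python
"""Classify access-lists in a Cisco ASA config by how they are referenced.

Added example for the ASDM "Access Rules" vs "ACL Manager" discussion; it is
not Cisco code. SAMPLE_CONFIG is constructed text with made-up names and
addresses. The reference patterns cover the common cases named in the thread
(access-group, nat, crypto map match address, class-map match access-list,
split-tunnel and vpn-filter); other reference forms would need extra patterns.
"""
import re
from collections import defaultdict

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
object-group network Special-Access
 network-object host 10.1.1.10
 network-object host 10.1.1.11
access-list outside_access_in remark web server from the internet
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 any
access-list 5 extended permit ip object-group Special-Access any
access-list vpn_crypto extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list split_tun standard permit 10.1.0.0 255.255.0.0
access-list old_rule extended permit tcp any any eq 23
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
nat (inside) 1 access-list 5
crypto map outside_map 10 match address vpn_crypto
group-policy RA_POLICY attributes
 split-tunnel-network-list value split_tun
"""

# ACL definition lines: "access-list NAME extended|standard|remark|... "
ACL_DEF = re.compile(r"^access-list\s+(\S+)\s+(extended|standard|remark|webtype|ethertype)\b")
# Interface bindings: "access-group NAME in|out interface IFACE" or the global form.
ACCESS_GROUP = re.compile(r"^access-group\s+(\S+)\s+(?:(in|out)\s+interface\s+(\S+)|global)\b")
# Non-filter (policy) references; group 1 is always the ACL name.
POLICY_REFS = [
    re.compile(r"^nat\s+\(\S+\)\s+\d+\s+access-list\s+(\S+)"),          # policy NAT
    re.compile(r"^\s*crypto map\s+\S+\s+\d+\s+match address\s+(\S+)"),  # crypto ACL
    re.compile(r"^\s*match access-list\s+(\S+)"),                        # class-map
    re.compile(r"^\s*split-tunnel-network-list value\s+(\S+)"),          # split tunnel
    re.compile(r"^\s*vpn-filter value\s+(\S+)"),                         # vpn filter
]


def classify_acls(config_text):
    """Return {acl_name: {kind, aces, bindings, refs}} for every ACL defined."""
    defined = {}                  # name -> number of real ACEs (remarks excluded)
    bindings = defaultdict(list)  # name -> [(direction, interface)]
    refs = defaultdict(list)      # name -> [referencing config line]
    for line in config_text.splitlines():
        m = ACL_DEF.match(line)
        if m:
            name, entry_kind = m.group(1), m.group(2)
            defined.setdefault(name, 0)
            if entry_kind != "remark":
                defined[name] += 1
            continue
        m = ACCESS_GROUP.match(line)
        if m:
            bindings[m.group(1)].append((m.group(2) or "global", m.group(3) or "global"))
            continue
        for pat in POLICY_REFS:
            m = pat.match(line)
            if m:
                refs[m.group(1)].append(line.strip())
                break
    result = {}
    for name, ace_count in defined.items():
        if name in bindings:
            kind = "interface-filter"   # shown under Firewall > Access Rules
        elif name in refs:
            kind = "policy"             # only visible in ACL Manager
        else:
            kind = "unreferenced"       # defined but never used: review candidate
        result[name] = {"kind": kind, "aces": ace_count,
                        "bindings": bindings.get(name, []), "refs": refs.get(name, [])}
    return result


if __name__ == "__main__":
    for name, info in classify_acls(SAMPLE_CONFIG).items():
        where = info["bindings"] or info["refs"] or "-"
        print(f"{name:20s} {info['kind']:17s} aces={info['aces']} {where}")
```

Run it against the output of "show running-config" saved to a file by replacing SAMPLE_CONFIG with the file contents. ACLs reported as "unreferenced" are the ones worth a second look: like the rule in the screenshot, they never filter anything on their own, but they also tend to be forgotten leftovers that get bound to an interface later without review.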
