02-05-2011 10:12 PM - edited 03-11-2019 12:45 PM
Greetings,
It has been quite some time since I got my CCSP certification. As per my understanding, any kind of access allowed or denied is done and visible under the Configuration-Firewall-Access Rule section. However, recently I came across a Cisco ASA configuration which had a special rule allowing only specific IPs access to the internet, and this rule was visible only under ACL Manager (Configuration-Firewall-Advanced-ACL Manager). So this led to some confusion in my head and I wanted to know the difference between the two.
Regards
02-06-2011 02:23 AM
There are always 2 places where you can configure access rules:
1) Under "Configuration-Firewall-Access Rule" section, this section is only for all the access rules applied to the ASA interfaces --> firewall rules.
2) Under "Configuration-Firewall-Advanced-ACL Manager" section, this includes all types of access-list that can be applied to different sections of the configuration, i.e.: firewall rules, crypto ACL for VPN, split tunnel ACL, class map matching ACL, vpn filter ACL, etc.
Hope that answers your questions.
02-06-2011 03:10 AM
Thanks for the input. Kindly check the attached file. The screenshot has an image which displays an access rule under ACL Manager. This same rule is not visible under the Configuration-Firewall-Access Rule area. It should have also been displayed under Inside (Incoming rules). So does this rule mean that IP addresses under object "Special-access" have access to all interfaces? What's the purpose for someone to add an access rule under ACL Manager when one can do the same under the Configuration-Firewall-Access Rules section?
Correct me if I am wrong: suppose I want to create a rule where a computer residing on the internal LAN wants to communicate with DMZ and Outside. I would create this under ACL Manager without specifying Inside or Outside. I would use the Configuration-Firewall-Access Rule option only if I want to allow the same computer to communicate with one interface and not the other. Is this explanation correct?
Regards
02-06-2011 03:40 PM
Dear Sundeep
Your screenshot doesn't show us everything, but what I can see is an access-control entry with a sequence number 1, which implies it's a separate access-list (possibly not used on an interface; I can't see that from the screenshot).
You have to understand, that access-lists can exist on their own, without being applied as a traffic filter on an interface. These access-lists can be configured in the section you showed us: the ACL-manager.
The access-rules in the firewall configuration are different: they are a combination of an access-list and an access-group command, used as a filter on an interface.
Best practice is to configure access-rules under the firewall configuration and not within the ACL Manager. Advantages are the extensive filter capabilities of the firewall configuration; you can even build queries that precisely show you what you want to see (if you have a current ASDM).
Hope that helps, MiKa
02-06-2011 09:08 PM
I have always created access rules through the Configuration-Firewall-Access Rule option, and this is the reason why I got confused when I saw an access rule under ACL Manager. Anyway, thanks for the clarification; I appreciate your time.
Regards
02-06-2011 09:12 PM
Forgot to ask you one last question. You mentioned that access lists can exist on their own, right? Agreed, but don't you have to apply an access-list to an interface, and also the direction, in or out? Or in the ASA world does it not matter whether or not you have tied it to an interface?
Regards
02-06-2011 09:16 PM
Yes, you will have to apply the access-list in the "in" or "out" direction for the firewall rules; otherwise, the firewall rules will not take effect until you actually apply it to an interface.
02-06-2011 10:54 PM
Hi Sundeep
CSCOxxxxxxxx wrote: ???? Are you using your testing ID as a login/user-ID? You shouldn't do that, according to the policies and "terms of use". Maybe it's a bug in the discussion board software and that CSCO-string should never have shown up... (I have obfuscated the actual number.)
Forgot to ask you one last question. You mentioned that access lists can exist on their own, right? Agreed, but don't you have to apply an access-list to an interface, and also the direction, in or out? Or in the ASA world does it not matter whether or not you have tied it to an interface?
Regards
Access-lists can be used for other purposes than filtering, e.g. selecting traffic for QoS or VPN, defining class maps for inspection, etc. In that case the ACL isn't used with an "access-group" statement but with something like "match address", depending on the command and syntax.
For these purposes the ACL Manager might be handy...
Rgds,
MiKa
02-07-2011 01:12 AM
OK, everything's clear now. This access list "Special-Access" is applied to a nat statement nat (inside) 1 access-list 5. This is the reason why I was able to see this access entry only under ACL Manager.
Thanks to you and Jennifer Halim for helping me out.
Regards
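The distinction the replies above draw (an interface filter is an access-list plus an access-group; the same access-list command can instead be referenced by nat, crypto map match address, class-map match access-list, vpn-filter or split-tunnel statements, and such an ACL shows up only in ACL Manager) can be checked mechanically against a running-config, which is how the poster's "access list 5 used by nat" case would have been found without a screenshot. The script below is an added example, not from the thread and not Cisco tooling; the configuration it parses is constructed with hypothetical names and addresses, and its patterns cover the classic pre-8.3 syntax used in the thread (object NAT and twice NAT in 8.3+ do not reference ACLs by name, so they are not covered).

```python
"""Audit how each access-list in a Cisco ASA running-config is actually used.

Added example (not from the thread, not Cisco's tooling). Command patterns are
the classic pre-8.3 forms seen in the thread, e.g. nat (inside) 1 access-list X.
"""
import re
from collections import defaultdict

# Constructed sample configuration (hypothetical names and addresses). It
# reproduces the thread's situation: one ACL bound to an interface with
# access-group, one referenced only by a policy-NAT statement, plus VPN, QoS
# and group-policy uses, one ACL nobody references, and one reference to an
# ACL that was never defined.
SAMPLE_CONFIG = """\
object-group network Special-access
 network-object host 10.1.1.10
 network-object host 10.1.1.11
access-list inside_access_in extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list inside_access_in extended deny ip any any
access-list special_nat extended permit ip object-group Special-access any
access-list outside_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list voice_qos extended permit udp any any range 16384 32767
access-list ra_filter extended permit tcp any 10.1.1.0 255.255.255.0 eq 443
access-list split_acl standard permit 10.1.1.0 255.255.255.0
access-list old_unused extended permit ip any any
access-group inside_access_in in interface inside
nat (inside) 1 access-list special_nat
global (outside) 1 interface
crypto map outside_map 10 match address outside_cryptomap
class-map voice
 match access-list voice_qos
group-policy RA_POLICY attributes
 vpn-filter value ra_filter
 split-tunnel-network-list value split_acl
group-policy LEGACY_POLICY attributes
 vpn-filter value legacy_filter
"""

# Global access-list settings that look like ACL definitions but are not.
NOT_AN_ACL = {"alert-interval", "deny-flow-max"}
ACL_DEF = re.compile(r"^access-list (\S+) ")

# Each pattern captures the ACL name in group 1; the label says what that
# reference makes the ACL do. Only the first one makes it a traffic filter on
# an interface (what ASDM lists under Configuration > Firewall > Access Rules).
REFERENCE_PATTERNS = [
    (re.compile(r"^access-group (\S+) (in|out) interface (\S+)"), "interface filter"),
    (re.compile(r"^nat \(\S+\) \d+ access-list (\S+)"), "policy NAT"),
    (re.compile(r"^static \(\S+,\S+\) \S+ access-list (\S+)"), "policy static NAT"),
    (re.compile(r"^crypto map \S+ \d+ match address (\S+)"), "crypto map (VPN)"),
    (re.compile(r"^\s+match access-list (\S+)"), "class-map match"),
    (re.compile(r"^\s+vpn-filter value (\S+)"), "vpn-filter"),
    (re.compile(r"^\s+split-tunnel-network-list value (\S+)"), "split-tunnel"),
]


def classify_acls(config_text):
    """Return (defined, usage): ACE count per defined ACL, and the list of uses per ACL name."""
    defined = defaultdict(int)
    usage = defaultdict(list)
    for line in config_text.splitlines():
        m = ACL_DEF.match(line)
        if m and m.group(1) not in NOT_AN_ACL:
            defined[m.group(1)] += 1
            continue
        for pattern, role in REFERENCE_PATTERNS:
            m = pattern.match(line)
            if m:
                if role == "interface filter":
                    role = f"interface filter ({m.group(2)} on {m.group(3)})"
                usage[m.group(1)].append(role)
                break
    return dict(defined), dict(usage)


def audit(config_text):
    """Split ACLs into interface filters, other uses, unreferenced, and dangling references."""
    defined, usage = classify_acls(config_text)

    def is_filter(roles):
        return any(r.startswith("interface filter") for r in roles)

    return {
        "interface_filters": sorted(n for n in defined if is_filter(usage.get(n, []))),
        "other_uses": sorted(n for n in defined if usage.get(n) and not is_filter(usage[n])),
        # Defined but never referenced: it filters nothing, whatever ACL Manager shows.
        "unreferenced": sorted(n for n in defined if not usage.get(n)),
        # Referenced but never defined: a leftover pointer to an ACL that no longer exists.
        "dangling": sorted(n for n in usage if n not in defined),
    }


if __name__ == "__main__":
    defined, usage = classify_acls(SAMPLE_CONFIG)
    for name in sorted(set(defined) | set(usage)):
        uses = ", ".join(usage.get(name, [])) or "UNREFERENCED"
        status = "" if name in defined else "  <-- not defined"
        print(f"{name:20} {defined.get(name, 0):2d} ACEs  {uses}{status}")
```

Run it against `show running-config` output instead of the embedded sample to see which ACLs are real interface filters, which only feed NAT, VPN or QoS, and which are defined but bound to nothing. The last group is the one to watch: an ACL that appears in ACL Manager with a permit or deny entry but has no access-group behind it enforces nothing, which is exactly the misunderstanding in the original question. The patterns are line regexes, not a full ASA parser, so extend REFERENCE_PATTERNS for any other ACL-consuming command in your configs (for example, aaa match or ssh/http access lines).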