Thoroughly Confused with ADSM created access-lists when viewing ASA config

paulbatte
Level 1

Background:

I am trying to unravel an ASA 5550 config that has been created over several years, by multiple people, some who used ADSM, some who used CLI.

None of them ever removed any lines from the configuration, and none did any documentation.

I have several basic questions, which show my ignorance.

When examining the actual configuration from a CLI perspective:

1. Does an ADSM-created access list end with any specific ADSM-added suffix?

2. When ANY access list is created in an ASA 5550, does it HAVE to be included in the access-group command to be functional? Can it also be functional if referenced in a "nat" command?

3. If the access list does meet either of the criteria specified in question #2, is it completely non-functional?

4. If an access list is applied to a logical or physical port that is shut down, is the access list functional?

4 Replies

frederic_hohn
Level 1

The access list will have a standard name if created with ASDM, but an access list or its statements have no suffix when created with ASDM.

Access lists don't have to be included in the access-groups!

They are also used to define the interesting traffic for VPNs, class maps or for debugging with captures, for example.

The lists should have descriptive names to understand their purposes. Anyway, look where they are referenced in the configuration before deleting or editing.

ACLs cannot be used in nat commands; you need objects for the nat statements.

If the ACL is bound to a shutdown interface, it can still be used at another place, so verify again where it is used in your configuration.

Hi Paul,

1. If you create an access-list with the ASDM, let's say you select Inside on the drop-down menu, then the ASDM would create an access-list by the name "Inside_access_in", and you need to enable it by checking the box; have a look at the two screenshots.

2. Access-list is used for many purposes, please go through the doc below carefully to understand the usage:

    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_overview.html

3. The doc would answer this as well.

4. If the port is down, the access-list would never work, since the packets would never be processed.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Another feature that might be very helpful to you would be the preview command feature:

Go to Tools -> Preferences -> select the option "Preview commands before sending them to the box"

This would show you all the commands that are being used when you check any box and click on the Apply button, so that you are aware of the CLI config as well.

Hope that helps,

Thanks,
Varun Rao
Security Team,
Cisco TAC


Actually, I don't think I ever made myself clear.

I am working with a hard copy of the CLI.

I have no access to the devices to run any commands, nor access to the ADSM.

I have to get someone with access to the devices to get the CLI based config, or run any show commands for me.

As stated before, it has been built and rebuilt by different people, some using CLI, some using ADSM, but no one ever cleaned up code or documented.

I have probably 10-15 different access lists in this config.

Some look to be affiliated with specific ports. Some of these ports are up, some down.

I have the same rule sets appearing in 3 separate access lists, in some cases.

Of course, each of these 3 access lists is slightly different.

Here is the worst example I have to deal with, and hence why I need to know if an access-list can be active WITHOUT being defined in the access-group command AND AT THE SAME time NOT affiliated with a port.

An example:

3 access lists:

Primary_Public_access_in

Primary_Public_access_in_tmp

Arin_Primary_Public_access_in

Primary_Public_access_in_tmp is associated with the Primary_Public interface, since it is defined in an access-group command.

Arin_Public_Primary_access_in is associated with a logical port that is shut down.

Primary_Public_access_in does not appear to be directly associated with any one port.

So are Arin_Public_Primary_access_in and Primary_Public_access_in access lists that are being referenced to manage traffic?
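The advice in the first reply (look where each list is referenced before deleting it) and the three-list situation in the last post can be checked mechanically from the hard copy of the config, which is all the poster has. The script below is an added example, not code from any participant or from Cisco: it runs over a constructed sample ASA config (the ACL names mirror the poster's; rules, addresses and interface layout are hypothetical), maps each `access-list` name to the commands that reference it (`access-group`, `crypto map ... match address`, `match access-list` in a class-map, and the pre-8.3 `nat (ifc) N access-list NAME` policy-NAT form, which is assumed to possibly survive in a config built over many years), flags lists whose only binding is an interface with `shutdown`, and lists rule bodies that appear in more than one ACL.

```python
import re
from collections import defaultdict

# Constructed sample ASA running-config fragment (not from the thread). ACL names
# mirror the poster's; rules, addresses and interface layout are hypothetical.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Primary_Public
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif Arin_Public
 ip address 198.51.100.2 255.255.255.0
 shutdown
!
access-list Primary_Public_access_in extended permit tcp any host 203.0.113.10 eq 443
access-list Primary_Public_access_in_tmp extended permit tcp any host 203.0.113.10 eq 443
access-list Primary_Public_access_in_tmp extended permit tcp any host 203.0.113.10 eq 80
access-list Arin_Primary_Public_access_in extended permit ip any any
access-list VPN_Interesting extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list CAP_DEBUG extended permit ip host 10.1.1.5 any
access-group Primary_Public_access_in_tmp in interface Primary_Public
access-group Arin_Primary_Public_access_in in interface Arin_Public
crypto map outside_map 10 match address VPN_Interesting
"""

# Commands that make an ACL "live". access-group is the one the question is about;
# the others are the extra uses the replies mention. The pre-8.3 policy-NAT form is
# an assumption about old configs; 8.3+ NAT uses objects, not ACLs.
REFERENCE_PATTERNS = [
    ("access-group", re.compile(r"^access-group (\S+) (?:in|out) interface (\S+)")),
    ("crypto map match address", re.compile(r"^crypto map \S+ \d+ match address (\S+)")),
    ("class-map match access-list", re.compile(r"^ match access-list (\S+)")),
    ("pre-8.3 policy nat", re.compile(r"^nat \(\S+\) \d+ access-list (\S+)")),
]


def parse_interfaces(config):
    """Return {nameif: is_shutdown} from the interface blocks of an ASA config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {"name": None, "shutdown": False}
        elif line.startswith(" ") and current is not None:
            parts = line.split()
            if parts[0] == "nameif":
                current["name"] = parts[1]
            elif parts[0] == "shutdown":
                current["shutdown"] = True
        else:
            # Any non-indented line ("!" or the next top-level command) ends the block.
            if current is not None and current["name"]:
                interfaces[current["name"]] = current["shutdown"]
            current = None
    if current is not None and current["name"]:
        interfaces[current["name"]] = current["shutdown"]
    return interfaces


def audit_acls(config):
    """For every defined access-list, record where it is referenced and classify it."""
    interfaces = parse_interfaces(config)
    defined, references = defaultdict(int), defaultdict(list)
    for line in config.splitlines():
        m = re.match(r"^access-list (\S+) ", line)
        if m:
            defined[m.group(1)] += 1  # counts remark lines as well
            continue
        for label, pattern in REFERENCE_PATTERNS:
            m = pattern.match(line)
            if not m:
                continue
            where = label
            if label == "access-group":
                ifc = m.group(2)
                if ifc not in interfaces:
                    state = "unknown interface"
                else:
                    state = "shutdown" if interfaces[ifc] else "up"
                where = f"access-group on {ifc} ({state})"
            references[m.group(1)].append(where)
    report = {}
    for name, count in defined.items():
        uses = references.get(name, [])
        if not uses:
            status = "unreferenced"
        elif all(u.endswith("(shutdown)") for u in uses):
            status = "only on shutdown interface"
        else:
            status = "active"
        report[name] = {"lines": count, "references": uses, "status": status}
    return report


def find_shared_rules(config):
    """Map each rule body to the ACLs containing it; keep bodies found in more than one ACL."""
    by_rule = defaultdict(set)
    for line in config.splitlines():
        m = re.match(r"^access-list (\S+) ((?:extended|standard) .*)$", line)
        if m:
            by_rule[m.group(2)].add(m.group(1))
    return {rule: sorted(names) for rule, names in by_rule.items() if len(names) > 1}


if __name__ == "__main__":
    for name, info in audit_acls(SAMPLE_CONFIG).items():
        print(f"{name}: {info['status']} {info['references']}")
    for rule, names in find_shared_rules(SAMPLE_CONFIG).items():
        print(f"shared rule '{rule}' in {names}")
```

Paste the `show running-config` text into `SAMPLE_CONFIG` (or read it from a file) and the report gives, per list, the same answer the replies give in words: a list with no reference at all does nothing, a list bound only to a shut-down interface does nothing until that interface comes up, and only lists with at least one live reference actually filter traffic. Note that `capture` commands are not part of the running configuration, so a capture that names an ACL will not show up in a hard copy.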
