Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
461
Views
0
Helpful
3
Replies

Very simple ACL question

billmatthews
Level 1
Level 1

‎01-24-2012 06:40 AM - edited ‎03-11-2019 03:18 PM

I am looking over a config of an old ASA5520.  One network has this ACL applied:

access-list acl_dmztest extended permit icmp any any

access-list acl_dmztest extended permit ip any any

access-list acl_dmztest extended permit tcp host 10.10.10.10 host 10.20.20.20 eq http

Isn't that last statement unneccessary?  Would there ever be a valid reason for doing it like that?  I'm thinking maybe for logging/rule tracking?  Anything else?

Thanks

Bill

Labels:
0 Helpful
3 Replies 3

ajay chauhan
Level 7
Level 7

‎01-24-2012 06:52 AM

Hi Bill,

There is a simple rule to put ACL on ASA/PIX. Just remember from Lower Security Level to Higher security level implicit deny is  there so to allow this communication you will have to configure ACL to allow specific .

From higher to lower is always allowed no rules required untill unless you want to block some traffic.So cofiguring deny would be good option.

Outside default security level is = 0

Inside Default Security level = 100

DMZ can be anything =0 to 100

Hope this help.

Thanks

Ajay

0 Helpful

billmatthews
Level 1
Level 1
In response to ajay chauhan

‎01-24-2012 07:08 AM

Hi Thanks Ajay,

I understand that.  But if line#2 permits ip any, then why would you need line#3 ?

0 Helpful

ajay chauhan
Level 7
Level 7
In response to billmatthews

‎01-24-2012 07:10 AM

If permit any any then 3rd not required.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card