ASA duplicating rules to Global when applying to Outside Interface

Topologist
Level 1

Hello All

Cisco ASA 5545

ASA Version: 9.8(2)28

ASDM Version: 7.9(2)152

We are having some issues with the ASA FW access rules. We had major network issues yesterday and to eliminate the factors, we added permit any/any for outside interface and global to rule out the FW issue. It turned out that the ASA FW wasn’t at fault but something else was.

However, this morning when we had a look, the permit Any/Any rule removed the rest of the rules from the outside interface. We realised that we were to add the any/any rule at a certain line number. Rules are still present in the ACL Manager, however not in the interface.

I started manually attaching the rules to the interface but realised that the FW is also applying the similar rules to the Global interface, which is not desired. I have tried creating a new rule and copying a rule from another interface to the outside interface, but the FW applies the same rule to the outside and global interfaces. I tried deleting a rule from Global, which also deletes it from the Outside Interface, and vice versa.

Is there a way that we can move Access Rules from ACL Manager to Outside Interface?

5545X-ASA# sh resource usage
Resource Current Peak Limit Denied Context
SSH Server 1 2 5 0 CTX-SVRS
ASDM 3 5 5 0 CTX-SVRS
Syslogs [rate] 1171 22629 unlimited 0 CTX-SVRS
Conns 25608 86188 unlimited 0 CTX-SVRS
Hosts 5832 8882 unlimited 0 CTX-SVRS
Conns [rate] 356 6018 unlimited 0 CTX-SVRS
Inspects [rate] 103 3637 unlimited 0 CTX-SVRS
Routes 25 25 unlimited 0 CTX-SVRS
Syslogs [rate] 0 72 unlimited 0 Legacy-LAN333

_______________________________________

5545X-ASA# show inventory
Name: "Chassis", DESCR: "ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt"
PID: ASA5545 , VID: V05 , SN: FTX2130W1LE

Name: "power supply 0", DESCR: "ASA 5545-X/5555-X AC Power Supply"
PID: ASA-PWR-AC , VID: N/A , SN: 75N1B7

Name: "power supply 1", DESCR: "ASA 5545-X/5555-X AC Power Supply"
PID: ASA-PWR-AC , VID: N/A , SN: 3871LL

_________________________________________________________

 

1 Reply

Mike.Cifelli
VIP Alumni
For clarification:
The ACL manager should be used only when you want an ACL to be applied to interesting traffic for something like a redirect ACL for an access portal, etc.
When you want to apply ACLs to interfaces, do it under Configuration->Firewall->Access Rules if using ASDM, and assign accordingly to the respective interface. This will filter incoming/outgoing traffic.

Good luck & HTH!
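
An added example, not part of the thread and not Cisco tooling: a check over a saved running-config that flags any ACL bound by `access-group` both to an interface and globally (one configuration in which an edit made in one place shows up in the other, as in the question) and any leftover `permit ip any any` entry in a bound ACL. The ACL names, addresses and config lines are constructed samples, and the function name `audit` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of ASA running-config lines (not from the original post).
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit ip any any
access-list INSIDE_IN extended permit ip 10.0.0.0 255.0.0.0 any
access-group OUTSIDE_IN in interface outside
access-group OUTSIDE_IN global
access-group INSIDE_IN in interface inside
"""

# access-group <acl> {in|out} interface <ifname>  |  access-group <acl> global
BIND_RE = re.compile(
    r"^access-group\s+(\S+)\s+(?:(in|out)\s+interface\s+(\S+)|(global))\b")
# An extended ACE that permits all IP traffic from any source to any destination.
ANY_ANY_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+any\s+any\b")

def audit(config):
    """Return (shared, open_rules).

    shared: ACL name -> binding points, for ACLs bound at more than one point.
    open_rules: (ACL name, binding points) for bound ACLs with 'permit ip any any'.
    """
    bindings = defaultdict(list)
    any_any = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = BIND_RE.match(line)
        if m:
            name, direction, ifname, is_global = m.groups()
            bindings[name].append("global" if is_global else f"{ifname}/{direction}")
            continue
        m = ANY_ANY_RE.match(line)
        if m:
            any_any.add(m.group(1))
    shared = {n: pts for n, pts in bindings.items() if len(pts) > 1}
    open_rules = [(n, bindings[n]) for n in sorted(any_any) if n in bindings]
    return shared, open_rules

if __name__ == "__main__":
    shared, open_rules = audit(SAMPLE_CONFIG)
    for name, pts in shared.items():
        print(f"{name}: one ACL bound at {', '.join(pts)}; an edit changes every binding")
    for name, pts in open_rules:
        print(f"{name}: contains 'permit ip any any', applied at {', '.join(pts)}")
```

Run it against the text saved from `show running-config` on the affected context; an ACL reported as shared needs separate ACL names per binding point before its rules can be edited independently.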