ASA Access Lists

BHconsultants88
Level 1

Hi guys

Really hope someone can help with this, it's driving me up the wall. I have an ASA with a number of ACLs configured (examples below):

access-list Inside_nat0_outbound extended permit ip 10.154.246.0 255.255.254.0 object-group All_HQ_VPN_Protected_Networks
access-list Outside_20_cryptomap remark This rule protects traffic destined for HQ's internal private networks.
access-list Outside_20_cryptomap extended permit ip object-group BLADEInternal object-group All_HQ_VPN_Protected_Networks
access-list Inside_access_in extended permit ip object-group BLADEInternal object-group DM_INLINE_NETWORK_5
access-list Outside_access_in extended permit tcp object data.meetingmatrix.com 10.154.246.0 255.255.254.0 object-group WebServices

I need to deny Internet traffic temporarily. When I add a firewall rule in the ASDM GUI, it shows on the command line like this:

access-list Inside_nat0_outbound extended permit ip 10.154.246.0 255.255.254.0 object-group All_HQ_VPN_Protected_Networks
access-list Outside_20_cryptomap remark This rule protects traffic destined for HQ's internal private networks.
access-list Outside_20_cryptomap extended permit ip object-group BLADEInternal object-group All_HQ_VPN_Protected_Networks
access-list Inside_access_in extended permit ip object-group BLADEInternal object-group DM_INLINE_NETWORK_5
access-list Outside_access_in extended permit tcp object data.meetingmatrix.com 10.154.246.0 255.255.254.0 object-group WebServices
access-list Inside_access_in_1 extended deny ip any any

Two questions:

  1. Why does the deny rule appear on interface Inside_access_in_1 (what does the _1 represent?)
  2. Can I apply this deny rule on Access List, not on the firewall?

Thank you

2 Replies

johnd2310
Level 8

Hi,

When creating the access-list rule, you need to choose the access-list you are adding the rule to. You probably just chose the interfaces and the firewall created a new access-list for you. Inside_access_in_1 is probably an access-list the firewall created for you.

If the access-list for your Internet traffic is Outside_access_in, then you will need to choose this access-list in ASDM and apply the deny rule to this access-list.

Thanks

John

**Please rate posts you find helpful**
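To check John's point on a real config, here is an added example (my own script, not Cisco's code and not from either poster) that parses ASA `access-list` and `access-group` lines, reports which interface each ACL is bound to, and flags any ACL carrying a blanket `deny ip any any`. The `access-group` lines in the sample are assumed for illustration; the thread does not show them.

```python
import re
from collections import defaultdict

# Constructed sample: the six access-list lines from the thread plus two
# access-group bindings that are ASSUMED here (the post does not show them).
SAMPLE_CONFIG = """
access-list Inside_nat0_outbound extended permit ip 10.154.246.0 255.255.254.0 object-group All_HQ_VPN_Protected_Networks
access-list Outside_20_cryptomap remark This rule protects traffic destined for HQ's internal private networks.
access-list Outside_20_cryptomap extended permit ip object-group BLADEInternal object-group All_HQ_VPN_Protected_Networks
access-list Inside_access_in extended permit ip object-group BLADEInternal object-group DM_INLINE_NETWORK_5
access-list Outside_access_in extended permit tcp object data.meetingmatrix.com 10.154.246.0 255.255.254.0 object-group WebServices
access-list Inside_access_in_1 extended deny ip any any
access-group Inside_access_in in interface inside
access-group Outside_access_in in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(extended|remark)\s*(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")


def parse_config(text):
    """Return (aces, bindings): ACL name -> ACE strings, ACL name -> [(direction, interface)]."""
    aces, bindings = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            name, kind, rest = m.groups()
            entries = aces[name]          # register the ACL even if it only holds remarks
            if kind == "extended":        # remarks carry no filtering behaviour
                entries.append(rest)
            continue
        m = GROUP_RE.match(line)
        if m:
            name, direction, iface = m.groups()
            bindings[name].append((direction, iface))
    return dict(aces), dict(bindings)


def audit(text):
    """For every ACL: where it is bound and whether it holds a blanket 'deny ip any any'."""
    # ACLs used by nat or crypto map (nat0, cryptomap) legitimately show no
    # access-group binding; an unbound ACL ending in deny-any is the one to look at.
    aces, bindings = parse_config(text)
    return {name: {"bound_to": bindings.get(name, []),
                   "blanket_deny": any(e.startswith("deny ip any any") for e in entries)}
            for name, entries in aces.items()}
```

Run it against the output of `show running-config access-list` and `show running-config access-group` to see whether the auto-created ACL is applied anywhere at all, or whether the deny needs to go into the ACL that is actually bound to the interface.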

Ok thanks for the reply.

So would I always have to have the deny rule in the firewall? Would it be the same thing if I added it to the ACL manager?
