TCC_2 (Level 10)

Core issue

One reason this problem can occur is an incorrect order of access-list entries. The PIX/ASA evaluates access rules in the order they appear, so the sequence decides which rule is applied to a given packet.

Resolution

To allow traffic to pass through the PIX/ASA, create access-lists and apply them to a specific interface with the access-group command.

  • Access-lists are evaluated top-down; the first entry that matches a packet is applied and the remaining entries are not consulted.

  • An entry can be placed at a specific position by giving a line number in the access-list command, so a more specific entry can be inserted ahead of an existing broader one.

  • The order of the entries applied to an interface is essential: with an incorrect sequence, a broad entry matches first and the traffic you intended to permit or deny is handled by the wrong rule.

  • You can put all the permit statements first and then add access-list entries that deny undesired traffic.
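The bullets above describe top-down, first-match evaluation and the use of a line number to position an entry. The Python simulator below is an added example, not code from the original post or from Cisco: it parses a small constructed set of ASA-style access-list entries, evaluates a packet against them first-match with the implicit deny that ends every ASA access-list, and flags entries that can never match because an earlier, broader entry covers them. The function names (`parse_acl`, `evaluate`, `shadowed_entries`), the ACL name OUTSIDE_IN and the sample addresses are assumptions made for the illustration.

```python
"""First-match evaluation of ASA/PIX-style access-lists (added example, not from the post)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One access control entry (ACE) as it sits in the ordered list."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]          # destination port, None = any
    text: str                    # original line, kept for reporting


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ASA access-list entries use a subnet mask (not a wildcard mask)
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config: str) -> List[Ace]:
    """Build an ordered ACL from lines of the form:
    access-list NAME [line N] [extended] {permit|deny} PROTO SRC DST [eq PORT]
    An entry with 'line N' is inserted at position N (1-based), as on the ASA;
    an entry without it is appended to the end, which is how ordering mistakes arise.
    """
    acl: List[Ace] = []
    for raw in config.strip().splitlines():
        t = raw.split()
        if not t or t[0] != "access-list":
            continue
        i = 2                                   # skip 'access-list NAME'
        position = None
        if t[i] == "line":
            position, i = int(t[i + 1]), i + 2
        if t[i] == "extended":
            i += 1
        action, proto = t[i], t[i + 1]
        i += 2
        src, i = _parse_addr(t, i)
        dst, i = _parse_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        ace = Ace(action, proto, src, dst, port, raw.strip())
        acl.insert(position - 1, ace) if position else acl.append(ace)
    return acl


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             port: Optional[int] = None) -> Tuple[str, int]:
    """Walk the ACL top-down; return (action, line). Line 0 means the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, ace in enumerate(acl, start=1):
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.port is not None and ace.port != port:
            continue
        return ace.action, n         # first match wins; later entries are never reached
    return "deny", 0                 # implicit deny at the end of every ASA access-list


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Return line numbers of entries that an earlier entry fully covers (they can never match)."""
    shadowed = []
    for j, later in enumerate(acl, start=1):
        for earlier in acl[: j - 1]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.port is None or earlier.port == later.port)):
                shadowed.append(j)
                break
    return shadowed


# Constructed sample: the broad permit was entered first, so the more specific deny
# appended afterwards sits below it and is shadowed.
WRONG_ORDER = """
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 80
access-list OUTSIDE_IN extended deny tcp 198.51.100.0 255.255.255.0 host 192.0.2.10 eq 80
"""

# Constructed sample: same two entries, but 'line 1' places the deny ahead of the permit.
FIXED_ORDER = """
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 80
access-list OUTSIDE_IN line 1 extended deny tcp 198.51.100.0 255.255.255.0 host 192.0.2.10 eq 80
"""

if __name__ == "__main__":
    for label, cfg in (("wrong order", WRONG_ORDER), ("fixed order", FIXED_ORDER)):
        acl = parse_acl(cfg)
        print(label, "->", evaluate(acl, "tcp", "198.51.100.5", "192.0.2.10", 80),
              "shadowed lines:", shadowed_entries(acl))
```

Running it shows the packet from 198.51.100.5 being permitted by line 1 in the first ACL and denied by line 1 in the second, while a request to a port no entry mentions falls through to the implicit deny (line 0). The `shadowed_entries` check is the kind of lint worth running after every access-list change: an entry it reports is dead configuration, which on a firewall usually means a deny that is not doing its job.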
Comments
mikecrowe4ICS_2 (Level 1)

"You can put all the permit statements first and then set the access-lists to deny"

Actually, any access-list on an ASA/PIX/FWSM, or in IOS, already includes an implicit deny at the end of the list. This will deny any traffic not already permitted in previous rules. Of course, unless you've added "permit ip any any" to the end of the ACL.

You only need to add a final deny statement if you want to log denied traffic.
