Active and applied ACLs in ASA 5520

Unanswered Question
May 16th, 2007

I'm cleaning up an old PIX network config, which was transferred to a new ASA 5520 w/IPS. My question is how to determine which ACLs are currently being used. I have 3 that are named INSIDE, inside, and inside_acl, along with several others which I've listed below. However, I only see 2 access-group statements, inside and outside, both lowercase.

I thought ACLs had to be applied to an interface to be active? Does spelling case matter, upper or lower?

How can I tell if these others are actually in use?

Can an ACL be applied to something other than an interface, such as a crypto map?

Thanks, T

access-group inside in interface Inside

access-group outside in interface Outside

acomiskey Wed, 05/16/2007 - 12:35

Yes, ACL names are case sensitive. Also, they can be used for other things, like crypto ACLs for VPN as you mentioned, for NAT, for split tunnel, etc., and many other things. Look through your config; if you see the ACL name somewhere else in the config, then it is probably being used for something.

For example, you probably have something like this for VPN NAT exemption:

nat (inside) 0 access-list NONAT
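The advice above, "if the ACL name appears somewhere else in the config it is in use," can be applied mechanically. The following script is an added example and is not part of the thread or of any Cisco tool: it reads an ASA/PIX-style config, collects every `access-list` definition, and then matches each known reference form (`access-group`, `nat ... access-list`, `static ... access-list`, `crypto map ... match address`, `split-tunnel-network-list`, `vpn-filter`, `match access-list`) so that defined-but-unreferenced ACLs stand out. Names are compared exactly, so `inside` and `INSIDE` are treated as two different ACLs, which is the case-sensitivity point made in the answer. The config text is constructed for the example; the reference patterns cover common uses but are not an exhaustive list of every place an ASA can reference an ACL, so treat "UNUSED" as a candidate for review rather than proof.

```python
"""Report which ACLs in an ASA/PIX config are referenced and which are not.

Added example (not from the thread). An ACL counts as 'in use' only if its
exact name appears in a referencing statement elsewhere in the config.
"""
import re
from collections import defaultdict

# Constructed sample config for the example; not anyone's real config.
SAMPLE_CONFIG = """\
access-list INSIDE extended permit ip any any
access-list inside extended deny ip host 10.1.1.5 any
access-list inside extended permit ip any any
access-list inside_acl extended permit tcp any any eq 80
access-list 80 extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list outside extended deny ip any any
access-list VPN_TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list SPLIT standard permit 10.1.0.0 255.255.0.0
access-list NONAT extended permit ip any any
access-group inside in interface Inside
access-group outside in interface Outside
nat (Inside) 0 access-list 80
nat (Inside) 1 0.0.0.0 0.0.0.0
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
group-policy RA_POLICY attributes
 split-tunnel-network-list value SPLIT
"""

# Statements that reference an ACL by name; group 1 is the ACL name.
# Covers the uses named in the thread (interface, NAT exemption, crypto map,
# split tunnel) plus a few other common ones. Not exhaustive.
REFERENCE_PATTERNS = [
    re.compile(r"^access-group\s+(\S+)\s+(?:in|out)\s+interface\s"),
    re.compile(r"^nat\s+\(\S+\)\s+\d+\s+access-list\s+(\S+)"),
    re.compile(r"^static\s+\(\S+,\S+\)\s+\S+\s+access-list\s+(\S+)"),
    re.compile(r"^crypto\s+(?:map|dynamic-map)\s+\S+\s+\d+\s+match\s+address\s+(\S+)"),
    re.compile(r"^\s*split-tunnel-network-list\s+value\s+(\S+)"),
    re.compile(r"^\s*vpn-filter\s+value\s+(\S+)"),
    re.compile(r"^\s*match\s+access-list\s+(\S+)"),
]
DEFINITION = re.compile(r"^access-list\s+(\S+)\s")


def acl_usage(config):
    """Return (defined, referenced).

    defined:    ACL name -> number of access-list lines carrying that name
    referenced: ACL name -> list of config lines that reference it
    Comparison is exact (case sensitive), matching ASA behaviour.
    """
    defined = defaultdict(int)
    referenced = defaultdict(list)
    for line in config.splitlines():
        m = DEFINITION.match(line)
        if m:
            defined[m.group(1)] += 1
            continue
        for pat in REFERENCE_PATTERNS:
            r = pat.match(line)
            if r:
                referenced[r.group(1)].append(line.strip())
                break
    return dict(defined), dict(referenced)


def unused_acls(config):
    """ACL names that are defined but never referenced (sorted)."""
    defined, referenced = acl_usage(config)
    return sorted(n for n in defined if n not in referenced)


def dangling_references(config):
    """ACL names that are referenced but never defined, e.g. a case mismatch."""
    defined, referenced = acl_usage(config)
    return sorted(n for n in referenced if n not in defined)


if __name__ == "__main__":
    defined, referenced = acl_usage(SAMPLE_CONFIG)
    for name in sorted(defined):
        refs = referenced.get(name, [])
        print(f"{name:14} {defined[name]:3} line(s)  {'in use' if refs else 'UNUSED'}")
        for ref in refs:
            print(f"{'':14} <- {ref}")
    print("dangling references:", dangling_references(SAMPLE_CONFIG))
```

Run it against `show running-config` output saved to a file by replacing `SAMPLE_CONFIG` with the file contents. For the constructed config it reports `INSIDE`, `NONAT` and `inside_acl` as unused while `inside`, `outside`, `80`, `VPN_TRAFFIC` and `SPLIT` are each tied to the line that uses them; `dangling_references` is the inverse check and is useful for spotting an `access-group` or `nat` statement pointing at a name that differs from the definition only in case.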

ttrevino1 Wed, 05/16/2007 - 12:40

This is all I have for NAT statements:

nat (Inside) 0 access-list 80

nat (Inside) 1

nat (Inside) 1

nat (Outside) 1 dns

This last one is for VPN, but it doesn't apply to the NONAT ACL, right?

acomiskey Wed, 05/16/2007 - 12:41

If NONAT is nowhere else in the config then it is not being used. But according to what you just posted, "80" is being used.

ttrevino1 Wed, 05/16/2007 - 12:44

Because there is a NAT statement for 80, correct? So it seems there are a lot of other ACLs in this list that aren't being used, unless there is something else in the config that references the name of the ACL?

acomiskey Wed, 05/16/2007 - 12:46

Yes, ACL 80 is used because of

nat (Inside) 0 access-list 80

Yes, there very well could be something else in the config which references the other ACLs.

Do you have the entire config?

ttrevino1 Wed, 05/16/2007 - 12:56

I do; however, it's sooooo long with the "inside" ACLs that it would fill up this site! LOL. The previous person used these ACLs to block IP addresses, as a sort of content filtering device, which is why I'm trying to clean up pages and pages of config.
