05-16-2007 12:30 PM - edited 03-11-2019 03:15 AM
I'm cleaning up an old PIX network config, which was transferred to a new ASA 5520 w/IPS. My question is how to determine which ACLs are currently being used? I have 3 that are named INSIDE, inside, & inside_acl, along with several others which I've listed below. However, I only see 2 access-group statements, inside and outside, both lowercase.
I thought ACLs had to be applied to an interface to be active? Does spelling case matter, upper or lower?
How can I tell if these others are actually in use?
Can an ACL be applied to something other than an interface, such as a crypto map?
Thanks, T
ACLs:
inside
INSIDE
inside_acl
outside
IPS
NONAT
80
81
85
101
outside_cryptomap_57_1
ftpmatch
Split_Tunnel
ipsec_tunnel_cp
access-group inside in interface Inside
access-group outside in interface Outside
05-16-2007 12:35 PM
Yes, ACL names are case sensitive. Also, they can be used for other things, like crypto ACLs for VPN as you mentioned, for NAT, for split tunnel, etc., and many other things. Look through your config; if you see the ACL name somewhere else in the config then it is probably being used for something.
For example, you probably have something like this for VPN NAT exemption:
nat (inside) 0 access-list NONAT
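The "look through your config for the name" advice above can be automated. The script below is an added example, not code from the original thread or from Cisco: it takes a PIX/ASA configuration as text, collects every ACL name defined by an access-list line, then scans for the places an ACL name can be referenced (access-group, nat/static with access-list, crypto map match address, split-tunnel-network-list, vpn-filter, class-map match access-list) and reports which ACLs are referenced where, which are defined but never referenced, and which references point at a name that is not defined. Matching is case-sensitive, exactly as the ASA treats ACL names, so "inside" and "INSIDE" are tracked separately. The configuration fragment embedded in it is constructed for the example and reuses the ACL names from the question; the reference patterns cover the common cases but not every possible consumer of an ACL, so treat an "unused" result as a starting point for review rather than a license to delete.

```python
import re

# Constructed sample config (not the poster's real config). It reuses the ACL
# names from the question so the report maps onto the original list.
SAMPLE_CONFIG = "\n".join([
    "access-list alert-interval 300",
    "access-list inside extended permit ip any any",
    "access-list INSIDE extended deny ip host 10.1.1.5 any",
    "access-list inside_acl extended permit tcp any any eq 80",
    "access-list outside extended permit tcp any host 10.99.1.10 eq 443",
    "access-list 80 extended permit ip 10.0.0.0 255.0.0.0 10.99.1.0 255.255.255.0",
    "access-list 81 extended permit ip any any",
    "access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0",
    "access-list outside_cryptomap_57_1 extended permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0",
    "access-list Split_Tunnel standard permit 10.0.0.0 255.0.0.0",
    "access-list IPS extended permit ip any any",
    "access-group inside in interface Inside",
    "access-group outside in interface Outside",
    "access-group dmz in interface DMZ",
    "nat (Inside) 0 access-list 80",
    "nat (Inside) 1 10.0.0.0 255.0.0.0",
    "crypto map outside_map 57 match address outside_cryptomap_57_1",
    "group-policy RemoteUsers attributes",
    " split-tunnel-network-list value Split_Tunnel",
    "class-map ips_traffic",
    " match access-list IPS",
])

# "access-list <name> ..." defines an ACL, except for the global settings
# that happen to use the same keyword on ASA/PIX.
ACL_DEF = re.compile(r"^\s*access-list\s+(\S+)\s")
ACL_GLOBAL_SETTINGS = {"alert-interval", "deny-flow-max"}

# Each pattern captures the referenced ACL name in group 1. This list covers
# the common consumers of an ACL; add patterns for any others in your config.
REFERENCE_PATTERNS = [
    re.compile(r"^\s*access-group\s+(\S+)\s+(?:in|out)\s+interface\s+\S+"),
    re.compile(r"^\s*nat\s+\([^)]+\)\s+\d+\s+access-list\s+(\S+)"),
    re.compile(r"^\s*static\s+\([^)]+\)\s+\S+\s+access-list\s+(\S+)"),
    re.compile(r"^\s*crypto\s+map\s+\S+\s+\d+\s+match\s+address\s+(\S+)"),
    re.compile(r"^\s*crypto\s+dynamic-map\s+\S+\s+\d+\s+match\s+address\s+(\S+)"),
    re.compile(r"^\s*split-tunnel-network-list\s+value\s+(\S+)"),
    re.compile(r"^\s*vpn-filter\s+value\s+(\S+)"),
    re.compile(r"^\s*match\s+access-list\s+(\S+)"),
]


def analyze(config_text):
    """Return (defined, dangling).

    defined:  {acl_name: [config lines that reference it]} for every ACL
              defined by an access-list line; an empty list means unreferenced.
    dangling: config lines that reference an ACL name that is never defined
              (often a case-mismatch, e.g. applying "Inside" when "inside" exists).
    """
    lines = config_text.splitlines()
    defined = {}
    for line in lines:
        m = ACL_DEF.match(line)
        if m and m.group(1) not in ACL_GLOBAL_SETTINGS:
            defined.setdefault(m.group(1), [])  # case-sensitive key

    dangling = []
    for line in lines:
        for pattern in REFERENCE_PATTERNS:
            m = pattern.match(line)
            if not m:
                continue
            name = m.group(1)
            if name in defined:
                defined[name].append(line.strip())
            else:
                dangling.append(line.strip())
            break  # a line references at most one ACL
    return defined, dangling


def unused_acls(config_text):
    """Names defined by access-list lines but referenced nowhere else."""
    defined, _ = analyze(config_text)
    return sorted(name for name, refs in defined.items() if not refs)


if __name__ == "__main__":
    defined, dangling = analyze(SAMPLE_CONFIG)
    for name, refs in defined.items():
        print(f"{name}: {'; '.join(refs) if refs else 'NOT REFERENCED'}")
    for line in dangling:
        print(f"reference to undefined ACL: {line}")
```

Run it against a full "show running-config" saved to a file by reading that file into analyze() instead of SAMPLE_CONFIG. On the constructed sample it reports 81, INSIDE, NONAT and inside_acl as unreferenced, shows 80 consumed by the nat statement, and flags the access-group for "dmz" as pointing at an ACL that does not exist.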
05-16-2007 12:40 PM
This is all I have for nat statements:
nat (Inside) 0 access-list 80
nat (Inside) 1 105.105.1.0 255.255.255.0
nat (Inside) 1 10.0.0.0 255.0.0.0
nat (Outside) 1 10.99.1.0 255.255.255.0 dns
This last one is for VPN, but it doesn't apply to the NONAT ACL, right?
05-16-2007 12:41 PM
If NONAT is nowhere else in the config then it is not being used. But according to what you just posted, "80" is being used.
05-16-2007 12:44 PM
Because there is a nat statement for 80, correct? So it seems there are a lot of other ACLs in this list that aren't being used, unless there is something else in the config that references the name of the ACL?
05-16-2007 12:46 PM
Yes, ACL 80 is used because of
nat (Inside) 0 access-list 80
Yes, there very well could be something else in the config which references the other ACLs.
Do you have the entire config?
05-16-2007 12:56 PM
I do; however, it's sooooo long with the "inside" ACLs it would fill up this site! LOL. The previous person used these ACLs to block IP addresses, as a sort of content filtering device, which is why I'm trying to clean up pages and pages of configs.