808 Views, 0 Helpful, 6 Replies

Active and applied ACL's in ASA 5520

ttrevino1
Level 1

I'm cleaning up an old PIX network config, which was transferred to a new ASA 5520 with IPS. My question is how to determine which ACLs are currently being used. I have 3 that are named INSIDE, inside, and inside_acl, along with several others which I've listed below. However, I only see 2 access-group statements, inside and outside, both lowercase.

I thought ACLs had to be applied to an interface to be active? Does case matter, upper or lower?

How can I tell if these others are actually in use?

Can an ACL be applied to something other than an interface, such as a crypto map?

Thanks, T

ACLs:
inside
INSIDE
inside_acl
outside
IPS
NONAT
80
81
85
101
outside_cryptomap_57_1
ftpmatch
Split_Tunnel
ipsec_tunnel_cp

access-group inside in interface Inside
access-group outside in interface Outside

6 Replies

acomiskey
Level 10

Yes, ACL names are case sensitive. Also, they can be used for other things, like crypto ACLs for VPN as you mentioned, for NAT, for split tunnel, etc., and many other things. Look through your config; if you see the ACL name somewhere else in the config, then it is probably being used for something.

For example, you probably have something like this for VPN NAT exemption:

nat (inside) 0 access-list NONAT

This is all I have for nat statements:

nat (Inside) 0 access-list 80

nat (Inside) 1 105.105.1.0 255.255.255.0

nat (Inside) 1 10.0.0.0 255.0.0.0

nat (Outside) 1 10.99.1.0 255.255.255.0 dns

This last one is for VPN, but it doesn't apply to the NONAT ACL, right?

If NONAT is nowhere else in the config, then it is not being used. But according to what you just posted, "80" is being used.

Because there is a nat statement for 80, correct? So it seems there are a lot of other ACLs in this list that aren't being used, unless there is something else in the config that references the name of the ACL?

Yes, ACL 80 is used because of

nat (Inside) 0 access-list 80

Yes, there very well could be something else in the config which references the other ACLs.

Do you have the entire config?

I do; however, it's sooooo long that the "inside" ACLs alone would fill up this site! LOL. The previous person used these ACLs to block IP addresses, as a sort of content filtering device, which is why I'm trying to clean up pages and pages of config.
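The advice in this thread (an ACL is live only if some other line of the running config names it, and the comparison is case sensitive) is easy to mechanize when the config is too long to read by eye. The following script is an added example and not part of the original thread or of any Cisco tool. It takes a saved copy of `show running-config`, collects every `access-list NAME` definition, and then looks for each name as the operand of a keyword that applies an ACL (`access-group`, `nat ... access-list`, `crypto map ... match address`, `split-tunnel-network-list value`, `vpn-filter value`, `match access-list`). The sample config embedded in it is constructed: it reuses the access-group and nat lines quoted in the thread and adds hypothetical crypto-map, group-policy and class-map lines to show the other places an ACL can be referenced.

```python
import re
from collections import defaultdict

# Constructed sample config (not the poster's full config). It reproduces the
# access-group and nat lines quoted in the thread and adds hypothetical lines
# that apply ACLs from a crypto map, a group-policy and a class-map.
SAMPLE_CONFIG = """\
access-list inside extended permit ip any any
access-list INSIDE extended deny ip host 10.1.1.5 any
access-list inside_acl extended deny ip host 10.1.1.6 any
access-list outside extended permit tcp any host 10.99.1.10 eq www
access-list 80 extended permit ip 10.0.0.0 255.0.0.0 10.99.1.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 10.99.1.0 255.255.255.0
access-list outside_cryptomap_57_1 extended permit ip 10.0.0.0 255.0.0.0 192.168.57.0 255.255.255.0
access-list Split_Tunnel standard permit 10.0.0.0 255.0.0.0
access-list ftpmatch extended permit tcp any any eq ftp
access-group inside in interface Inside
access-group outside in interface Outside
nat (Inside) 0 access-list 80
nat (Inside) 1 10.0.0.0 255.0.0.0
crypto map outside_map 57 match address outside_cryptomap_57_1
group-policy RemoteVPN attributes
 split-tunnel-network-list value Split_Tunnel
class-map ftp-traffic
 match access-list ftpmatch
"""

# Keywords that immediately precede an ACL name when the ACL is applied.
# The token after one of these must equal a defined ACL name exactly
# (case-sensitive), the same way the ASA itself resolves the name.
REF_KEYWORDS = {
    "access-group",  # access-group NAME in interface IF
    "access-list",   # nat (IF) 0 access-list NAME; static ... access-list NAME;
                     # class-map: match access-list NAME
    "address",       # crypto map MAP SEQ match address NAME
    "value",         # split-tunnel-network-list value NAME; vpn-filter value NAME
    "match",         # aaa authentication match NAME ...
}


def defined_acls(config):
    """Return the set of ACL names that have at least one access-list line."""
    names = set()
    for line in config.splitlines():
        m = re.match(r"\s*access-list\s+(\S+)", line)
        if m:
            names.add(m.group(1))
    return names


def acl_references(config):
    """Map every defined ACL name to the config lines that apply it.

    Definition lines ('access-list ...') are skipped; only lines that use an
    ACL count. Matching is exact and case-sensitive, so 'inside' and 'INSIDE'
    are two different ACLs, exactly as the ASA treats them.
    """
    names = defined_acls(config)
    refs = defaultdict(list)
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("access-list"):
            continue
        tokens = stripped.split()
        for prev, tok in zip(tokens, tokens[1:]):
            if prev in REF_KEYWORDS and tok in names:
                refs[tok].append(stripped)
    return {name: refs.get(name, []) for name in names}


def unused_acls(config):
    """ACL names that are defined but never applied anywhere in the config."""
    return sorted(name for name, lines in acl_references(config).items() if not lines)


def report(config):
    """Print one line per ACL: where it is applied, or that it is unused."""
    for name, lines in sorted(acl_references(config).items()):
        if lines:
            for line in lines:
                print(f"{name:24s} used by: {line}")
        else:
            print(f"{name:24s} NOT REFERENCED")


if __name__ == "__main__":
    # To run against a real box, replace SAMPLE_CONFIG with
    # open("running-config.txt").read().
    report(SAMPLE_CONFIG)
```

On the sample, `inside`, `outside`, `80`, `outside_cryptomap_57_1`, `Split_Tunnel` and `ftpmatch` each come back with the line that applies them, while `INSIDE`, `NONAT` and `inside_acl` are reported as not referenced; `INSIDE` is unused even though `inside` is bound to an interface, which is the case-sensitivity point made above. Two caveats: the script only knows the reference keywords listed in `REF_KEYWORDS`, so a name applied by a command not in that list would be reported as unused, and an ACL that is referenced is not necessarily doing anything useful (its entries may simply never match). On the box itself, `show running-config | include <name>` answers the same question for a single ACL, and an ACL that is really being evaluated will show its hit counts moving in `show access-list <name>`; one that is defined but never applied will not.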
