Order of ACLs in PIX config

maileym01 (Level 1)

Hi,

until recently the order of access lists in our PIX config was:

names
acl_outside
acl_dmz
acl_inside
acl nat0
acl crypto maps
static mappings
isakmps

Recently, while editing access-list acl_inside I entered no access-list acl_inside which removed all the acl_inside lines.

I added all these back in but now the order of the access lists has changed and I notice that no rules in acl_inside are being processed as the hit counters are all 0. So I guess no outgoing traffic is being filtered.

The order now is:

names
acl_outside
acl_dmz
acl nat0
acl crypto maps
acl_inside
static mappings
isakmps

How can I revert to the previous order of acls in the pix config?

Why would none of the acl_inside rules now be processed?

Thanks in advance

Marty

2 Replies

mj11 (Level 3)

Hi Marty

The order of the access-lists is only applicable within the group, i.e. acl_inside. Could you make sure you have the ACL applied to the correct interface in the correct direction? Is this causing you problems?

Regards MJ

timkaye (Level 1)

Hello.

My understanding is traffic from the inside to lower security interfaces does not require the access-list and access-group command.

That said, removing an entire ACL removes the access-group command.

Apply:

access-group acl_inside in interface inside

I'm not sure if the same applies for other interfaces wishing to access lower security interfaces.

You can consider yourself lucky :)

Tim
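The failure mode in this thread (an ACL that still exists in the config but is no longer bound to anything, so its hit counters stay at zero) is easy to catch with a quick audit of the saved configuration. The script below is an added example, not code from the thread or from Cisco; the PIX config fragment it parses is constructed to mirror Marty's post-incident state, and it only recognises the three reference types the thread mentions (access-group, nat 0 and crypto map match address). ACL names, interface names and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample PIX 6.x-style config fragment (not the poster's real config).
# acl_inside has been re-entered after "no access-list acl_inside", but the
# access-group line that bound it to the inside interface is gone.
SAMPLE_CONFIG = """\
names
name 10.1.2.3 mailserver
access-list acl_outside permit tcp any host mailserver eq smtp
access-list acl_outside deny ip any any
access-list acl_dmz permit tcp host mailserver any eq smtp
access-list nat0 permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list vpn_to_branch permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list acl_inside permit tcp 10.1.0.0 255.255.0.0 any eq www
access-list acl_inside deny ip any any
nat (inside) 0 access-list nat0
static (dmz,outside) 203.0.113.10 mailserver netmask 255.255.255.255
access-group acl_outside in interface outside
access-group acl_dmz in interface dmz
crypto map branchmap 10 match address vpn_to_branch
"""

# Definition lines and the three kinds of reference discussed in the thread.
ACL_DEF = re.compile(r"^access-list\s+(\S+)\s")
ACCESS_GROUP = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")
NAT0 = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)")
CRYPTO_MATCH = re.compile(r"^crypto\s+map\s+\S+\s+\d+\s+match\s+address\s+(\S+)")


def collect_references(config_text):
    """Return (defined_acls, references) where references maps an ACL name
    to a list of human-readable descriptions of every place it is used."""
    defined = set()
    references = defaultdict(list)
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ACL_DEF.match(line):
            defined.add(m.group(1))
        elif m := ACCESS_GROUP.match(line):
            references[m.group(1)].append(f"access-group in interface {m.group(2)}")
        elif m := NAT0.match(line):
            references[m.group(1)].append("nat 0 (identity NAT exemption)")
        elif m := CRYPTO_MATCH.match(line):
            references[m.group(1)].append("crypto map match address")
    return defined, references


def audit_acl_bindings(config_text):
    """Map every defined ACL to its references; an empty list means the ACL
    exists but nothing applies it, so it can never match traffic."""
    defined, references = collect_references(config_text)
    return {name: references.get(name, []) for name in sorted(defined)}


def unbound_acls(config_text):
    """Names of ACLs that are defined but never applied anywhere."""
    return [name for name, refs in audit_acl_bindings(config_text).items() if not refs]


def dangling_references(config_text):
    """Names referenced by access-group / nat 0 / crypto map but never defined.
    On a PIX this is the mirror-image mistake: a binding that points at nothing."""
    defined, references = collect_references(config_text)
    return sorted(name for name in references if name not in defined)


if __name__ == "__main__":
    for name, refs in audit_acl_bindings(SAMPLE_CONFIG).items():
        status = ", ".join(refs) if refs else "NOT APPLIED ANYWHERE"
        print(f"{name:15} {status}")
    print("unbound:", unbound_acls(SAMPLE_CONFIG))
    print("dangling:", dangling_references(SAMPLE_CONFIG))
```

Run against the sample it flags only acl_inside as unbound, which is exactly the symptom of zero hit counts described above; appending the access-group line Tim gives makes the warning disappear. Feeding the output of `show running-config` from a real unit into the script is a reasonable post-change check whenever an ACL has been deleted and recreated.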
