12-10-2007 02:10 PM - edited 02-21-2020 01:49 AM
Hi,
until recently the order of access lists in our PIX config was:
names
acl_outside
acl_dmz
acl_inside
acl nat0
acl crypto maps
static mappings
isakmps
Recently, while editing access-list acl_inside I entered no access-list acl_inside, which removed all the acl_inside lines.
I added all these back in, but now the order of the access lists has changed and I notice that no rules in acl_inside are being processed, as the hit counters are all 0. So I guess no outgoing traffic is being filtered.
The order now is:
names
acl_outside
acl_dmz
acl nat0
acl crypto maps
acl_inside
static mappings
isakmps
How can I revert to the previous order of acls in the pix config?
Why would none of the acl_inside rules now be processed?
Thanks in advance
Marty
12-10-2007 03:44 PM
Hi Marty
The order of the access-lists is only applicable within the group, i.e. acl_inside. Could you make sure you have the ACL applied to the correct interface in the correct direction? Is this causing you problems?
Regards MJ
12-10-2007 10:48 PM
Hello.
My understanding is traffic from the inside to lower security interfaces does not require the access-list and access-group command.
That said, removing an entire ACL removes the access-group command.
Apply:
access-group acl_inside in interface inside
I'm not sure if the same applies for other interfaces wishing to access lower security interfaces.
You can consider yourself lucky :)
Tim
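A config-audit check for the failure mode Tim describes (an ACL that is defined but bound to no interface), as an added example that is not part of the thread; the PIX config text, ACL names and interface names in it are constructed. It also treats an ACL referenced by a nat 0 or crypto map line as in use, so nat0 and crypto ACLs are not reported as unbound.

```python
import re

# Constructed sample of a PIX configuration in the state the thread describes:
# acl_inside has been re-entered, but its access-group binding was lost when
# "no access-list acl_inside" removed the whole list. Not a real config.
SAMPLE_CONFIG = """\
name 10.1.1.10 webserver
access-list acl_outside permit tcp any host webserver eq www
access-list acl_dmz permit tcp host webserver any eq smtp
access-list nat0 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list vpn_traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list acl_inside deny ip any any
nat (inside) 0 access-list nat0
crypto map mymap 10 match address vpn_traffic
access-group acl_outside in interface outside
access-group acl_dmz in interface dmz
"""

ACL_RE = re.compile(r"^access-list (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")


def audit_acls(config):
    """Return (unbound, bound): unbound is the set of ACL names that are defined
    but referenced by no access-group, nat 0 or crypto map line; bound maps each
    access-group ACL name to its (direction, interface)."""
    defined, referenced, bound = set(), set(), {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            defined.add(m.group(1))
        elif m := GROUP_RE.match(line):
            referenced.add(m.group(1))
            bound[m.group(1)] = (m.group(2), m.group(3))
        elif (m := NAT0_RE.match(line)) or (m := CRYPTO_RE.match(line)):
            referenced.add(m.group(1))
    return defined - referenced, bound


if __name__ == "__main__":
    unbound, bound = audit_acls(SAMPLE_CONFIG)
    for name in sorted(unbound):
        print(f"ACL {name} is defined but applied nowhere (hit counts will stay 0)")
    for name, (direction, iface) in bound.items():
        print(f"ACL {name} applied {direction} on interface {iface}")
```

Running it against a saved "show running-config" flags acl_inside as defined but applied nowhere, which is exactly the state Marty's zero hit counters indicate.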