ASDM versus CLI - named access-list etc

Jan 31st, 2008

I'm a CLI junkie now using ASDM v5.2(3) on ASA55x0. Where are the named access-lists I'm used to working with in PIX 6.3(x) CLI? I want to continue to create my named access-lists so I and my colleagues can continue to use our standard templates for configuration tasks. I'm not interested in the ones created automatically such as "access-list in_out-back_forth-UpDown-interfaceSomeWhere0.1". These only confuse my staff when trying to complete config tasks.

acomiskey Thu, 01/31/2008 - 07:35

As far as I know the names of the ACLs are not displayed in Config -> Firewall -> Security Policy, but the names are displayed in the "ACL Manager". Not sure how to get to this in ASDM 5; I think one way is through VPN -> Group Policy -> Client Configuration -> Split Tunnel -> Manage (ACL List).


Phil Williamson Thu, 01/31/2008 - 08:05
Adam - yes you are correct - strange that they have to be accessed via Split Tunnel Network List, but so be it. I can now create a named ACL with our standardized names, but how do I reference it by name later when applying to some policy?


Typically one might have (each ACE written out in full PIX/ASA form, since the PIX/ASA CLI has no ACE sub-mode):

    access-list AllowInbound permit icmp any interface outside echo-reply
    access-list AllowInbound permit icmp any interface outside unreachable
    access-list AllowInbound permit icmp any interface outside time-exceeded
    !
    access-group AllowInbound in interface outside
    !

Thx - Phil

acomiskey Thu, 01/31/2008 - 08:11

Once the ACL "AllowInbound" is created you can still edit/add to it in the Config -> Firewall -> Security Policy page.


Although it is not referenced by the name "AllowInbound", you will notice that the regular security policy page references the ACLs by which interface they are assigned to and which direction. Therefore in the above example, you can edit the rules under the heading "outside (# incoming rules)".
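The mapping Adam describes (ASDM groups rules by interface and direction rather than by ACL name, because the binding comes from the access-group line) can be reproduced from the running config. The following Python script is an added example, not code from the thread or from Cisco: it parses a constructed `show run`-style excerpt built around Phil's AllowInbound ACL, reports which ACL is bound to each interface/direction, and lists ACLs that are defined but never applied, which is a useful audit when templates and ASDM auto-generated names accumulate. The function names, the sample config text and the extra ACL names in it are assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt modelled on the AllowInbound ACL in
# Phil's post, plus one ASA-style "extended" ACL and one unused ACL.
# Sample input only, not a real device configuration.
SAMPLE_CONFIG = """\
access-list alert-interval 300
access-list AllowInbound permit icmp any interface outside echo-reply
access-list AllowInbound permit icmp any interface outside unreachable
access-list AllowInbound permit icmp any interface outside time-exceeded
access-list AllowInbound remark ICMP replies only, no inbound sessions
access-list outside_access_out extended permit tcp any any eq www
access-list stale_template_acl extended deny ip any any
!
access-group AllowInbound in interface outside
access-group outside_access_out out interface outside
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")

# Global access-list settings on PIX/ASA that share the keyword but are
# not ACL names.
NON_ACL_KEYWORDS = {"alert-interval", "deny-flow-max"}


def parse_access_lists(config):
    """Return {acl_name: [ace_text, ...]}; remark lines are not rules."""
    acls = defaultdict(list)
    for raw in config.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        name, body = m.groups()
        if name in NON_ACL_KEYWORDS or body.startswith("remark"):
            continue
        acls[name].append(body)
    return dict(acls)


def parse_access_groups(config):
    """Return [(acl_name, direction, interface), ...] from access-group lines."""
    groups = []
    for raw in config.splitlines():
        m = GROUP_RE.match(raw.strip())
        if m:
            groups.append(m.groups())
    return groups


def bindings_by_interface(config):
    """Map (interface, direction) -> (acl_name, [aces]).

    This is the view ASDM's Security Policy page presents: rules are
    grouped under the interface and direction they are applied to, and
    the ACL name itself is not shown.
    """
    acls = parse_access_lists(config)
    return {
        (ifc, direction): (name, acls.get(name, []))
        for name, direction, ifc in parse_access_groups(config)
    }


def unbound_access_lists(config):
    """ACL names that exist but are never applied by access-group.

    On PIX/ASA such ACLs filter nothing; they are clutter from old
    templates or abandoned ASDM objects and should be reviewed.
    """
    bound = {name for name, _, _ in parse_access_groups(config)}
    return sorted(set(parse_access_lists(config)) - bound)


def asdm_heading(interface, direction, rule_count):
    """Heading text in the style ASDM uses, e.g. 'outside (3 incoming rules)'."""
    word = "incoming" if direction == "in" else "outgoing"
    return f"{interface} ({rule_count} {word} rules)"


if __name__ == "__main__":
    for (ifc, direction), (name, aces) in bindings_by_interface(SAMPLE_CONFIG).items():
        print(asdm_heading(ifc, direction, len(aces)), "->", name)
        for ace in aces:
            print("   ", ace)
    print("unbound ACLs:", unbound_access_lists(SAMPLE_CONFIG))
```

Run against real output of `show running-config access-list` and `show running-config access-group`, the script gives the CLI-side answer to "which named ACL is behind the 'outside (# incoming rules)' heading", and the unbound list flags ACLs that can be removed without changing enforced policy.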

Phil Williamson Thu, 01/31/2008 - 08:25

Adam - thx for the help. I will have to rethink the use of ASDM for initial config by our techs. We have standardized templates that they copy/paste into the CLI. The ASDM is nice, but it tends to hide too much and to me at least makes it difficult to config the device the way I need to.
