Using "interface" as parameter in ASA ACL

Unanswered Question
Aug 4th, 2009

I have seen in a manual that you can use "interface (interface name)" as the source/destination in an ACL on the ASA. When would you do this? What exactly does it buy you i.e. what does it really give access to?


access-list dmz permit tcp interface dmz host eq http

What is actually getting access to on port 80?


Joel G.

suschoud Tue, 08/04/2009 - 15:43


Let me give you a complete example:

You have a server on the inside of the f/w which people need to access from outside.

You want to use the f/w outside interface public IP address for this purpose.

As you cannot map the outside interface IP to an internal server, you would need a static PAT command. Let's assume it's a web server.

static (inside,outside) tcp interface 80 80

Inside server's actual IP:

Now, along with this static PAT, you would need to allow port 80 specifically for "any" source and the interface IP address as destination.

In this case, rather than mentioning the interface IP address in the ACL, use the interface keyword.

access-l outside_in permit tcp any interface outside eq 80

access-g outside_in in inter outside




jogillis Wed, 08/05/2009 - 11:51

Thank you. That example with "interface" as the destination I understand, but where would you use the "interface" parameter as the source, such as on a DMZ?


access-list DMZ-to-Lan permit tcp interface dmz 10.x.x.x eq ldap



John Blakley Wed, 08/05/2009 - 12:22


Actually, it's the same concept. When you have a public address that can change, but you host a web server on the inside, your outside acl needs to allow someone into that address. You don't want to change the address each time your address changes, so you use the interface keyword instead of an address:

static (inside,outside) interface

access-list outside permit tcp any interface eq 80
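Putting the two pieces from the replies above together, here is a complete configuration for the "publish an inside web server on the outside interface address" case. This is an added example, not configuration posted by anyone in this thread; it uses the pre-8.3 `static` syntax that was current in 2009, and the inside server address 192.0.2.10 and the interface names "inside"/"outside" are constructed placeholders.

```cisco
! Added example (not from any poster in this thread). ASA 8.2-style config.
! 192.0.2.10 is a constructed placeholder for the inside web server;
! "inside" and "outside" are assumed interface names.

! Static PAT: TCP/80 arriving at the outside interface's own address is
! translated to the inside server's real address, TCP/80.
static (inside,outside) tcp interface 80 192.0.2.10 80

! The ACL refers to the outside interface by name instead of by IP, so the
! rule keeps working when a DHCP/PPPoE-assigned public address changes.
access-list outside_in extended permit tcp any interface outside eq 80

! Apply the ACL inbound on the outside interface.
access-group outside_in in interface outside

! Verification: a non-zero hit count confirms the line is actually matching.
! The same check answers the "interface as source" question from the
! original post: a line that never accumulates hits can be reviewed for
! removal during the migration.
! show access-list outside_in
```

The `interface` keyword in the ACL only ever resolves to the address configured on that named interface, so the rule grants access to the ASA's mapped address (and, via the static, to the single server behind it), not to the interface's whole subnet.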



suschoud Wed, 08/05/2009 - 12:24

I'm not sure why you would need an ACL where the source is interface.

The interface-initiated traffic is mostly management traffic and we do not restrict it using ACLs. ACLs are used for traffic passing THROUGH the f/w, not TO or FROM it.

I have never come across a situation wherein the source is specified as the interface IP.....

jogillis Wed, 08/05/2009 - 12:33

Thanks everyone for the examples. I understand why you would use this as the destination, especially if you were using DSL where the outside interface could change. But using it as the source still has me stumped. The reason I ask is that we are moving a DMZ from one company to ours and the access-list for their DMZ has such statements in it.

Joel G.

suschoud Wed, 08/05/2009 - 12:36

I'm pretty sure there won't be any hit counts on that ACL.


sh access-l

John Blakley Wed, 08/05/2009 - 12:55

According to your example,

access-list DMZ-to-Lan permit tcp interface dmz 10.x.x.x eq ldap

Are there any security restrictions on the ldap server that require traffic to come from the address that's assigned to the dmz interface? It *might* be an ldap security thing where they didn't want everything in the dmz talking to it OR they are making requests on behalf of everything in the dmz? Just a thought.



