Cisco ASA 5500 NSEL Ingress and Egress ACLs

Unanswered Question
Nov 13th, 2009

Traffic across firewalls passes through the access rules. In PIX devices, a single ACL is matched to traffic, whereas in Cisco ASA 5500, traffic is matched to two ACLs (ingress and egress ACL). I have come across these in the Cisco NSEL document below:

http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html#wp1028790

Why do we need this? Can anyone explain this to me or redirect me to a document that throws some light on it?

Thanks

Nathan

Jon Marshall Fri, 11/13/2009 - 03:50

Nathan

Not strictly accurate. PIX v6.x and before did not support outbound ACLs on an interface. However, PIX v7.x and onwards does support outbound ACLs, so both the ASA and PIX (v7.x onwards) support both outbound and inbound ACLs.

When to use outbound ACLs really depends on your requirements. Most times you can use inbound ACLs, but outbound can be useful in certain situations.

Jon
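As an added illustration (not part of either post above), here is a constructed ASA 8.x configuration fragment showing how one flow is evaluated twice: by the inbound ACL on the interface it enters and by the outbound ACL on the interface it leaves. That is why an NSEL flow record can carry both an ingress and an egress ACL ID. Interface names, addresses, ACL names and the collector address are assumptions.

```cisco
! Constructed example: inbound (ingress) ACL applied to the inside interface.
! HTTPS from the internal subnet is permitted here; everything else is denied and logged.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Outbound (egress) ACL applied to the outside interface. The same flow is
! checked again on the way out, so traffic to one specific host can be
! dropped here even though INSIDE_IN already permitted it.
access-list OUTSIDE_OUT extended deny tcp any host 203.0.113.10 eq 443 log
access-list OUTSIDE_OUT extended permit ip any any
access-group OUTSIDE_OUT out interface outside
!
! NSEL export to an assumed collector. A denied flow is reported with the
! ID of whichever of the two ACLs actually dropped it, and a permitted flow
! reports both the ingress and the egress ACL that matched.
! (event-type syntax as documented for ASA 8.2 NSEL; verify against your release)
flow-export destination inside 10.1.1.50 9996
policy-map global_policy
 class class-default
  flow-export event-type all destination 10.1.1.50
```

With this in place, a session from 10.1.1.20 to 203.0.113.10:443 is permitted by INSIDE_IN on ingress but denied by OUTSIDE_OUT on egress, and the NSEL flow-denied record identifies OUTSIDE_OUT as the denying ACL.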
