ASA Access-group

Answered Question
Jan 20th, 2010

Hi All,

For ASA, is there any standard or a need of having an in and out access-group for each inside or outside interface, or is it based on situation and requirement?

Regards,

Lawrence

Correct Answer
Jon Marshall Wed, 01/20/2010 - 08:54

noobieee7 wrote:

Hi All,

For ASA, is there any standard or a need of having an in and out access-group for each inside or outside interface, or is it based on situation and requirement?

Regards,

Lawrence

Lawrence

It is based purely on situation and requirement. Inbound access-lists are by far the most commonly used, but I have had situations in the past where an outbound acl has been very useful.

Jon

Correct Answer
Kureli Sankar Wed, 01/20/2010 - 08:55

Mostly people only apply acl "IN" on an interface.  We have seen cases where people apply acl IN and OUT on the same interface by mistake.

In some cases there has been a requirement. For example, you have inside, dmz and outside. You manage the inside and outside interface acl but another team manages the dmz acl. They allow everything on their interface, but you want to control what leaves the outside interface, so you can apply an acl OUT on the outside interface.

So, it depends on the requirement.

-KS
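The three-interface scenario Kureli describes, written out as an ASA configuration. This is an added example, not anything a poster provided; the interface names, ACL names, host addresses and the assumption of ASA 8.3 or later (where ACLs reference real, untranslated addresses) are all mine.

```cisco
! Added example (not from the thread). Assumes ASA 8.3+ so that ACL entries
! use real (pre-NAT) addresses; names and addresses below are constructed.
!
! The DMZ team owns the dmz interface ACL and permits everything entering it.
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
!
! Our team applies the usual inbound ACL on the inside interface.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Because DMZ_IN is wide open, an OUT ACL on the outside interface is the one
! place we still decide what leaves the firewall. Note it is evaluated for
! egress traffic from every source interface (inside as well as dmz), so the
! inside permits must be repeated here or inside users are cut off too.
access-list OUTSIDE_OUT extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list OUTSIDE_OUT extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
! Only the DMZ mail relay (assumed host 172.16.1.25) may send SMTP outbound.
access-list OUTSIDE_OUT extended permit tcp host 172.16.1.25 any eq 25
access-list OUTSIDE_OUT extended deny ip any any log
access-group OUTSIDE_OUT out interface outside
!
! One ACL per direction per interface: binding a second ACL with
! "access-group ... out interface outside" replaces OUTSIDE_OUT, it does not
! merge with it. Check the bindings and hit counts with:
!   show running-config access-group
!   show access-list OUTSIDE_OUT
```

The `log` keyword on the final deny entries gives you syslog evidence of what the wide-open dmz policy would otherwise have let out, which is the quickest way to confirm the outbound ACL is actually doing the job the other team's ACL does not.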

vilaxmi Wed, 01/20/2010 - 21:52

Hello,

I would agree with the above replies. Just to add, I would like to mention that on an interface you can apply one ACL per direction. Also please keep in mind that the more ACLs there are, the more packet processing is done at each ifc in the ASA.

Thanks

Vijaya

Ganesh Hariharan Thu, 01/21/2010 - 02:40

Hi All,

For ASA, is there any standard or a need of having an in and out access-group for each inside or outside interface, or is it based on situation and requirement?

Regards,

Lawrence

Hi Lawrence,

Generally it depends on the situation; as a good practice, we used to do an inbound acl, with the traffic flow coming into the device, in the in direction.

HTH

Regards

Ganesh.H
