ASA Access-group

Answered Question
Jan 20th, 2010

Hi All,


For ASA, is there any standard or a need of having an in and out access-group for each inside or outside interface, or is it based on situation and requirement?


Regards,

Lawrence

Correct Answer by Kureli Sankar (Cisco Employee), Wed, 01/20/2010 - 08:55

Mostly people only apply an ACL "IN" on an interface. We have seen cases where people apply an ACL IN and OUT on the same interface by mistake.

In some cases there has been a requirement. For example, you have inside, dmz and outside. You manage the inside and outside interface ACLs but another team manages the dmz ACL. They allow everything on their interface, but you want to control what leaves the outside interface, so you can apply an ACL OUT on the outside interface.


So, it depends on the requirement.


-KS

Correct Answer by Jon Marshall, Wed, 01/20/2010 - 08:54

noobieee7 wrote:


Hi All,


For ASA, is there any standard or a need of having an in and out access-group for each inside or outside interface, or is it based on situation and requirement?


Regards,

Lawrence


Lawrence


It is based purely on situation and requirement. Inbound access-lists are by far the most commonly used, but I have had situations in the past where an outbound ACL has been very useful.


Jon


vilaxmi (Cisco Employee) Wed, 01/20/2010 - 21:52

Hello,


I would agree with the above replies. Just to add, I would like to mention that on an interface you can apply one ACL per direction. Also please keep in mind that the more ACLs there are, the more packet processing is done at each interface on the ASA.


Thanks


Vijaya
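
Two of the points made in this thread, Kureli Sankar's observation that an ACL applied IN and OUT on the same interface is often a mistake, and Vijaya's note that only one ACL can be applied per direction per interface, can be checked mechanically against a configuration. The script below is an added example, not code from the original thread or from Cisco. It parses `nameif`, `access-list` and `access-group` lines from a constructed sample config (the inside/dmz/outside layout described above, with the dmz ACL permitting everything, an OUT ACL on outside, and a deliberate IN+OUT binding on `inside` whose OUT ACL has no entries) and reports interfaces bound in both directions, duplicate bindings for one interface and direction, ACLs that are bound but have no access-list entries, and interface names with no matching `nameif`. It assumes the plain `access-group NAME in|out interface IFC` form; global access-groups are not handled.

```python
"""Lint the access-group bindings in a Cisco ASA configuration.

Findings reported:
  * an interface bound with ACLs in both the "in" and "out" direction
    (usually a mistake, occasionally a requirement; confirm intent)
  * more than one binding for the same interface and direction
    (only one ACL per direction is applied on an ASA interface)
  * an access-group line that references an ACL with no access-list entries
  * an access-group line whose interface name has no matching nameif
"""
import re
from collections import defaultdict

# Constructed sample configuration (not from the original post): the
# inside/dmz/outside layout from the thread. "inside" is deliberately
# bound in both directions and INSIDE_OUT is never defined.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
access-list INSIDE_IN extended permit ip 10.1.0.0 255.255.0.0 any
access-list DMZ_IN extended permit ip any any
access-list OUTSIDE_OUT extended permit tcp any any eq 443
access-list OUTSIDE_OUT extended permit udp any any eq 53
access-list OUTSIDE_OUT extended deny ip any any
access-group INSIDE_IN in interface inside
access-group INSIDE_OUT out interface inside
access-group DMZ_IN in interface dmz
access-group OUTSIDE_OUT out interface outside
"""

# Only the per-interface form is handled; "access-group NAME global" is not.
ACCESS_GROUP_RE = re.compile(
    r"^access-group\s+(?P<acl>\S+)\s+(?P<dir>in|out)\s+interface\s+(?P<ifc>\S+)\s*$")
# A remark line does not count as an entry of the ACL.
ACCESS_LIST_RE = re.compile(r"^access-list\s+(?P<acl>\S+)\s+(?!remark\b)")
NAMEIF_RE = re.compile(r"^\s+nameif\s+(?P<ifc>\S+)\s*$")


def parse_config(text):
    """Return (nameifs, acl_names, bindings); bindings is a list of
    (acl, direction, interface) tuples in configuration order."""
    nameifs, acl_names, bindings = set(), set(), []
    for line in text.splitlines():
        m = NAMEIF_RE.match(line)
        if m:
            nameifs.add(m.group("ifc"))
            continue
        m = ACCESS_LIST_RE.match(line)
        if m:
            acl_names.add(m.group("acl"))
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m:
            bindings.append((m.group("acl"), m.group("dir"), m.group("ifc")))
    return nameifs, acl_names, bindings


def lint_access_groups(text):
    """Return a sorted list of finding strings for the given config text."""
    nameifs, acl_names, bindings = parse_config(text)
    findings = []
    per_ifc = defaultdict(lambda: defaultdict(list))  # ifc -> dir -> [acl, ...]
    for acl, direction, ifc in bindings:
        per_ifc[ifc][direction].append(acl)
        if acl not in acl_names:
            findings.append(f"{ifc}/{direction}: ACL {acl} has no access-list entries")
        if ifc not in nameifs:
            findings.append(f"{ifc}/{direction}: no interface with nameif {ifc}")
    for ifc, dirs in per_ifc.items():
        for direction, acls in dirs.items():
            if len(acls) > 1:
                findings.append(
                    f"{ifc}/{direction}: {len(acls)} bindings, only one ACL per "
                    f"direction is applied ({', '.join(acls)})")
        if "in" in dirs and "out" in dirs:
            findings.append(
                f"{ifc}: ACLs bound in both directions (in={dirs['in'][0]}, "
                f"out={dirs['out'][0]}); confirm this is intended")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_access_groups(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` instead of the sample to audit a live device. The "both directions" finding is only a prompt to confirm intent; as the answers above say, an OUT ACL alongside an IN ACL is sometimes exactly what the requirement calls for.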

Ganesh Hariharan Thu, 01/21/2010 - 02:40

Hi All,


For ASA, is there any standard or a need of having an in and out access-group for each inside or outside interface, or is it based on situation and requirement?


Regards,

Lawrence


Hi Lawrence,


Generally it depends on the situation. As a good practice, we used to apply an inbound ACL in the "in" direction, for traffic flowing into the device.


HTH


Regards

Ganesh.H
