acl-name in access-list requirements

suwaisfa_Sec
Level 1

Hi,

I would like to ask about the acl-name in access-list.
Does it act as a link between the ACL and an interface,
or could it be written as anything, without any constraints?

For example:
access-list test_ACL extended permit tcp host 10.105.10.22 host 10.140.180.35 eq ssh

Is this OK?
Or should test_ACL be defined somewhere prior to using it in the ACL?

19 Replies

rizwanr74
Level 7

You cannot reference an ACL without actually creating it in the first place.

"Does it act as a link between the ACL and an interface?"

ACLs do not act like a link; rather, they are for controlling access, and you must assign an ACL to an interface by using the access-group command, to map it to an interface.

"or could it be written as anything, without any constraints?"

You can create ACL names with letters and numbers.

Thanks Rizwan for your reply,

I don't have this test_ACL defined in the access-group definition part,

but I found it defined in a class-map and in policy-map global_policy, as

class-map test_ACL
 match access-list test_ACL

and then defined in
policy-map global_policy
as
class test_ACL
 set connection timeout tcp 12:00:00

Is this the correct configuration? Or does it not work, so the ACL will not be used?

 

Whichever IPs are matched in the ACL will be subject to their TCP connections having a timeout of 12 hours.

--

Please remember to select a correct answer and rate helpful posts


Hi,

 

Do you mean those rules need to be defined twice:

one definition in an ACL which is bound to an interface,

then a second in an ACL which is defined as a class-map?

You are confusing interface ACLs with other ACLs.

You can use ACLs for multiple things, and from the configuration you posted the ACL has nothing to do with an interface; it is being used to set the connection timeouts for certain traffic.

The ACLs you apply to interfaces can use any name you want that makes sense to you.

Then, when you apply it to an interface, you need to reference the ACL name. The ACL name does not need to match or include the name of the interface you are applying it to; it's just that a lot of people do reference the interface name to make it more obvious in the configuration.

But you don't have to, it is up to you.

Jon

thanks Jon,

 

So you mean the ACL name could be anything that makes sense to me, and it does not have to be defined anywhere, unless something is required like defining a time-out?

For example, I do have another ACL defined with the name "inside_access_in",

and I couldn't find this "inside_access_in" defined anywhere, and I think it's not a default name (as I checked the manual, and there is no reference for it).

There is no default name for interface ACLs; you use your own names.

It can be any name, and then, if it was an interface ACL, you would apply it with:

access-group <NAME> in/out interface <interface>

As Marius said, though, ACLs can be used for a number of things, so you need to make sure before you delete it that it is not being referenced anywhere in the configuration.

Jon

Your configuration seems to be correct, and if your configuration is incorrect it will error out when you are applying it.

May I know what exactly you are trying to achieve? I may be able to advise a thing or two.

 

thanks

Hi,

 

What I am trying to find out is whether those rules (ACLs) are correct and will be used,

or not, in which case we remove them.

If the ACL needs to be defined and aligned to an interface, then which interface are those ACLs related to?

As the ACL-Name is not part of the access-group settings.

ACLs can be used with many things, such as class-maps, interface access control, NAT, NAT exemption, route-maps and so on.

If you believe the lines below have no use, then you can remove them, and it will not affect your firewall's functionality in general; only you know your network setup.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

policy-map global_policy
 class test_ACL
  set connection timeout tcp 12:00:00

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Just because the ACL is not defined in an access-group doesn't mean it is not in use. There are several other areas that use ACLs. Class-maps are another common place where ACLs are used to match on traffic that will be used in a policy-map. Another common use for ACLs is to define interesting traffic, or traffic that is to be encrypted, over a site-to-site VPN.

But for this specific ACL that you mention, the question you need to answer is: does the ACL define IPs that are assigned within your network, and do you have any applications that require the TCP timeout to be adjusted? If the answer is no to either of these, then it is safe to assume you can remove the class-map test_ACL and the class test_ACL under the policy-map configuration.

Whether the ACL itself can be removed, I would assume it is safe to remove as it is called test_ACL, but then again, I have seen people set up test configurations and then leave them as is without changing the name. So I would suggest investigating further to see if the name test_ACL is referenced in any other places in your configuration.

--

Please remember to select a correct answer and rate helpful posts
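The check Jon and Marius recommend above (is a named ACL still referenced by an access-group, a class-map, a crypto map or another feature before you remove it) can be done mechanically over a saved running-config. The script below is an added example written for this thread; it is not from the thread, from Cisco, or from any Cisco tool. The sample configuration is constructed: the names test_ACL, inside_access_in, App_A_Prod and global_policy come from the thread, while vpn_interesting, outside_map, the interface names and the 192.168.50.0 and 203.0.113.10 addresses are made up. The regular expressions cover a handful of common statement forms for the features the thread mentions and are an assumption, not an exhaustive list; extend them for every feature in use on a given firewall. Besides unreferenced ACLs, the report also lists names that are referenced but never defined, or referenced above their first access-list line, in line with Marius's point that the ASA wants the ACL defined before its name is used.

```python
import re

# Constructed sample ASA configuration for this example (not the thread's device).
SAMPLE_CONFIG = """\
access-list inside_access_in extended permit tcp 10.105.10.0 255.255.255.0 any eq https
access-list inside_access_in extended deny ip any any
access-list test_ACL extended permit tcp host 10.105.10.22 host 10.140.180.35 eq ssh
access-list App_A_Prod extended permit tcp host 10.105.10.22 host 10.140.180.35 eq ssh
access-list vpn_interesting extended permit ip 10.105.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-group inside_access_in in interface inside
class-map test_ACL
 match access-list test_ACL
policy-map global_policy
 class test_ACL
  set connection timeout tcp 12:00:00
service-policy global_policy global
crypto map outside_map 10 match address vpn_interesting
crypto map outside_map 10 set peer 203.0.113.10
"""

# Where an ACL name is defined: every "access-list <name> ..." line
# (remark lines count too; they belong to the same ACL).
DEFINITION = re.compile(r"^access-list\s+(\S+)")

# Places an ACL name can be consumed. Each pattern captures the ACL name.
# Assumed statement forms for the features mentioned in the thread: interface
# access-group, class-map match, crypto map interesting traffic, route-map
# match, and old-style NAT exemption. Extend for other features as needed.
REFERENCES = {
    "access-group":    re.compile(r"^access-group\s+(\S+)\s+(?:in|out|global)"),
    "class-map match": re.compile(r"^\s+match\s+access-list\s+(\S+)"),
    "crypto map":      re.compile(r"^crypto\s+map\s+\S+\s+\d+\s+match\s+address\s+(\S+)"),
    "route-map":       re.compile(r"^\s+match\s+ip\s+address\s+(\S+)"),
    "nat exemption":   re.compile(r"^nat\s+\([^)]*\)\s+0\s+access-list\s+(\S+)"),
}


def audit_acls(config_text):
    """Report ACL definitions and references found in an ASA config text.

    Returns a dict with the defined names, the kinds of statements that use
    each name, names nothing references (review before removal), names used
    but never defined, and names used on a line above their first definition.
    """
    defined_at = {}   # name -> line number of first "access-list <name>" line
    references = {}   # name -> list of (line number, kind of referencing statement)
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = DEFINITION.match(line)
        if m:
            defined_at.setdefault(m.group(1), lineno)
            continue
        for kind, pattern in REFERENCES.items():
            m = pattern.match(line)
            if m:
                references.setdefault(m.group(1), []).append((lineno, kind))

    unreferenced = sorted(name for name in defined_at if name not in references)
    undefined = sorted(name for name in references if name not in defined_at)
    used_before_defined = sorted(
        name for name, uses in references.items()
        if name in defined_at and any(lineno < defined_at[name] for lineno, _ in uses)
    )
    return {
        "defined": sorted(defined_at),
        "references": {name: sorted({kind for _, kind in uses})
                       for name, uses in references.items()},
        "unreferenced": unreferenced,
        "undefined": undefined,
        "used_before_defined": used_before_defined,
    }


if __name__ == "__main__":
    report = audit_acls(SAMPLE_CONFIG)
    for name in report["defined"]:
        uses = report["references"].get(name)
        print(f"{name}: {', '.join(uses) if uses else 'no references found'}")
    print("undefined:", report["undefined"])
    print("used before defined:", report["used_before_defined"])
```

Run against the sample, the report shows inside_access_in used by an access-group, test_ACL by a class-map match, vpn_interesting by a crypto map, and App_A_Prod defined but never referenced, which is exactly the situation the asker describes: the ASA accepts such an ACL, but nothing will ever send traffic through it. Feed the script the output of `show running-config` from your own firewall and treat an empty "unreferenced" list as the precondition for leaving an ACL in place, and a non-empty one as a list to investigate, not to delete blindly.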


thanks, all of you,

 

So could I say this:

the ACL-Name does not have to be defined earlier,

and it could be any name I like.

As an example, I would name it

App_A_Prod

and as I don't need to define any parameters for time-out or other stuff, I will not define this name anywhere else.

Is this correct? I mean, will the firewall accept my entry?

"the ACL-Name does not have to be defined earlier"

That depends on what you mean by this. The ASA requires you to define the ACL before you use the name anywhere else in the configuration. This is unlike routers, where you can use the ACL name anywhere else before you actually define the ACL itself.

"and as I don't need to define any parameters for time-out or other stuff, I will not define this name anywhere else."

"Is this correct? I mean, will the firewall accept my entry?"

You can define the ACL and just leave it in the configuration without using it, but I don't see the point in doing that. But yes, the ASA will accept your ACL configuration.

--

Please remember to select a correct answer and rate helpful posts


"You can define the ACL and just leave it in the configuration without using it, but I don't see the point in doing that. But yes, the ASA will accept your ACL configuration."

Hi,

sorry I keep asking the same thing again.

So, the ACL is defined,

and the IPs used are correct, and the ACL name is not one of the known interfaces, yet there is no mention/definition of the ACL name anywhere else in the configuration file.

Will there be any hits on this ACL?
