08-12-2006 04:29 PM - edited 02-20-2020 09:37 PM
I have been fighting an incoming ACL for the last couple of days and today I finally figured it out. Everything looked exactly right within ASDM but it still wasn't working.
When I entered the info for an ACL within ASDM the cli looked like this:
access-list 100 permit tcp any 65.172.252.44 eq www
when I type it in manually (the right way)
access-list 100 permit tcp any host 65.172.252.44 eq www
It works! WTF?
When I hit reload on ASDM I watch that ACL and it doesn't change. I had to enter all my ACL entries manually and all is well.
I'm using an ASA 5520, OS 7.2.1 and ASDM 5.2
Has anyone else seen this or am I just doing something wrong?
Bob
08-12-2006 05:12 PM
Hi,
The difference between the ASDM-ACL and your CLI-ACL is the keyword 'host'. Without 'host', the destination more or less becomes a network ID/subnet instead of a single host. That's why your second ACL works.
But I think you can refresh the ASDM so that it will take the latest config updated via the CLI.
Normally, when you create the ACL, the destination is specified as a host IP or object name (if you defined a name for that IP 65.172.252.44). Additionally, the netmask of 255.255.255.255 will also determine whether the destination is a single host or a network ID. If this is correctly done, then you're not doing anything wrong.
Rgds,
AK
08-15-2006 06:06 AM
Hi!
I use the ASDM too and that's right. The netmask determines whether it is a single host or a network. Try to configure this rule using the 255.255.255.255 netmask for the inside host.
regards,
Adriano Porcaro
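An added example, not code from the thread or from Cisco: a small Python parser for ASA extended ACEs that treats `host A.B.C.D` and `A.B.C.D 255.255.255.255` as the same /32 destination, and flags a destination written as a bare address with neither form, which is the entry the first post shows ASDM generating. It assumes ASA syntax (a netmask, not the IOS-style wildcard mask) and the `access-list NAME [extended] {permit|deny} PROTO SRC [PORT] DST [PORT]` layout; the sample lines are constructed from the entries quoted above plus one deny line.

```python
"""Lint Cisco ASA extended ACEs for a bare address that has neither 'host'
nor a netmask. Added example for the thread above; not Cisco code."""
import ipaddress

PORT_OPS = {"eq", "neq", "lt", "gt", "range"}

# Constructed sample: the two entries quoted in the thread, the netmask
# form suggested in the replies, and one subnet deny line.
SAMPLE = """\
access-list 100 permit tcp any 65.172.252.44 eq www
access-list 100 permit tcp any host 65.172.252.44 eq www
access-list 100 permit tcp any 65.172.252.44 255.255.255.255 eq www
access-list 100 deny ip 10.0.0.0 255.0.0.0 any
"""


def _parse_endpoint(tokens, i):
    """Parse 'any', 'host A', or 'A NETMASK' at tokens[i]; return (network, next)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    ipaddress.IPv4Address(tok)  # raises ValueError if not an address at all
    # A bare address must be followed by a netmask; a port operator or end
    # of line here is exactly the malformed entry from the original post.
    if i + 1 >= len(tokens) or tokens[i + 1] in PORT_OPS:
        raise ValueError(f"{tok}: bare address with neither 'host' nor a netmask")
    # ASA takes a dotted netmask (255.255.255.0), not an IOS wildcard mask.
    net = ipaddress.IPv4Network((tok, tokens[i + 1]), strict=False)
    return net, i + 2


def _parse_port(tokens, i):
    """Parse an optional port clause such as 'eq www' or 'range 1024 65535'."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        if tokens[i] == "range":
            return (tokens[i], tokens[i + 1], tokens[i + 2]), i + 3
        return (tokens[i], tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse one ASA extended ACE into a dict; raise ValueError if malformed."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError("not an access-list entry")
    name, i = t[1], 2
    if t[i] == "extended":
        i += 1
    action, proto = t[i], t[i + 1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unexpected action {action!r}")
    i += 2
    src, i = _parse_endpoint(t, i)
    sport, i = _parse_port(t, i)
    dst, i = _parse_endpoint(t, i)
    dport, i = _parse_port(t, i)
    return {"name": name, "action": action, "protocol": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def same_ace(a, b):
    """True when two parsed entries match the same traffic."""
    return all(a[k] == b[k] for k in ("action", "protocol", "src", "sport", "dst", "dport"))


def lint(config_lines):
    """Return (parsed_entries, problems) where problems are (line, reason) pairs."""
    ok, problems = [], []
    for line in config_lines:
        line = line.strip()
        if not line.startswith("access-list"):
            continue
        try:
            ok.append(parse_ace(line))
        except (ValueError, IndexError) as exc:
            problems.append((line, str(exc)))
    return ok, problems


if __name__ == "__main__":
    entries, bad = lint(SAMPLE.splitlines())
    for line, why in bad:
        print(f"REJECT {line}\n       {why}")
    for e in entries:
        print(f"OK     {e['action']} {e['protocol']} {e['src']} -> {e['dst']} {e['dport']}")
```

Run against the sample, the first line is rejected with the bare-address reason, while the `host` and `255.255.255.255` forms parse to the identical /32 entry, which is the equivalence the two replies describe.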