ASDM ACL rule writing issue?

mx
Level 1

I have been fighting an incoming ACL for the last couple of days and today I finally figured it out. Everything looked exactly right within ASDM but it still wasn't working.

When I entered the info for an ACL within ASDM the CLI looked like this:

access-list 100 permit tcp any 65.172.252.44 eq www

When I type it in manually (the right way):

access-list 100 permit tcp any host 65.172.252.44 eq www

It works! WTF?

When I hit reload on ASDM I watch that ACL and it doesn't change. I had to enter all my ACL entries manually and all is well.

I'm using an ASA 5520, OS 7.2.1 and ASDM 5.2.

Has anyone else seen this or am I just doing something wrong?

Bob

2 Replies

a.kiprawih
Level 7

Hi,

The difference between the ASDM ACL and your CLI ACL is the keyword 'host'. Without 'host', the destination more or less becomes a network ID/subnet instead of a single host. That's why your second ACL works.

But I think you can refresh the ASDM so that it will take the latest config updated via the CLI.

Normally, when you create the ACL, the destination is specified as a host IP or an object name (if you defined a name for that IP 65.172.252.44). Additionally, the netmask of 255.255.255.255 will also determine whether the destination is a single host or a network ID. If this is correctly done, then you're not doing anything wrong.

Rgds,

AK
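As an added example (not from this thread, Cisco or ASDM), a small Python lint that parses access-list entries in the syntax shown above and flags a source or destination written as a bare address with neither the 'host' keyword nor a netmask, which is the form the original post shows ASDM generating. The sample lines are constructed from the thread's own entries; what the ASA does with the bare form is not assumed, the lint only reports it as ambiguous.

```python
import ipaddress
import re

# Constructed sample modelled on the thread: the ASDM-generated entry
# (no 'host', no mask) beside the hand-typed and netmask forms.
SAMPLE_ACL = """\
access-list 100 permit tcp any 65.172.252.44 eq www
access-list 100 permit tcp any host 65.172.252.44 eq www
access-list 100 permit tcp any 65.172.252.44 255.255.255.255 eq www
access-list 100 permit tcp any 65.172.252.0 255.255.255.0 eq www
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_endpoint(tokens, i):
    """Consume one source/destination spec starting at tokens[i].
    Returns (network_or_None, next_index, problem_or_None)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1, None
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2, None
    if IPV4.match(tok):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if IPV4.match(nxt):
            # address followed by a dotted netmask (strict=False tolerates host bits)
            return ipaddress.ip_network(f"{tok}/{nxt}", strict=False), i + 2, None
        # Bare address with neither 'host' nor a netmask: report, do not guess.
        return None, i + 1, f"bare address {tok} without 'host' or netmask"
    return None, i + 1, f"unrecognised endpoint token {tok!r}"


def lint_ace(line):
    """Parse one extended ACE: access-list <id> <action> <proto> <src> <dst> [eq <port>]."""
    t = line.split()
    result = {"id": t[1], "action": t[2], "proto": t[3], "problems": []}
    src, i, err = parse_endpoint(t, 4)
    if err:
        result["problems"].append("src: " + err)
    dst, i, err = parse_endpoint(t, i)
    if err:
        result["problems"].append("dst: " + err)
    result["src"], result["dst"] = src, dst
    if i < len(t) and t[i] == "eq":
        result["port"] = t[i + 1]
    return result


def lint_acl(text):
    """Lint every access-list line in a config fragment."""
    return [lint_ace(l) for l in text.splitlines() if l.startswith("access-list")]
```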

Hi!

I use the ASDM too and that's right. The netmask determines whether it is a single host or a network. Try to configure this rule using the 255.255.255.255 netmask for the inside host.

regards,

Adriano Porcaro
