Cisco Support Community

New Member

ACL applied on in|out of a port on an ASA

Folks:

I am new to working on ASAs; however, is it possible to apply an ACL to an interface and specify "in|out" command switch? If this is possible, can an example be supplied?

I am trying to limit traffic from my DMZ to my Internal network; however, the previous security engineer configured the method of communication between DMZ and Internal network via NAT rules, so no routing protocol and static route entry is currently present. Due to the latter I am not able to block traffic travelling from the DMZ to the Internal network.

  • Firewalling
1 REPLY
Super Bronze

ACL applied on in|out of a port on an ASA

Hi,

I'm not sure if I understood your question right.

Did you want to change the direction in which the ACL is applied between "in" and "out"?

Or did you just want to apply an access-list to some interface that still doesn't have one?

Here's a very simple example from my home ASA:

access-list LAN-IN extended permit ip 10.0.0.0 255.255.255.0 any

access-list WAN-IN extended deny ip any any log

access-group LAN-IN in interface LAN

access-group WAN-IN in interface WAN

I have always configured the ACLs to be applied to inbound direction on an interface

If I assign the command "access-group WAN-IN out interface WAN", basically switching the direction parameter, the ASA just also creates a rule "out" of the interface and leaves the old "in" direction list too:

ASA(config)# sh run access-group

access-group LAN-IN in interface LAN

access-group WAN-IN in interface WAN

access-group WAN-IN out interface WAN

Though as I said I'm not sure I understood you correctly.

- Jouni
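As an added example that is not part of the thread and not Cisco's code: the question asked for an ACL that limits DMZ-to-internal traffic, and the reply shows the access-list / access-group syntax with ACLs applied in the inbound direction. The script below embeds a constructed ASA configuration fragment (interface names DMZ, INSIDE and WAN, the 192.168.10.0/24 and 10.0.0.0/24 networks, and the DMZ-IN list are all assumptions) in which DMZ-IN is applied "in" on the DMZ interface to deny DMZ hosts reaching the internal network while still permitting them out to the Internet. It parses the access-list and access-group lines, then evaluates a flow against the ACL bound to a given interface and direction the way an ASA does: first matching entry wins, and an applied ACL ends in an implicit deny. It also reports interfaces that have no inbound ACL bound at all. It does not model NAT, object-groups, service ports, or the ASA's security-level defaults when no ACL is bound.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed ASA configuration fragment (an assumption for this example, not
# taken from the thread). DMZ-IN is applied inbound on the DMZ interface: the
# first entry blocks DMZ -> internal and logs it, the second lets the DMZ reach
# anything else (e.g. the Internet).
SAMPLE_CONFIG = """
access-list DMZ-IN extended deny ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0 log
access-list DMZ-IN extended permit ip 192.168.10.0 255.255.255.0 any
access-list LAN-IN extended permit ip 10.0.0.0 255.255.255.0 any
access-list WAN-IN extended deny ip any any log
access-group DMZ-IN in interface DMZ
access-group LAN-IN in interface INSIDE
access-group WAN-IN in interface WAN
"""

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+?)(?: (log))?$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")


@dataclass
class Ace:
    """One access-list entry (ACE) in the order it appeared in the config."""
    acl: str
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'NETWORK MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_config(text):
    """Return (list of Ace in config order, {(interface, direction): acl_name})."""
    aces, bindings = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            name, action, proto, addrs, log = m.groups()
            tokens = addrs.split()
            src = _parse_addr(tokens)
            dst = _parse_addr(tokens)
            aces.append(Ace(name, action, proto, src, dst, log is not None))
            continue
        m = GROUP_RE.match(line)
        if m:
            name, direction, iface = m.groups()
            bindings[(iface, direction)] = name
    return aces, bindings


def evaluate(aces, bindings, iface, direction, src_ip, dst_ip, proto="ip"):
    """Evaluate a flow against the ACL bound to (iface, direction).

    Returns (verdict, matching_ace). verdict is "permit", "deny" (explicit, or
    implicit with matching_ace=None), or "no-acl" when nothing is bound there.
    """
    name = bindings.get((iface, direction))
    if name is None:
        return "no-acl", None
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.acl != name or ace.proto not in ("ip", proto):
            continue
        if src in ace.src and dst in ace.dst:
            return ace.action, ace          # first match wins
    return "deny", None                      # implicit deny at the end of an applied ACL


def interfaces_missing_inbound(bindings, interfaces):
    """List interfaces that have no ACL applied in the inbound direction."""
    return [i for i in interfaces if (i, "in") not in bindings]


if __name__ == "__main__":
    aces, bindings = parse_config(SAMPLE_CONFIG)
    for flow in [("192.168.10.5", "10.0.0.20"), ("192.168.10.5", "203.0.113.7")]:
        verdict, ace = evaluate(aces, bindings, "DMZ", "in", *flow)
        print(flow, verdict, ace.acl if ace else "(implicit deny)")
    print("no inbound ACL:", interfaces_missing_inbound(bindings, ["DMZ", "INSIDE", "WAN", "MGMT"]))
```

The check that matters for the original question is the first flow: a DMZ host sending to the internal network hits the deny entry of the list applied inbound on the DMZ interface, regardless of how the DMZ-to-inside reachability is provided. Binding an ACL "out" on an interface, as the reply's `show run access-group` output illustrates, creates a second, independent binding; the script keys bindings by (interface, direction) for the same reason.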
