521 Views
0 Helpful
4 Replies

Automatic Naming/Binding of access lists with ASA??

paulbatte
Level 1

I have been told that if an access list is created with the suffix _access_in, and the prefix is the name of an interface, then that access list is automatically bound to that interface, even if there is no explicit command doing that.

I am looking at the config of an ASA 5550.

example:

Interface is Production

access list is called Production_access_in.

Is that access list automatically bound to the Production interface, even though it does not show up in any other commands?

4 Replies

varrao
Level 10

Hi Paul,

That's not true, you would need to apply the access-list on the interface as well, here is the command for it:

access-group Production_access_in in interface Production

Only then would the access-list be applied.

Here's the guide:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1558738

Maybe they configured it using ASDM. But it still needs to be specified.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Yes Varun, some of the config was done using ASDM, some not.

I am trying to untangle a config that is a number of years old.

It was worked on by multiple people, some who used ASDM, some who used CLI.

My question is at the bottom of the verbiage below, but ultimately, if the access list is not included in the access-group command, nor is it referenced within one of the nat rules, is that access list used AT ALL within the firewall?

An example: is the access list Primary_Public_access_in used at all?

From what you are saying, it is not.

Here is a list of access lists and interfaces I am dealing with, plus the access groups.

Interfaces:

nameif Primary_Public
nameif LANx
nameif Production
nameif Management
nameif Corp

access list names:

Primary_Public_access_in
Primary_Public_access_in_tmp
no-nat
Production_nat0_inbound
Corp_nat0_outbound
Corp_nat1_outbound
LANx_nat0_outbound
FW_LANx_in
ARIN_Primary_Public_access_in

global and nat statements:

global (Primary_Public) 1 interface
global (Primary_Public) 2 xxx.132.123.17 netmask 255.255.255.255
global (LANx) 102 interface
nat (LANx) 0 access-list LANx_nat0_outbound
nat (LANx) 2 192.168.3.0 255.255.255.0
nat (LANx) 102 0.0.0.0 0.0.0.0
nat (Production) 0 access-list no-nat
nat (Production) 0 access-list Production_nat0_inbound outside
nat (Production) 1 172.20.0.0 255.255.0.0
nat (Corp) 0 access-list Corp_nat0_outbound
nat (Corp) 1 access-list Corp_nat1_outbound
nat (management) 0 access-list Mgmt_nat0_outbound
nat (management) 1 access-list Mgmt_nat1_outbound

access groups:

access-group Primary_Public_access_in_tmp in interface Primary_Public
access-group FW_LANx_in in interface LANx

You can try this to find all instances of the access-list in your config:

show run | include Primary_Public_access_in

This would tell you everywhere the access-list has been used.

Thanks,
Varun Rao
Security Team,
Cisco TAC

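The two answers above make one point each: an access-list named <nameif>_access_in is not bound by its name (only an access-group line binds it), and `show run | include <name>` is how you find where a name is used. The script below is an added example, not from this thread or from Cisco; it does the same audit offline over a constructed ASA-style config that reuses the interface and ACL names from the thread (the IPs and interface slots are placeholders). It reports every ACL that is defined but never referenced by an access-group or nat statement, and flags the ones whose name merely looks bound. The `lines_mentioning` helper mirrors `| include` and shows its one caveat: it is a substring match, so `Primary_Public_access_in` also hits `Primary_Public_access_in_tmp`.

```python
"""Audit an ASA running-config for defined-but-unreferenced access-lists.

Added example, not code from the thread or from Cisco. SAMPLE_CONFIG is
constructed for illustration; addresses and interface slots are placeholders.
"""
import re
from collections import defaultdict

# Constructed sample config reusing the names from the thread (not the
# poster's real running-config).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Primary_Public
interface GigabitEthernet0/1
 nameif LANx
interface GigabitEthernet0/2
 nameif Production
access-list Primary_Public_access_in extended permit tcp any host 192.0.2.10 eq 443
access-list Primary_Public_access_in_tmp extended permit tcp any host 192.0.2.10 eq 443
access-list Production_access_in extended permit ip 172.20.0.0 255.255.0.0 any
access-list LANx_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list FW_LANx_in extended permit ip 192.168.3.0 255.255.255.0 any
nat (LANx) 0 access-list LANx_nat0_outbound
access-group Primary_Public_access_in_tmp in interface Primary_Public
access-group FW_LANx_in in interface LANx
"""

# Line shapes we care about (pre-8.3 nat syntax, as in the thread).
NAMEIF = re.compile(r"^\s+nameif\s+(\S+)")
ACL_DEF = re.compile(r"^access-list\s+(\S+)\s")
ACCESS_GROUP = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")
NAT_ACL = re.compile(r"^nat\s+\((\S+)\)\s+\d+\s+access-list\s+(\S+)")


def audit_acls(config):
    """Return defined ACLs, their access-group/nat references, and the ones
    that nothing references (dead ACLs that filter no traffic)."""
    defined, interfaces = set(), set()
    bound = defaultdict(list)     # acl -> [(direction, interface)]
    nat_refs = defaultdict(list)  # acl -> [interface]
    for line in config.splitlines():
        if m := NAMEIF.match(line):
            interfaces.add(m.group(1))
        elif m := ACL_DEF.match(line):
            defined.add(m.group(1))
        elif m := ACCESS_GROUP.match(line):
            bound[m.group(1)].append((m.group(2), m.group(3)))
        elif m := NAT_ACL.match(line):
            nat_refs[m.group(2)].append(m.group(1))
    unreferenced = sorted(defined - set(bound) - set(nat_refs))
    # ASDM names interface ACLs <nameif>_access_in, but the name alone binds
    # nothing: these are the ACLs an operator is most likely to assume active.
    looks_bound = sorted(
        acl for acl in unreferenced
        if any(acl == f"{ifc}_access_in" for ifc in interfaces)
    )
    return {
        "defined": sorted(defined),
        "bound": dict(bound),
        "nat_refs": dict(nat_refs),
        "unreferenced": unreferenced,
        "named_like_bound_but_unbound": looks_bound,
    }


def lines_mentioning(config, name):
    """Offline equivalent of 'show run | include <name>' (substring match)."""
    return [line for line in config.splitlines() if name in line]


if __name__ == "__main__":
    report = audit_acls(SAMPLE_CONFIG)
    for acl in report["unreferenced"]:
        print(f"unreferenced ACL: {acl}")
    for acl in report["named_like_bound_but_unbound"]:
        print(f"  name suggests an interface binding but none exists: {acl}")
    for line in lines_mentioning(SAMPLE_CONFIG, "Primary_Public_access_in"):
        print("include hit:", line)
```

Run it against a saved `show run` by reading the file into `audit_acls`; the regexes only cover the line shapes present in the thread, so extend `NAT_ACL` before using it on post-8.3 object-based NAT.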

Thanks, I will try to get that output of that command.
