Cisco Support Community
New Member

Firewall Extended Access-List Question???

Hello Guys,

I am working with extended ACLs on the Cisco ASA. I know it is true that a person can only put one ACL in each direction on an interface with a Cisco router, but I want to know if this is true with an ASA device as well. It seems like whenever I attach a different ACL to the same interface in the same direction it removes the previously attached access-group from the interface. I hope I do not have to have one access-list applied with all my rules in it. That could be dangerous if I ever have to remove an entry from the access-list and remove the entire ACL by mistake.

5 REPLIES
New Member

Re: Firewall Extended Access-List Question???

That is exactly how it works. One ACL to each interface. The only exception is that you can apply a second EtherType ACL (which can permit special protocols, i.e. BPDU, etc.). If you are doing it by hand, then it is probably best to copy the original access-list and access-group, and change the ACL name before making changes, so you can quickly revert back to the previous one. That way you would have the new and old rules easy to switch between.

New Member

Re: Firewall Extended Access-List Question???

Ok. So then you are saying that I can have Access-List Extended 101, 102, 103, etc., but I can only have one of them applied to the interface, and the others would only be used to define interesting traffic (permit/deny) or some other function that does not require the ACL to be applied to the interface. Oh yeah, thanks for the information about changing the name of the ACL, then changing the properties of the ACL and then applying the copy. That is so sweet. Never even thought of it. So simple.

Hall of Fame Super Blue

Re: Firewall Extended Access-List Question???

iketurner931 wrote:

Ok. So then you are saying that I can have Access-List Extended 101, 102, 103, etc., but I can only have one of them applied to the interface, and the others would only be used to define interesting traffic (permit/deny) or some other function that does not require the ACL to be applied to the interface. Oh yeah, thanks for the information about changing the name of the ACL, then changing the properties of the ACL and then applying the copy. That is so sweet. Never even thought of it. So simple.

You can apply 2 acls to each ASA interface, one in the inbound direction and one in the outbound direction.

Jon
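
Matt's copy-and-swap advice and Jon's point about one inbound plus one outbound ACL per interface, worked through as an added ASA CLI example that is not part of the thread. The ACL names, the interface name "outside" and the RFC 5737 addresses are assumed; the commands are standard ASA syntax (addresses are real, untranslated addresses as on 8.3 and later):

```cisco
! Added example, not from the thread. Hypothetical ACL names, interface
! "outside", and RFC 5737 documentation addresses.
! Shows (1) one extended ACL per interface per direction, with a new
! access-group replacing the old binding rather than adding to it,
! (2) the EtherType ACL exception, and (3) the copy-and-swap edit.

! --- 1. Current state: one inbound ACL bound on "outside" -----------------
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-group OUTSIDE_IN in interface outside

! Binding a second ACL in the same direction replaces the first binding.
! This is what the original poster observed; OUTSIDE_IN stays in the
! config but is no longer applied to anything.
access-list OTHER_IN extended permit tcp any host 203.0.113.20 eq 22
access-group OTHER_IN in interface outside
show running-config access-group
!   access-group OTHER_IN in interface outside
access-group OUTSIDE_IN in interface outside   ! put the original back

! Per Jon: a separate ACL may be bound in the outbound direction.
access-list OUTSIDE_OUT extended deny tcp any any eq 25
access-list OUTSIDE_OUT extended permit ip any any
access-group OUTSIDE_OUT out interface outside

! --- 2. The EtherType exception ------------------------------------------
! On bridge-group member interfaces (transparent mode) an EtherType ACL
! can be bound in the same direction as the extended ACL.
access-list ETHER_IN ethertype permit bpdu
access-group ETHER_IN in interface outside

! --- 3. Copy-and-swap: edit a copy, verify it, then move the binding -----
! Build the copy by pasting the output of
!   show running-config access-list OUTSIDE_IN
! with the name changed. Here the port-80 rule is dropped and a deny for
! one source network is inserted ahead of the https rule with "line 1".
access-list OUTSIDE_IN_V2 extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN_V2 extended permit icmp any any echo-reply
access-list OUTSIDE_IN_V2 line 1 extended deny tcp 198.51.100.0 255.255.255.0 host 203.0.113.10 eq 443

! Check the copy BEFORE binding it. Every ASA ACL ends in an implicit
! deny, so an incomplete copy blocks traffic the moment it is applied.
show access-list OUTSIDE_IN_V2
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 443
packet-tracer input outside tcp 192.0.2.7 40000 203.0.113.10 443

! The swap is a single command. The old ACL remains in the config, so
! rollback is the same command with the old name.
access-group OUTSIDE_IN_V2 in interface outside
!   rollback: access-group OUTSIDE_IN in interface outside

! Editing a live ACL in place is also safe on the ASA as long as the full
! ACE is given: "no access-list NAME extended ..." removes only that ACE.
! Only "clear configure access-list NAME" removes the whole list, so run
! it on the old copy once the new one has been in production long enough.
clear configure access-list OUTSIDE_IN
```

The value of the swap is that the cut-over and the rollback are each one line of config, and `packet-tracer` lets you confirm the new list's verdict for the flows you care about while the old list is still the one enforcing policy.
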

New Member

Re: Firewall Extended Access-List Question???

Thanks for everything Jon. I just wanted to make sure I was doing everything right.

New Member

Re: Firewall Extended Access-List Question???

Thanks for everything Matt. I just wanted to make sure I was doing everything right.
