Cisco Support Community
Community Member

acl and asa???


I'm new to the PIX and have a couple of questions regarding ACLs and the ASA.

1) I remember reading somewhere (can't find the link now) that each interface should have an ACL. Why would I need an ACL on the inside interface if I'm allowing any connection to be started from the inside to the outside and not allowing connections from the outside to the inside? I thought this was the default, because of ASA??? If I should create an ACL, what should I use, since the default behavior is what I'm looking for?

2) I have seen many people mention adding a 'deny ip any any' at the end of each ACL. Again, why, if this is the default behavior?

3) Since the default is to allow anything from the inside to the outside, and this gives me the creeps, is there a way to write an ACL that will block all outbound traffic except what our security policy says is allowed?

I know these are basic questions. I've been reading the Cisco docs and posts here, but if there are other sources of information I would appreciate a link.

Thank you for your time,



Re: acl and asa???

1. Ideally you do not allow all inside users to create connections outbound; only allow what they need. The default for a PIX is *no* ACLs enabled, as there is the implicit deny-inbound and allow-outbound ruleset.

2. This is to log everything, typically.

3. Absolutely. You can write an ACL whose first line is permit ip any any, and then selectively block things from there, or you can just start permitting what you allow, and rely upon the default deny rule implicit at the end of an ACL to clobber all that you do not want.


Re: acl and asa???


Here are the answers to your questions.

1) You only need an ACL if you want to change the default behaviour. If, in your case, you only want the default behaviour, there is no need for ACLs at all. You are right, ASA will take care of it.

Minimal requirement is that translation is configured (even if you're not doing any translation, you need at least nat (inside) 0 0 0 in your config).

2) deny ip any any is not needed on ACLs bound to an interface with a low security level. The reason for the recommendation to put it in at all times is that it is easier to read, and the second thing is that it gives less CPU consumption (if you search for ASA order of operation on CCO you will find the document which describes the ASA operation, and you will see that it takes one less step in processing when the deny ip any any is in place). The last thing to remember is that if an interface has no deny ip any any statement on it, and the traffic is travelling from a high to a low security level, the implicit rule will be that traffic is allowed, so it is not true that the deny ip any any is always at the end of the ACL (this is true in IOS, but not in PIX-OS).

3) Of course this is possible. If, for example, you want all inside hosts to be able to use HTTP to the outside, it would look like this:

access-list inside_in permit tcp any any eq www
access-list inside_in deny ip any any
access-group inside_in in interface inside

*note the deny ip any any at the end, which does prevent ASA from taking the implicit rule which would permit the traffic*

As mentioned, searching CCO for ASA order of operation will direct you to very interesting docs and links, which are worth reading.

Kind regards,
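An added example, not part of either reply above, that carries answer 3 a step further: an outbound policy ACL for the inside interface that permits only what a written policy lists and ends with an explicit, logged deny. The addresses are placeholders from the RFC 5737 documentation ranges (192.0.2.0/24 as the inside LAN, 192.0.2.25 as the mail relay, 198.51.100.53 and 198.51.100.54 as the resolvers the policy allows), and the `log` keyword on access-list lines assumes PIX 6.3 or later / ASA.

```cisco
! Added example: outbound policy for the inside interface.
! Addresses are documentation-range placeholders, not real hosts.
!
! The first matching line wins, so narrow permits and targeted
! denies go before the broad permits.
!
! DNS only to the two corporate resolvers; log any other port-53 attempt
access-list inside_in permit udp 192.0.2.0 255.255.255.0 host 198.51.100.53 eq domain
access-list inside_in permit udp 192.0.2.0 255.255.255.0 host 198.51.100.54 eq domain
access-list inside_in deny udp any any eq domain log
!
! Only the mail relay may speak SMTP to the Internet
access-list inside_in permit tcp host 192.0.2.25 any eq smtp
access-list inside_in deny tcp any any eq smtp log
!
! Web browsing from the whole inside subnet
access-list inside_in permit tcp 192.0.2.0 255.255.255.0 any eq www
access-list inside_in permit tcp 192.0.2.0 255.255.255.0 any eq 443
!
! Everything else is dropped. Cisco's documentation states that an ACL
! bound with access-group already ends in an implicit deny; the explicit
! line adds a syslog message and a hit counter for the drops.
access-list inside_in deny ip any any log
!
access-group inside_in in interface inside
```

After binding the list, `show access-list inside_in` shows a hit count per line, so a permit that never increments can be tightened or removed, and the final deny's counter shows how much traffic the policy is actually blocking. The same pattern on the outside interface (specific permits, then `deny ip any any log`) gives the same visibility for inbound attempts.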

