Re: CSM ASA acls

shaun.white · ‎09-24-2008

I have imported my ASA live from the network, however i have 6 different ACLs per my interfaces...under access-rules CSM has combined them all into the LOCAL policy? How do i stop this, i want to see it broke out by ACL Name

suschoud · ‎09-24-2008

Provide :

sh run access-l

sh run access-g

sh run policy-map

sh run class-map

REGARDS,

sushil

shaun.white · ‎09-24-2008

Sushil

Here you go...what im seeing is when i go under

Firewall-->access rules

Everything is group under policy LOCAL...and i dont see the acls broken out by name, the only way i can tell what they are for is by looking at the interface, is there a way to override this??

access-list in extended permit icmp any any

access-list in extended permit tcp any interface outside eq smtp

access-list in extended permit tcp any interface outside eq 81

access-list in extended permit tcp any interface outside eq pop3

access-list in extended permit tcp any interface outside eq ftp

access-list in extended permit tcp any interface outside eq 3389

access-list in extended permit tcp any interface outside eq https

access-list in extended permit tcp any interface outside eq www

access-list in extended permit esp any any

access-list in extended permit tcp any interface outside eq 8080

access-list in extended permit tcp any interface outside eq 8443

access-list in extended permit tcp any interface outside eq 8000

access-list in extended permit tcp any interface outside eq 1935

access-list nonat extended permit ip any 192.168.219.0 255.255.255.0

access-list nonat extended permit ip any 192.168.253.0 255.255.255.0

access-list nonat extended permit ip any 192.168.220.0 255.255.255.0

access-list inbound-fw-acl extended permit icmp any any

access-list inbound-fw-acl extended deny ip any any

access-list outbound-fw-acl extended permit ip any any

access-list outbound-fw-acl extended permit icmp any any

access-list split-tunnel standard permit 192.168.0.0 255.255.0.0

access-list split-tunnel standard permit 10.0.0.0 255.0.0.0

access-list split-tunnel standard permit 172.16.0.0 255.240.0.0

access-list dmz extended permit tcp any any eq 80

access-list dmz extended deny ip any any

access-list CSM_TF_ACL_vonage__1 extended permit ip any host 192.168.1.36

access-list CSM_TF_ACL_vonage__1 extended permit ip any host 10.10.13.5

Lab-ASA# sh run access-group

access-group in in interface outside

access-group dmz in interface dmz

Lab-ASA# sh run class-map

!

class-map inspection_default

match default-inspection-traffic

class-map vonage_1

match access-list CSM_TF_ACL_vonage__1

!

Lab-ASA# sh run policy-map

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

class vonage_1

priority

!