
New Member

Order of ACLs in PIX config

Hi,

until recently the order of access lists in our PIX config was:

names

acl_outside

acl_dmz

acl_inside

acl nat0

acl crypto maps

static mappings

isakmps

Recently, while editing access-list acl_inside I entered no access-list acl_inside which removed all the acl_inside lines.

I added all these back in but now the order of the access lists has changed and I notice that no rules in acl_inside are being processed as the hit counters are all 0. So I guess no outgoing traffic is being filtered.

The order now is:

names

acl_outside

acl_dmz

acl nat0

acl crypto maps

acl_inside

static mappings

isakmps

How can I revert to the previous order of ACLs in the PIX config?

Why would none of the acl_inside rules now be processed?

Thanks in advance

Marty

2 REPLIES
New Member

Re: Order of ACLs in PIX config

Hi Marty

The order of the access-lists is only applicable within the group, i.e. acl_inside. Could you make sure you have the ACL applied to the correct interface in the correct direction? Is this causing you problems?

Regards MJ

New Member

Re: Order of ACLs in PIX config

Hello.

My understanding is traffic from the inside to lower security interfaces does not require the access-list and access-group command.

That said, removing an entire ACL removes the access-group command.

apply

access-group acl_inside in interface inside

I'm not sure if the same applies for other interfaces wishing to access lower security interfaces.

You can consider yourself lucky :)

Tim
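The failure mode Tim describes (an access-list that exists in the config but is no longer referenced by any access-group, so it filters nothing and its hit counters stay at 0) is easy to miss by eye. The following script is an added example, not code from the thread or from Cisco: it scans a saved PIX/ASA-style configuration and reports ACLs that have entries but are neither bound with access-group nor used by a nat 0 or crypto map statement. The configuration text, interface names and addresses are constructed for illustration; the regular expressions match the classic PIX command syntax shown in the thread and may need extending for other ACL uses.

```python
import re

# Constructed sample PIX configuration (not from the thread). It mirrors the
# situation in the question: acl_inside was re-entered after
# "no access-list acl_inside", which also dropped its access-group binding.
SAMPLE_CONFIG = """\
names
access-list acl_outside permit tcp any host 192.0.2.10 eq www
access-list acl_outside deny ip any any
access-list acl_dmz permit tcp 192.0.2.0 255.255.255.0 any eq smtp
access-list nat0 permit ip 10.0.0.0 255.0.0.0 10.10.0.0 255.255.0.0
access-list acl_inside permit tcp 10.0.0.0 255.0.0.0 any eq www
access-list acl_inside deny ip any any
nat (inside) 0 access-list nat0
access-group acl_outside in interface outside
access-group acl_dmz in interface dmz
"""

# Classic PIX syntax: "access-list <name> permit|deny ..."
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\b")
# "access-group <name> in|out interface <ifname>"
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")
# ACLs that are legitimately used without an access-group binding
NAT0_RE = re.compile(r"^nat\s+\([^)]+\)\s+0\s+access-list\s+(\S+)")
CRYPTO_RE = re.compile(r"^crypto\s+map\s+\S+\s+\d+\s+match\s+address\s+(\S+)")


def parse_config(text):
    """Return (ACEs per ACL name, access-group bindings, ACLs referenced elsewhere)."""
    aces = {}        # acl name -> list of access-list lines
    bindings = {}    # acl name -> (interface, direction)
    other_refs = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            aces.setdefault(m.group(1), []).append(line)
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings[m.group(1)] = (m.group(3), m.group(2))
            continue
        for rx in (NAT0_RE, CRYPTO_RE):
            m = rx.match(line)
            if m:
                other_refs.add(m.group(1))
    return aces, bindings, other_refs


def unbound_filter_acls(text):
    """Names of ACLs that have entries but are not applied anywhere.

    Such an ACL enforces nothing: on the PIX its hit counters stay at 0,
    which is exactly the symptom reported in the question.
    """
    aces, bindings, other_refs = parse_config(text)
    return sorted(n for n in aces if n not in bindings and n not in other_refs)


def suggest_access_group(name, interface, direction="in"):
    """Build the access-group line that would re-apply an unbound ACL."""
    return f"access-group {name} {direction} interface {interface}"


if __name__ == "__main__":
    for acl in unbound_filter_acls(SAMPLE_CONFIG):
        # "inside" is assumed here from the ACL name; check the real interface.
        print(f"{acl}: defined but not applied; e.g. "
              f"{suggest_access_group(acl, 'inside')}")
```

Run against a copy of `write terminal` / `show running-config` output; anything it reports should be cross-checked with `show access-list` hit counters on the device, since an ACL the script flags is by definition not filtering traffic.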
