ASA ACL question

I'm new to the ASA and try to understand something with ACL. It will take I understand about their creation and by adding entries and that all should have the same name, but I'm confused about the ACLs that do not have the same name that already exist on a device or may be named differently.

For example:

Access-List Corporate1 permit tcp any any eq www

Access-List permits Corporate1 tcp everything any https eq

Access list ip Inside_Out allow a whole

Access-group Coprorate1 in interface outside

Ignoring the content at the moment, I have 2 ACL: one with 2 inputs and one with a single entry. The Corporate1 of the ACL applies within the interface and is active. I get this part... My question is: is the Inside_Out of the grouped ACL in automatically with the ACL and activates them as well active or is it safe to say it is not active and can be removed without causing damage? Is the ACL only activates the ACL with the same name as the Access-Group Corporate1?

I have 2 different people telling me two different things. I'm lost on this one, any help would be greatly appreciated.

-Jon

Working with ACLs imply always two steps:

  1. You configure the ACL (with possibly multiple lines but the same name).
  2. You set the ACL to a function. Which might be filtering on an interface with the control-group-access, but is not limited to the one that the ACL is used in several places when the ASA must match the traffic.

(If you did both) 1 and 2), then the ACL is active and currently in use. If you have set up the ACL only but the ACL was never assigned to a function, then the ACL is not active and can be removed.

In your example:

If you find that the ACL 'Inside_Out' but you don't know if the ACL is used, then do one

 sh run | inc Inside_Out

If the output shows only the ACL lines, it is unused and can be removed.

 clear configure access-list Inside_Out

Or it is but not used must be used, and then apply the ACL for the desired purpose.

Tags: Cisco Security

Similar Questions

  • ASA "route inside 0 0 192.168.1.1 by tunnel" interface ACL question

    Hello

    Small question around the road inside 0.0.0.0 0.0.0.0 192.168.1.2 in tunnel command.

    Do you need to add a u-turn traffic within the ACL interfaces (for example internet related http traffic) or 'same-security-traffic permit intra-interface' negates the need of this?

    So if my site remote vpn outside is 10.1.1.0/24 should I add entering permitted statements for the 10.1.1.0/24 inside my interface.

    Thank you

    same-security-traffic permit intra-interface allows then-input-output traffic on a single interface

    allowed incoming 10.1.1.0/24 statement in the list ACL allows traffic (output - then-) penetration on a single interface, but you must disable the RPF check

  • On the basic ACL question

    I have a few question ACL. I'm not clear on the source address and the destination address in the following cases.

    Case 1

    My IP WAN1 is 1.1.1.1, my FTP server is 192.168.1.2 port 23

    If I have access to FTP from internet, use ftp://1.1.1.1:23, so what's my IP ACL of source and destination IP? 1.1.1.1 is source? destination is 192.168.1.2? or any?

    Internet-(Outside 1.1.1.1) ASA (inside 192.168.1.1) - FTP (192.168.1.2)

    Case 2

    My WAN1 is always 1.1.1.1 and FTP is 192.168.1.2 port 23

    If I use the ftp://1.1.1.1:8023internet FTP access, what the ACL source IP address and destination?

    I tested in both cases = any source and destination = everything is OK.

    But I confused. I still think the Source address is IP WAN1.

    Hello

    You access the server FTP from the Internet and most likely, you won't know what ip address you will be source. In this case, your source ip address will be everything. If you know the ip address on the Internet that will have access to your FTP server, and then you specify it as the source. You access list will be as follows:

    access-list extended 100 permit tcp any host 1.1.1.1 eq 21

    access-list extended 100 permit tcp any host 1.1.1.1 eq 20

    or

    access-list extended 100 permit tcp x.x.x.x y.y.y.y host 1.1.1.1 eq 21

    access-list extended 100 permit tcp x.x.x.x y.y.y.y host 1.1.1.1 eq 20

    (if you know the network or host who will have ftp access)

    You must also make sure that you have configured static NAT and inspection of the request to your FTP server

    Thank you

    John

  • ASA ACL split Tunnel

    Cisco ASA.

    For example, I have the subnet in the tunnel of splitting ACL 192.168.0.0/16. I need made an exception to remove 192.168.89.0/24 in the ACL CE-tunnel - what is the best way to do it?

    Hi rioneljeudy ,

    You can restrict the subnets in the ACL used for the tunnel of split for example change the 16 something more specific or apply a filter, VPN policy. See an example on the following link:

    http://www.Cisco.com/c/en/us/support/docs/security/PIX-500-series-security-appliances/99103-PIX-ASA-VPN-filter.html

    It may be useful

    -Randy-

  • Crypto ACL question

    Hello

    I have a star topology IPSec VPN using a Cisco ASA as the hub and a PIX506e such as the rays.

    Two of the rays also have an IPSec VPN between them.

    The hub site connects to a WAN.

    The sites of two rays have the following ranges

    Spoke 1 = 10.154.10.0/24

    Spoke 2 = 10.156.10.0/24

    Hub = 10.8.0.0/24 site - but also connects to all other addresses in the range 10.0.0.0/8 with a back end WAN connection.

    I was looking for a way to 'Nice' configure crypto ACLs so that the traffic between the spokes 1 and 2 would be direct and then everything from 10 would go through the hub site. Rather than try to clear all the subnets in 10.0.0.0/8 except 10.156.10.0/24 & 10.154.10.0/24 in an ACL.

    If I order the cryptographic cards on the RADIUS, so the most accurate is first example (the map speaks of talking), then a card encryption to 10.0.0.0/8 for hub is second, it would work?

    So we talked 1.

    !

    allowed to access-list to-speaks-2 ip 10.154.10.0 255.255.255.0 10.156.10.0 255.255.255.0

    IP 10.154.10.0 allow Access-list to hub 255.255.255.0 10.0.0.0 255.0.0.0

    !

    outside_map 100 ipsec-isakmp crypto map
    card crypto outside_map 100 match address to-speaks-2
    card crypto outside_map 100 peer set 1.2.3.4
    transform-set set card crypto outside_map 100 standard
    outside_map 200 ipsec-isakmp crypto map
    card crypto outside_map 200 correspondence address to hub
    peer set card crypto outside_map 200 8.9.10.11
    transform-set set outside_map 200 crypto card standard

    !

    Any thoughts?

    Yes, reject the order is absolutely supported. Well... I forgot about 'decline' crypto ACL

  • Inbound and outbound ACL question

    I want to restrict inbound and outbound traffic with access-lists on my PIX 515. May be this is a stupid question, but I don't know how the acl pix treatment directions of traffic. Let's say that I encouraged in traffic ntp to the outside to the inside host inbound_acl, I need to open port ntp also in the outbound_acl pass the ntp response?

    Is it the same for the other direction (inside origin traffic)?

    Thanks for any response.

    Hello

    If you open port NTP of outside inside the host, PIX will maintain this session state and will return by the hosts inside circulation. The default is no ACL out (ACL equivalent to entering on the inside of the interface). The statefull inspection rule is the same for all directions/interfaces.

    Thank you

    Nadeem

  • Concentrator VPN VPN ASA Conversion question

    I sent our VPN3k config to the CTA and converted it to the format of the SAA.  A major problem that I see is that the hub has enabled a group name (which is equivalent to a group of tunnel on the SAA) with spaces inside and the ASA does not work.  Our primary RA VPN group is 'All staff' in the config converted, it's "All_Staff" and I guess that this is going to work for users with the existing VPN client configuration file.

    We have hundreds of users a new file of confiog or attempt to explain how to fix this problem manually is out of the question.  Are there of the other workarounds?

    Thank you.

    Try to rename the group to "All staff" (including the quotation marks!)

    so

    dial type tunnel-group "everyone".

    HTH

    Herbert

  • ACL question

    I plan to put this ACL inside interface to the following ports prevent out of the ' net. I do not want to interrupt the other IP traffic and hoped just a validation test to ensure I have make it a law. I wouldn't ruin my inside interface.

    access-list 130 tcp refuse any any eq 135

    access-list 130 deny udp any any eq 135

    access-list 130 deny udp any any eq netbios-ns

    access-list 130 deny udp any any eq netbios-dgm

    access-list 130 tcp refuse any any eq 138

    access-list 130 tcp refuse any any eq netbios-ssn

    access-list 130 tcp refuse any any eq 445

    access-list 130 tcp refuse any any eq 593

    access-list 130 tcp refuse any any 3127 3199 Beach

    access-list 130 ip allow a whole

    I don't know if I should put the "permit ip any any" at the end of the ACL or early.

    the entry that allows any one must be placed at the end of the acl, as the acl works in order.

  • RDP ACL question

    Hey everybody! Currently, I encountered a problem. I have set up for a RDP client and it works when we reached the WAN IP on port 3389. However, it works for everyone and not only for our network (were an ISP with a 23 network that we work from the desktop). I want only our network in order to control remotely on the server, we have put in place on the client's site.

    It's the ACL, I have set up on the WAN interface by using "ip access-group 100 in ' but it does not work, and I don't really know why. It should allow us in, then block everyone. No idea why its not working? When I apply it, no one can remote on this server.

    access-list 100 permit tcp 0.0.1.255 X.X.X.X host 192.168.1.4 eq 3389

    access-list 100 tcp refuse any any eq 3389

    access ip-list 100 permit a whole

    What is the subnet configured on WAN?

    What is the address of the RDP server used to connect?

    A private ip address or pubblic?

    Try changing the with the pubblic ip 192.168.1.4.

    Kind regards.

  • RVS4000 Firewall ACL Question

    I work to install and configure a RVS4000 for a friend and wanted to check my understanding of the firewall section.  He by default the firewall allows traffic from any source to any destination, including Wan.  I realize with NAT, this isn't a huge concern / should not be the case... but I tend to prefer the highest standards rather than more flexible.

    I wanted to make sure that it permits launched in-house traffic outgoing and inbound external traffic dropped, so I created the rules as an attachment shows.  I look at this properly?  Is the firewall ACL section to implement a dynamic firewall or what a pure ACL and the rule of the last of the WAN is required for the return of traffic which has already been in the NAT search engine?

    If someone could help me please clear this one small detail I would greatly appreciate.

    Thanks in advance.

    The ACL is just this ACL. The rules that you are fine, the difference with your implementation and the default value is that you explicitly deny traffic; that is not an idea of bed. On that note, this does not mean that traffic has been explicitly allowed before (default configuration).

    Before the creation of all the rules are a "deny an entire" is already in place but not displayed. This is typical routers small businesses and consumers. The only thing I would change is to supplement the subnet, right on it "any."

    I hope this helps.

  • Acesss ASA VPN question

    Hi, I was able to migrate my clients off the VPN concentrator 3030 and on the ASA 5520 VPN. The problem I have is now the ASA sees these clients VPN from my external interface and they can get of the demilitarized zone, because I did the specific NAT and rules for inside. Is there a way to make the VPN client network seems like it comes from inside network?

    You are welcome Daniel.

    Don't forget to write down the message and choose "solved my problem" which was helpful and solved your problem.

    Concerning

  • Ike ASA VPN question

    Hello all, I have problem with an IPSec tunnel and always looking what is exatly the problem. Have 2 ASA AAA. AA. AAA. A and BBB. BB. BBB. B where BBB. BB. BBB. B has 2 interfaces LAN is another DSL modem. When there is no problem with LAN tunnel is ACTIVE, but when I ALS rocking a few errors on the tunnel:

    IP = AAA. AA. AAA. One, received an INVALID_COOKIE unencrypted notify message, drop

    IP = AAA. AA. AAA. A, package in double Phase 1 detected. Retransmit the last packet.

    SH isakmp sa is:

    ITS enabled: 1

    Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)

    Total SA IKE: 1

    1 peer IKE: AAA. AA. AAA. A

    Type: user role: initiator

    Generate a new key: no State: MM_WAIT_MSG4

    If the router is waiting for ack but not expected and there is no package.

    At both ends, I deleted:

    cry clear isa

    cry clear ipsec

    I checked the peer addresses are correct, what is bodering me, it's the missing package. I think that this packet is sent to the other interface which is down and so the other ASA cannot get the negotiation.

    I will be grateful if anyone can help, I'll debug and sniff for that.

    Here are the configs and small on isakmp debug information

    Router AAA. AA. AAA. A config:

    outside_cryptomap_60 list of allowed ip extended access object-US-VPN VPN - US group object

    Route outside 0.0.0.0 0.0.0.0 XXX. XX. XX.1 1

    Crypto ipsec transform-set ESP-AES-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    card crypto outside_map 60 match address outside_cryptomap_60

    game card crypto outside_map 60 peers BBB. BBB. BB. B CC. CCC. C.CCC

    card crypto outside_map 60 value transform-set ESP-AES-SHA

    life safety association set card crypto outside_map 60 28800 seconds

    card crypto outside_map 60 set security-association life kilobytes 4608000

    outside_map interface card crypto outside

    ISAKMP allows outside

    part of pre authentication ISAKMP policy 10

    ISAKMP policy 10 3des encryption

    ISAKMP policy 10 sha hash

    10 2 ISAKMP policy group

    ISAKMP life duration strategy 10 86400

    tunnel-group BBB. BBB. BB. B type ipsec-l2l

    tunnel-group BBB. BBB. BB. B ipsec-attributes

    pre-shared-key *.

    ASA BBB. BB. BBB. B:

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    card crypto outside_map 1 match address outside_cryptomap_1

    card crypto outside_map 1 set of AAA peers. AA. AAA. A

    card crypto outside_map 1 the value transform-set ESP-SHA-3DES ESP-AES-SHA

    outside_map interface card crypto outside

    card crypto outside_map interface outsideadsl

    crypto ISAKMP allow inside

    crypto ISAKMP allow outside

    ISAKMP crypto enable outsideadsl

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    ISAKMP crypto am - disable

    debugging isakmp 127

    28 Dec 11:58:01 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0

    28 Dec 11:58:01 [IKEv1]: IP = AAA. AA. AAA. A, IKE initiator: New Phase 1, Intf inside, IKE Peer AAA. AA. AAA. A local Proxy 192.168.0.0, address remote Proxy 192.167.0.0, Card Crypto (outside_map)

    28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Building ITS ISAKMP payload

    28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Payload has, worm 02 NAT-Traversal vid construction

    28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Payload has, worm 03 NAT-Traversal vid construction

    28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, building Fragmentation VID + load useful functionality

    28 Dec 11:58:01 [IKEv1]: IP = AAA. AA. AAA. A, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + SA (1) the SELLER (13) + the SELLER (13), SELLER (13) + (0) NONE total length: 148

    28 Dec 11:58:01 [IKEv1]: IP = AAA. AA. AAA. One Message RECEIVED from IKE_DECODE (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 108

    28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. ITS payload processing

    28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Oakley proposal is acceptable

    28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. VID payload processing

    28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, received Fragmentation VID

    28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, IKE Peer included IKE fragmentation capability flags: Main Mode: Mode aggressive True: True

    28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Construction ke payload

    28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Construction nonce payload

    28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Building Cisco Unity VID payload

    28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Xauth V6 VID payload construction

    28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, Send IOS VID

    28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A payload the IOS Vendor ID theft construction ASA (version: 1.0.0 capabilities: 20000001)

    28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Construction VIDEO payload

    28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. One, send Altiga/Cisco VPN3000/Cisco ASA GW VID

    28 Dec 11:58:01 [IKEv1]: IP = AAA. AA. AAA. A, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + KE (4) + (10) NUNCIO seller (13) + the seller (13) + the seller (13) + the seller (13) + (0) NONE total length: 256

    28 Dec 11:58:07 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0

    28 Dec 11:58:07 [IKEv1]: IP = AAA. AA. AAA. A Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

    28 Dec 11:58:09 [IKEv1]: IP = AAA. AA. AAA. One Message RECEIVED from IKE_DECODE (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 108

    28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. ITS payload processing

    28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Oakley proposal is acceptable

    28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. VID payload processing

    28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, received Fragmentation VID

    28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, IKE Peer included IKE fragmentation capability flags: Main Mode: Mode aggressive True: True

    28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Treatment IKE payload

    28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 2

    28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Building ITS ISAKMP payload

    28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, building Fragmentation VID + load useful functionality

    28 Dec 11:58:09 [IKEv1]: IP = AAA. AA. AAA. A, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 108

    28 Dec 11:58:09 [IKEv1]: IP = AAA. AA. AAA. A Message from FORWARDING IKE_DECODE (msgid = 0) with payloads: HDR + KE (4) + NUNCIO (10) + SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) + (0) NONE total length: 256

    28 Dec 11:58:10 [IKEv1]: IP = AAA. AA. AAA. One Message RECEIVED from IKE_DECODE (msgid = 0) with payloads: HDR + NOTIFY (11) + NONE (0) overall length: 68

    28 Dec 11:58:10 [IKEv1]: IP = AAA. AA. AAA. One Message RECEIVED from IKE_DECODE (msgid = 0) with payloads: HDR + NOTIFY (11) + NONE (0) overall length: 68

    28 Dec 11:58:10 [IKEv1]: IP = AAA. AA. AAA. One, received an INVALID_COOKIE unencrypted notify message, drop

    28 Dec 11:58:10 [IKEv1]: IP = AAA. AA. AAA. A, exchanging information processing failed

    No degDec 28 11:58:12 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0

    28 Dec 11:58:12 [IKEv1]: IP = AAA. AA. AAA. A Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

    Don't know if that's the only issue, but to start you need a 'tunnel-group C.C.C.C' ASA A.

    If there is still a problem, download him debugs on both sides at the same time please.

    Also, what version of the software the ASA work, and how you simulate the failure on the main interface of B? Is it possible that in your test one can always happen to B through its main interface?

    HTH

    Herbert

  • ASA ACL RateLimit?

    Hello

    I have an asa5501.

    I need to do:

    limit traffic on an interface (class C subnet) in a few hours.

    In fact I do it through a router 2611, with rate-limit orders... ACL..., but I cannot perform with calendar, I just "fixed" limit.

    Any idea?

    Thank you

    Mauro

    You can use the class-map command to match the traffic in your ACL to identify traffic for matches the QoS policies.

    class-map map_name

    corresponds to the list of access acl_name

    This link should help.

    http://www.Cisco.com/en/us/customer/products/ps6120/products_configuration_guide_chapter09186a008063705d.html#wp1043440

    Thank you

    Chad

    Please rate if this can help.

  • ASA ACL problem

    Hello

    I try to put an ACL on a group policy on my VPN Ipsec Lan to Lan.

    My LCD does not work and blocking all traffic.

    Since it does not work with the ACLs on group policy, I put an ACL on the interface inside but do not match.

    To match, I must decline any all a put before a permit.

    Thank you

    Hello

    The main problem when the configuration of IPSec filters is that people set up a descendant. You must specify the inbound traffic you want to allow or deny.

    Here is the document that explains how to configure filters. Take a look and if you have any problems please contact your VPN configuration.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

    Have fun.

    Raga

  • Error SMTP sending reports by e-mail - not you usual ACL question

    Apex 4.2.5.00.08

    Data services Oracle REST 2.0.9

    Recently, we changed our architecture around a bit of the APEX. Previously we used the Oracle HTTP server on the same host as the database. Now we pass the 'web' part of the APEX to another server using ADR with Apache TomCat. Under the old configuration, we have been able to send emails without any problem. However, when we try to do under the new configuration, we get the following SMTP error stack:

    ORA-29279: SMTP permanent error: 503 #5.3.3 AUTH is not available

    I would have thought that email would still go database server in the new configuration but, perhaps, it's fake.

    1 ACL have been created

    Start

    () mailserver_acl

    "mailserver_acl.xml,"

    "ACL for mail server used to connect,"

    "APEX_040200,"

    TRUE,

    'connect',

    "MAILHOST",.

    (null);

    end;

    /

    TURN ON THE COMPUTER HOST, ACL

    OF DBA_NETWORK_ACLS

    WHERE ACL LIKE '% mailserver_acl.xml ';

    HOST ACL
    mailhost/ sys/ACLs/mailserver_acl. XML

    2. I am able to send an email with success by Telnet to port 25 on * is * host and send emails directly from the command line interface.

    3. I am able to send successfully from the database using the PL/SQL interface.

    Any ideas?

    Thank you

    -Joe

    When configure you the new application server, you MUST have reconfigured APEX, correct?  So you can have the apex_mail settings not the same as the old installation.

    Thank you

    Tony Miller
    Software LuvMuffin
    Ruckersville, WILL

Maybe you are looking for