Firewall ACL question

Hi Everyone, sorry if this is in the wrong forum. Couldn't find a Cisco firewall forum but my question might be applicable.

I've inherited an ASA5520 and 5555. I can tell the previous person did a detailed segmentation (ACLs applied on in and out of all interfaces) of the network. The problem I have is that the object groups associated with the ACLs are not part of that network. I am not sure if this might be an IOS code issue or, quite possibly, I just don't understand it yet.

Example: Access-list Dev permit TCP object-group Group1 object Group2 eq https, where this ACL is applied to the out of the Dev interfaces. This means that Group1 should be part of that network because of the form (access-list permit (tcp/udp) source host/network destination host/network eq port).

In my case, Group1 is an object group for a completely different network and so is Group2. So I am not sure how this would impact

No NATs in this case.

Help would be appreciated.

RE: Firewall ACL question

First, if you have any questions about how ASA ACLs are processed, there are a few other things you can look at:

1. hits on the ACL
2. the packet-tracer command---be sure to add the "detail" or "d" keyword at the end to get the most out of it.

I am not sure what you mean by stating that the networks in the ACL should be a part of the DEV network---no matter what, any traffic routed out that interface needs to have an entry in that DEV ACL, else it gets dropped...the ACL says to permit traffic A to traffic B on port C when going out the DEV interface---may be an important distinction to note that this is an outbound ACL, and not an inbound ACL.


If you can't beat 'em, try, try again!
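One way to check what an ACL like the one in the question really references, and which way it applies, is to expand its object groups offline and test candidate flows against it before reaching for packet-tracer on the box. The script below is an added example written for this thread, not code from either poster or from Cisco; the config fragment, the object names (Group1, Group2, DevServers) and all addresses are constructed to mirror the question. It handles the common `object network` / `object-group network` forms and `extended` ACEs with a destination `eq` port, first-match top-down with the implicit deny at the end, the way the ASA evaluates an access-list; source-port operators, service objects and nested `group-object` entries are left out.

```python
import ipaddress
import re

# Constructed ASA-style fragment (an assumption, not the asker's config).
# It reproduces the shape of the question: an "out" ACL on interface Dev whose
# first entry names two groups that belong to other networks entirely.
SAMPLE_CONFIG = """\
object network Group2
 subnet 10.30.0.0 255.255.255.0
object-group network Group1
 network-object 10.20.0.0 255.255.0.0
 network-object host 10.20.5.7
object-group network DevServers
 network-object 192.168.50.0 255.255.255.0
access-list Dev extended permit tcp object-group Group1 object Group2 eq https
access-list Dev extended permit tcp object-group Group1 object-group DevServers eq ssh
access-list Dev extended deny ip any any
access-group Dev out interface Dev
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")


def parse_objects(config):
    """Map each 'object network' / 'object-group network' name to its prefixes."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^object(?:-group)? network (\S+)", line)
        if m:
            current = m.group(1)
            objects[current] = []
            continue
        if current is None or not line.startswith(" "):
            current = None          # left the object/group block
            continue
        tokens = line.split()
        if tokens[0] in ("network-object", "subnet", "host"):
            if tokens[0] == "host" or tokens[1] == "host":
                objects[current].append(ipaddress.ip_network(tokens[-1]))
            else:  # "<network> <dotted-mask>"; ipaddress accepts the mask form
                objects[current].append(ipaddress.ip_network(f"{tokens[-2]}/{tokens[-1]}"))
    return objects


def resolve_operand(tokens, objects):
    """Consume one source/destination operand; return (prefixes, remaining tokens)."""
    kw = tokens[0]
    if kw in ("object", "object-group"):
        return objects[tokens[1]], tokens[2:]
    if kw in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if kw == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]


def parse_acl(config, acl_name, objects):
    """Return the ACEs of one access-list with object names expanded to prefixes."""
    entries = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if not m or m.group(1) != acl_name:
            continue
        action, proto, rest = m.group(2), m.group(3), m.group(4).split()
        src, rest = resolve_operand(rest, objects)
        dst, rest = resolve_operand(rest, objects)
        port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
        entries.append({"action": action, "proto": proto, "src": src, "dst": dst, "port": port})
    return entries


def touches(prefixes, subnet):
    return any(p.overlaps(subnet) for p in prefixes)


def audit(config, acl_name, iface_subnet):
    """Per ACE: does the source or destination overlap the interface's own subnet?"""
    objects = parse_objects(config)
    iface = ipaddress.ip_network(iface_subnet)
    report = []
    for i, e in enumerate(parse_acl(config, acl_name, objects), 1):
        report.append({"line": i, "action": e["action"], "port": e["port"],
                       "src_on_iface": touches(e["src"], iface),
                       "dst_on_iface": touches(e["dst"], iface)})
    return report


def first_match(entries, src_ip, dst_ip, proto, port):
    """First-match evaluation like the ASA; (None, 'deny') is the implicit deny.
    Port names are compared as strings ('https'), with no name/number mapping."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, e in enumerate(entries, 1):
        if e["proto"] not in (proto, "ip"):
            continue
        if e["port"] is not None and e["port"] != port:
            continue
        if any(s in n for n in e["src"]) and any(d in n for n in e["dst"]):
            return i, e["action"]
    return None, "deny"


if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG, "Dev", "192.168.50.0/24"):  # Dev subnet is assumed
        print(row)
    aces = parse_acl(SAMPLE_CONFIG, "Dev", parse_objects(SAMPLE_CONFIG))
    print(first_match(aces, "10.20.5.7", "10.30.0.5", "tcp", "https"))
```

Run against the constructed config with 192.168.50.0/24 as Dev's subnet, the first entry reports neither end on the interface, which is the situation the question describes. Because the list is applied `out` on Dev, that entry only ever matters for packets the ASA routes out of Dev toward 10.30.0.0/24; if no route sends traffic that way the entry is dead, and the hit counter and a `packet-tracer ... detail` run on the real unit, as the reply suggests, will confirm which.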
