ACL confusion

  • ACL confusion


    I have the ASA5520 with 5 interfaces:

    Outside(0), Management(100), Servers(99), Users(80), Remote(40).

    Objective: Users to have access to the server zone and to the internet. Deny the rest.

    User interface
    1. ACL: source (Users), destination(any) permit //for access to internet
    2. ACL: source (Users), destination(server) permit // access to server zone
    3. ACL: source (Users), destination(remote) deny //deny access to remote zone
    4. ACL: source (Users), destination(Mgmt) deny //deny access to mgmt zone

    - Since my 1st rule allows destination any, do I still need the 2nd rule?
    - Since I have the ACL defined on the user interface, do I still need to create rules on the remote & mgmt interfaces to deny access to the user zone?

    Please advise

  • #2
    Re: ACL confusion

    Looking at your proposed ACLs, your first entry is going to allow access to everything (Internet, Server, etc.)

    What you may want to do is explicitly allow port 80 and 443 for Internet access. Also explicitly permit access to the server subnet/zone. Because you are using explicit ACL entries, any other traffic that doesn't match your entries will default deny.


    access-list users extended permit tcp <user_subnet> <user_mask> any eq www
    access-list users extended permit tcp <user_subnet> <user_mask> <server_subnet> <server_mask>

    With just those two rules you have allowed access to the Internet (I am assuming your DNS servers already have access to the Internet to resolve names) and the server subnet/zone. Because there are no other matching ACLs for the mgmt and remote zones, all other traffic originating from the user interface will be dropped.

    Side note: make sure that when you apply your ACL to your "user" interface, apply it using the "in" keyword.
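The two questions in the thread come down to first-match ordering and the implicit deny at the end of every interface ACL. The toy evaluator below is an added example (not code from either poster, and not an ASA feature): it models an ACL as an ordered list of entries, evaluates sample flows the way the firewall would, and flags entries that can never fire because an earlier entry already covers them. The zone subnets, host addresses and port numbers are constructed placeholders; the original post gives only interface names and security levels. The "tightened" list follows the reply's prose (80 and 443 to any, everything to the server zone); the "ordered" list is a further variant, not suggested in the thread, that puts the zone denies ahead of the web permits.

```python
"""First-match ACL evaluator with implicit deny (added example, not from the thread)."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed zone addressing; assumed for the example, not stated in the post.
ZONES = {
    "users": ipaddress.ip_network("10.80.0.0/24"),
    "servers": ipaddress.ip_network("10.99.0.0/24"),
    "remote": ipaddress.ip_network("10.40.0.0/24"),
    "mgmt": ipaddress.ip_network("10.100.0.0/24"),
}


class Rule:
    """One access-list entry: action, protocol, source/destination network, optional dest port."""

    def __init__(self, action, proto, src, dst, dport=None):
        self.action, self.proto = action, proto
        self.src, self.dst, self.dport = src, dst, dport

    def covers_proto(self, proto):
        # "ip" matches every protocol; otherwise it must be an exact match.
        return self.proto == "ip" or self.proto == proto

    def matches(self, proto, src_ip, dst_ip, dport):
        return (self.covers_proto(proto)
                and src_ip in self.src
                and dst_ip in self.dst
                and (self.dport is None or self.dport == dport))

    def shadows(self, other):
        """True when every packet `other` could match is already matched by this entry."""
        return (self.covers_proto(other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.dport is None or self.dport == other.dport))


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Walk the list top-down; the first matching entry decides.
    Returns (action, index); index is None when the implicit deny fired."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, rule in enumerate(acl):
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, i
    return "deny", None


def shadowed(acl):
    """Indexes of entries that can never fire because an earlier entry covers them."""
    return [j for j, later in enumerate(acl)
            if any(earlier.shadows(later) for earlier in acl[:j])]


U = ZONES["users"]

# The four rules as written in the question: rule 1 permits everything, so 2-4 are dead.
ORIGINAL_ACL = [
    Rule("permit", "ip", U, ANY),
    Rule("permit", "ip", U, ZONES["servers"]),
    Rule("deny", "ip", U, ZONES["remote"]),
    Rule("deny", "ip", U, ZONES["mgmt"]),
]

# The reply's approach: web ports to anywhere, anything to the server zone, implicit deny for the rest.
TIGHTENED_ACL = [
    Rule("permit", "tcp", U, ANY, 80),
    Rule("permit", "tcp", U, ANY, 443),
    Rule("permit", "tcp", U, ZONES["servers"]),
]

# Added variant: deny the internal zones before the "any" web permits so that
# port 80/443 to Remote or Management is blocked as well (ordering does the work).
ORDERED_ACL = [
    Rule("deny", "ip", U, ZONES["mgmt"]),
    Rule("deny", "ip", U, ZONES["remote"]),
] + TIGHTENED_ACL

# Constructed sample flows from a Users host: (proto, dst, dport).
SAMPLE_FLOWS = [
    ("tcp", "10.100.0.1", 22),    # SSH to the management zone
    ("tcp", "10.40.0.9", 80),     # HTTP to the remote zone
    ("tcp", "203.0.113.10", 443), # HTTPS to the Internet
    ("tcp", "10.99.0.7", 445),    # SMB to the server zone
    ("udp", "10.99.0.7", 53),     # DNS to the server zone (not covered by tcp-only rules)
]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("tightened", TIGHTENED_ACL), ("ordered", ORDERED_ACL)):
        print(f"{name}: shadowed entries {shadowed(acl)}")
        for proto, dst, dport in SAMPLE_FLOWS:
            print(f"  {proto} 10.80.0.5 -> {dst}:{dport} = {evaluate(acl, proto, '10.80.0.5', dst, dport)}")
```

Running it shows why the original list fails its own objective: the first entry permits Users to the management zone on port 22, and entries 2 to 4 are reported as shadowed, which answers both questions (the second rule is redundant and the denies never run). The tightened list drops that SSH flow via the implicit deny, but its `any` web permits still reach the Remote zone on port 80, and UDP 53 to the server zone is dropped because the server rule is TCP-only; the ordered variant closes the first gap by placing the zone denies first.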