Hi everyone, sorry if this is in the wrong forum. I couldn't find a Cisco firewall forum, but my question might be applicable here.
I've inherited an ASA5520 and a 5555. I can tell the previous person did a detailed segmentation of the network (ACLs applied in and out on all interfaces). The problem I have is that the object groups associated with the ACLs are not part of that network. I am not sure if this might be an IOS code issue, or quite possibly I just don't understand it yet.
Example: access-list Dev permit tcp object-group Group1 object Group2 eq https, where this ACL is applied to the out of the Dev interface. This means that Group1 should be part of that network, because (access-list permit (tcp/udp) source host/network destination host/network eq port).
In my case, Group1 is an object group for a completely different network, and so is Group2. So I'm not sure what impact this would have.
No NATs in this case.
Help would be appreciated.
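The check the post is really asking for, as an added example rather than anything from the poster's config: on the ASA, `access-group NAME in interface X` filters traffic arriving on X, so the ACE source addresses are the ones expected to sit on X's subnet; `access-group NAME out interface X` filters traffic leaving through X, so there it is the ACE destination that should be local, and the source side of an outbound ACL naturally belongs to other networks. The script below parses a small subset of ASA syntax (interface/nameif/ip address, object network, object-group network, extended access-lists and access-group bindings) from a constructed config and reports, per binding, which addresses on the "should be local" side are not on that interface's subnet. The object names Group1 and Group2 and the Dev interface follow the post; every address, the Corp interface and the Corp_in ACL are assumptions made up for the example.

```python
"""Sanity-check which side of an ASA ACE should be local to the bound interface.
Added example for the thread above, not the poster's configuration. Rule applied:
'in' binding  -> ACE source should be on the interface subnet (anti-spoofing);
'out' binding -> ACE destination should be on the interface subnet.
Requires Python 3.7+ (ipaddress.IPv4Network.subnet_of). IPv4 only."""
import ipaddress
from collections import defaultdict

# Constructed sample config: names follow the post, all addresses are assumptions.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif Dev
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif Corp
 ip address 10.20.0.1 255.255.255.0
!
object network Group2
 host 10.10.0.50
object network WebSrv
 host 10.20.0.25
object-group network Group1
 network-object 10.20.0.0 255.255.255.0
 network-object host 192.168.5.7
access-list Dev extended permit tcp object-group Group1 object Group2 eq https
access-list Dev extended deny ip any any
access-list Corp_in extended permit tcp object-group Group1 object WebSrv eq 443
access-group Dev out interface Dev
access-group Corp_in in interface Corp
"""

PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # tokens consumed


def take_spec(tok, i):
    """Consume one address spec at tok[i]: 'any', host X, object NAME,
    object-group NAME or ADDR MASK. Returns (spec, next index)."""
    w = tok[i]
    if w in ("any", "any4", "any6"):
        return "any", i + 1
    if w == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    if w in ("object", "object-group"):
        return ("obj", tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{w}/{tok[i + 1]}", strict=False), i + 2


def parse_ace(tok):
    """access-list NAME extended permit|deny PROTO SRC [port-op] DST [port-op]"""
    src, i = take_spec(tok, 5)
    if i < len(tok) and tok[i] in PORT_OPS:          # optional source port operator
        i += PORT_OPS[tok[i]]
    dst, _ = take_spec(tok, i)
    return {"action": tok[3], "src": src, "dst": dst, "line": " ".join(tok)}


def parse_config(text):
    ifaces, objects = {}, {}          # nameif -> subnet ; object name -> [subnets]
    acls, bindings = defaultdict(list), []
    cur_if = cur_obj = None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if not line.startswith(" "):                  # top-level statement
            cur_if = cur_obj = None
            if tok[0] == "interface":
                cur_if = {}
            elif tok[0] in ("object", "object-group") and tok[1] == "network":
                cur_obj = objects.setdefault(tok[2], [])
            elif tok[0] == "access-list" and tok[2] == "extended":
                acls[tok[1]].append(parse_ace(tok))
            elif tok[0] == "access-group":            # access-group ACL in|out interface NAMEIF
                bindings.append((tok[1], tok[2], tok[4]))
        elif cur_if is not None:                      # interface sub-commands
            if tok[0] == "nameif":
                cur_if["nameif"] = tok[1]
            elif tok[:2] == ["ip", "address"]:
                cur_if["net"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            if "nameif" in cur_if and "net" in cur_if:
                ifaces[cur_if["nameif"]] = cur_if["net"]
        elif cur_obj is not None:                     # object / object-group members
            if tok[0] == "network-object":
                tok = tok[1:]                         # host X | ADDR MASK | object NAME
            if tok[0] == "host":
                cur_obj.append(ipaddress.ip_network(tok[1]))
            elif tok[0] == "subnet" or tok[0][0].isdigit():
                cur_obj.append(ipaddress.ip_network(f"{tok[-2]}/{tok[-1]}", strict=False))
            elif tok[0] == "object":                  # nested reference, defined earlier
                cur_obj.extend(objects[tok[1]])
    return ifaces, objects, acls, bindings


def resolve(spec, objects):
    if spec == "any":
        return None                                   # unconstrained: nothing to check
    if isinstance(spec, tuple):
        return objects[spec[1]]
    return [spec]


def check_bindings(cfg):
    """For every access-group, list addresses on the side that should be local
    to the interface (src for 'in', dst for 'out') that are NOT on its subnet."""
    ifaces, objects, acls, bindings = cfg
    findings = []
    for acl, direction, nameif in bindings:
        local, side = ifaces[nameif], "src" if direction == "in" else "dst"
        for ace in acls.get(acl, []):
            nets = resolve(ace[side], objects)
            if nets is None:
                continue
            off_net = [str(n) for n in nets if not n.subnet_of(local)]
            findings.append({"acl": acl, "direction": direction, "interface": nameif,
                             "checked_side": side, "off_net": off_net, "line": ace["line"]})
    return findings


if __name__ == "__main__":
    for f in check_bindings(parse_config(SAMPLE_CONFIG)):
        status = "ok" if not f["off_net"] else f"not on {f['interface']}: {f['off_net']}"
        print(f"{f['acl']} {f['direction']} {f['interface']} [{f['checked_side']}] {status}")
```

Run against the constructed config, the outbound Dev ACL comes back clean: its destination (object Group2, a host on the Dev subnet) is local, and the foreign source addresses in Group1 are exactly what an outbound ACL is expected to carry. The inbound Corp_in binding flags 192.168.5.7/32 from Group1 as a source that is not on the Corp subnet, which is the kind of entry worth questioning on an inbound ACL. Feed the script a real `show running-config` after extending the parser for any syntax it does not cover (service objects, nested groups defined later in the file, IPv6).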