jbell72 asked:
Access list on ASA

Can someone explain what these lines mean, please?

access-list outside_in extended permit icmp any any
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
access-list outside_in extended permit tcp host 10.1.1.10 host 10.1.1.14 eq ftp
ASKER CERTIFIED SOLUTION
Steven Carnahan
@schmitty007

Thank you, I was afraid I might have that last one backwards. Cisco used to do it in reverse a long time ago, so that the destination was first and the source second. Not sure when they switched it, but it still causes me headaches occasionally. :)
Hm, schmitty007 was typing faster ;)
@erniebeek

However, you also had a good point that both schmitty007 and I missed about the last line. I think on my part it was because I was just explaining what each line meant, not thinking about the order.

I am also wondering why that line is even there, since both addresses are in the same network, so they probably wouldn't "cross" the ASA anyway.
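The ordering point made above (source first, then destination; first match wins; the FTP permit sits below a `deny ip any any`) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python first-match walker over the four lines in the question. It assumes only the syntax shown on the page plus `NETWORK MASK` addresses, a hand-picked table of port names (`ftp` = 21 and a few others), and treats `log` as a flag that does not affect matching. The `crosses_firewall` helper models the later remark that two /30s, unlike one shared subnet, force the traffic through a routed hop.

```python
"""First-match walk over Cisco ASA extended ACL lines (constructed example).

Handles only: access-list NAME extended {permit|deny} PROTO SRC DST [eq PORT] [ICMP-TYPE] [log]
Object groups, port ranges, 'neq', 'gt' etc. are deliberately unsupported.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hand-picked subset of the port names the ASA accepts in ACL lines (assumption).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80, "https": 443}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                  # permit | deny
    proto: str                   # ip | tcp | udp | icmp
    src: ipaddress.IPv4Network   # source comes first on the ASA ...
    dst: ipaddress.IPv4Network   # ... destination second
    dport: Optional[int]         # tcp/udp 'eq PORT', else None
    icmp_type: Optional[str]     # e.g. 'echo-reply', else None
    log: bool
    text: str


def _parse_addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'NET MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2


def parse_rule(line: str) -> Rule:
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = icmp_type = None
    log = False
    while i < len(t):
        if t[i] == "eq":
            name = t[i + 1]
            dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
            i += 2
        elif t[i] == "log":
            log, i = True, i + 1
        elif proto == "icmp":
            icmp_type, i = t[i], i + 1
        else:
            raise ValueError(f"unsupported token {t[i]!r} in: {line}")
    return Rule(action, proto, src, dst, dport, icmp_type, log, line)


def matches(r: Rule, proto, src, dst, dport=None, icmp_type=None) -> bool:
    return ((r.proto == "ip" or r.proto == proto)
            and ipaddress.ip_address(src) in r.src
            and ipaddress.ip_address(dst) in r.dst
            and (r.dport is None or r.dport == dport)
            and (r.icmp_type is None or r.icmp_type == icmp_type))


def evaluate(rules, proto, src, dst, dport=None, icmp_type=None):
    """Walk top to bottom; first match wins. Returns (line number, action).
    An ASA ACL ends with an implicit deny, modelled here as (None, 'deny')."""
    for n, r in enumerate(rules, 1):
        if matches(r, proto, src, dst, dport, icmp_type):
            return n, r.action
    return None, "deny"


def shadowed(rules):
    """Map line number -> earlier line that fully covers it (so it can never match).
    Conservative: flags only full coverage by a single earlier line."""
    out = {}
    for j, b in enumerate(rules):
        for i, a in enumerate(rules[:j]):
            if (a.proto in ("ip", b.proto)
                    and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
                    and a.dport in (None, b.dport)
                    and a.icmp_type in (None, b.icmp_type)):
                out[j + 1] = i + 1
                break
    return out


def crosses_firewall(src, dst, prefixlen):
    """True when src and dst sit in different subnets of the given size, so the
    traffic must be routed (and can therefore hit an ASA interface ACL)."""
    net = lambda a: ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
    return net(src) != net(dst)


# The four lines from the question.
ACL = [
    "access-list outside_in extended permit icmp any any",
    "access-list outside_in extended permit icmp any any echo-reply",
    "access-list outside_in extended deny ip any any log",
    "access-list outside_in extended permit tcp host 10.1.1.10 host 10.1.1.14 eq ftp",
]
RULES = [parse_rule(line) for line in ACL]

if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "10.1.1.10", "10.1.1.14", dport=21))   # (3, 'deny'): line 4 never reached
    print(shadowed(RULES))                                              # {2: 1, 4: 3}
    print(crosses_firewall("10.1.1.10", "10.1.1.14", 30))              # True (two /30s)
    print(crosses_firewall("10.1.1.10", "10.1.1.14", 24))              # False (one shared /24)
```

Running it shows the FTP session from 10.1.1.10 to 10.1.1.14 stopping at line 3, and `shadowed` reporting both the redundant `echo-reply` line (already covered by line 1) and the unreachable FTP permit (covered by the deny). Flipping the two hosts in the query against line 4 alone falls through to the implicit deny, which is the source-before-destination point discussed above.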
@erniebeek

Absolutely, I too didn't go as far as to explain that. I was just trying to give the OP a little more insight. I figured he C&P'ed these few lines out of a much larger ACL.

It also reminded me of a lot of Cisco examples of really drilled-down ACLs that most live environments I have been in do not use, like actually limiting port-level access to an FTP server on the internal network, when normally they secure this with credentials.
Well, you can't be sure. What if 10.1.1.10 is in a range assigned to VPN clients and 10.1.1.14 is an internal host?
Another good point. I guess I hadn't thought of it that way. We use a completely separate network for our VPN clients, for example 10.1.0.x through 10.10.0.x for 10 locations and 10.200.50.x for VPN.
Yeah, that's a neater way. Though often people do use a subset of their internal range (which can cause lots of interesting issues :)
jbell72 (asker):

They are 2 separate /30 networks. Just FYI, and thank you.
/30? Ah that explains it :)

So, do you require additional info? If so, don't hesitate to ask. We'll do our best to answer.