cisco asa access-list/access-group in/out question

Asked by techlinden
In the ASDM, how do I specify whether an access-list is going in or out? I know in the CLI I could probably type access-group in or out, but in the ASDM every access-list automatically goes in the in direction.

Also, I have a DMZ interface with security zone 50 and of course the inside interface is security 100. Of course I can ping from inside to DMZ since it's higher to lower security. From DMZ to inside I need an access-list since it's lower to higher zone. I have an access-list allowing traffic from source DMZ to destination inside and it's working fine. The access-list, if you look at the CLI, is applied in the in direction on the DMZ interface. I'm a little confused. It seems it should be applied in the out direction since the traffic is leaving the DMZ to go to the inside interface?
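A small Python model of the direction semantics the question is about, added here as an example (it is not code from the thread or from Cisco): it parses a constructed ASA-style fragment and reports which ACLs the firewall consults for a flow between two interfaces. The interface names, security levels, subnets and the ACL name DMZ_IN are assumptions chosen to match the topology described above.

```python
import re

# Constructed ASA-style fragment modelling the thread's topology:
# inside = security 100, dmz = security 50, one ACL bound "in" on dmz.
CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
access-list DMZ_IN extended permit tcp 192.168.50.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 443
access-group DMZ_IN in interface dmz
"""

def parse(config):
    """Return ({nameif: security-level}, {(nameif, direction): acl_name})."""
    levels, bindings, current = {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current:
            levels[current] = int(line.split()[1])
        else:
            m = re.match(r"access-group (\S+) (in|out) interface (\S+)$", line)
            if m:
                bindings[(m.group(3), m.group(2))] = m.group(1)
    return levels, bindings

def flow_policy(config, ingress, egress):
    """ACLs consulted for a flow entering the ASA on `ingress` and leaving on
    `egress`, and whether security levels alone would permit it. Direction is
    relative to the firewall, not the host: a packet from a DMZ host enters
    the ASA on dmz, so the ACL bound "in" on dmz applies, then any ACL bound
    "out" on `egress`. The implicit higher-to-lower permit holds only while
    no inbound ACL is bound on `ingress`; a bound ACL ends in implicit deny.
    """
    levels, bindings = parse(config)
    checked = []
    if (ingress, "in") in bindings:
        checked.append((bindings[(ingress, "in")], "in", ingress))
    if (egress, "out") in bindings:
        checked.append((bindings[(egress, "out")], "out", egress))
    implicit = levels[ingress] > levels[egress] and (ingress, "in") not in bindings
    return {"acls": checked, "implicit_permit": implicit}

if __name__ == "__main__":
    print(flow_policy(CONFIG, "inside", "dmz"))   # no ACL consulted, implicit permit
    print(flow_policy(CONFIG, "dmz", "inside"))   # DMZ_IN evaluated inbound on dmz
    print(flow_policy(CONFIG.replace("DMZ_IN in interface", "DMZ_IN out interface"), "dmz", "inside"))  # flipped to out: nothing permits dmz -> inside
```

The third call reproduces the asker's observation: binding the same ACL "out" on dmz means a dmz-to-inside flow hits no ACL at all and has no security-level permit either.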
techlinden (ASKER):
Never mind. I think I'm an idiot. I found where you can specify the direction in the ASDM. Kind of weird though that the traffic from the DMZ to the inside is allowed via an access-list in the in direction to the DMZ interface.
ASKER CERTIFIED SOLUTION
naderz
This solution is only available to members.
That's a very good explanation. I'm going to copy it because I will forget, since it seems a little illogical: if I was an interface I would consider traffic leaving the DMZ as going out of the interface. However, if I reverse the direction of the access-list it blocks the traffic, so I don't doubt that you are correct since it's working this way. Thanks so much.