[c-nsp] FWSM ACL precedence? ACL not blocking traffic

ryanL ryan.landry at gmail.com
Wed Apr 25 11:54:34 EDT 2012


what access-list commit mode are you using?

my preferred practice is manual commit mode, but I make the changes to the
acl on a tftp server and then upload the entire acl with copy tftp running.
at the start of the script is access-list mode manual and clear configure
access-list blah. at the end of the script is access-list commit. the
changes only get applied at commit.

On Wednesday, April 25, 2012, Jeffrey G. Fitzwater wrote:

>
> We have tried the following on our test FWSM setup and it appears to break
> our original ACL used for blocking hosts.
> Nothing in the docs I have read states one ACL overrides the other.
>
> I have FWSM with OUTSIDE interface that has ACL-1 that is applied to both
> inbound and outbound traffic to DENY certain SRC hosts. (DENY IP HOST
> x.x.x.x)
>
> If I now apply an INSIDE ACL-2 to the outbound traffic with a permit IP
> any any ACE, will ACL-2 now supersede ACL-1 and PERMIT the DENIED traffic?
>
> The ACL-2 was intended for future use and has a permit IP any any for now.
>
> We are running FWSM 4.0(6) with IOS 12.2.SXI7
>
> ACL-1 = deny ip host x.x.x.x
> ACL-2 = permit ip any any
>
> Stumped ??
>
> Thanks for any info.
> Not sure if anybody is still using FWSMs.
>
> Jeff Fitzwater
> Princeton University
>
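For illustration, an added example (not from either poster) of the TFTP-staged script ryanL describes: the mode switch and clear at the top, the whole ACL body in the middle, and the commit at the end, so nothing takes effect until the last line. The ACL name comes from Jeff's message; the host address is a placeholder, and the full keyword `manual-commit` is assumed to match what ryanL abbreviates as "manual" (check the FWSM 4.0 command reference for your release).

```cisco
! Added example, not from the thread. Staged on the TFTP server and
! applied with: copy tftp running-config
!
! 1. Switch to manual commit so the edits below are staged, not applied.
!    (keyword assumed to be the long form of "access-list mode manual")
access-list mode manual-commit
!
! 2. Drop the old copy of the ACL that is being replaced.
clear configure access-list ACL-1
!
! 3. The complete ACL body. Denies for the blocked source hosts come first;
!    the final permit is last so the denies are never shadowed.
!    192.0.2.10 is a placeholder for Jeff's x.x.x.x.
access-list ACL-1 extended deny ip host 192.0.2.10 any
access-list ACL-1 extended permit ip any any
!
! 4. Apply the staged ACL in one step. Until this line runs, the running
!    ACL is unchanged, so a half-uploaded script cannot leave a gap.
access-list commit
```

Because the clear and the commit are in the same script, the window in which ACL-1 exists without its deny entries is closed before the change becomes active.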