[c-nsp] FWSM ACL precedence ? ACL not blocking traffic
Jeffrey G. Fitzwater
jfitz at Princeton.EDU
Wed Apr 25 11:24:29 EDT 2012
We have tried the following on our test FWSM setup and it appears to break our original ACL used for blocking hosts.
Nothing in the docs I have read states one ACL overrides the other.
I have FWSM with OUTSIDE interface that has ACL-1 that is applied to both inbound and outbound traffic to DENY certain SRC hosts. (DENY IP HOST x.x.x.x)
If I now apply an INSIDE ACL-2 to the outbound traffic with a permit IP any any ACE, will ACL-2 now supersede ACL-1 and PERMIT the DENIED traffic?
The ACL-2 was intended for future use and has a permit IP any any for now.
We are running FWSM 4.0(6) with IOS 12.2.SXI7
ACL-1 = deny ip host x.x.x.x
ACL-2 = permit ip any any
Stumped ??
Thanks for any info.
Not sure if anybody is still using FWSMs.
Jeff Fitzwater
Princeton University