[c-nsp] FWSM ACL precedence? ACL not blocking traffic
Jeffrey G. Fitzwater
jfitz at Princeton.EDU
Wed Apr 25 12:04:01 EDT 2012
I am using MANUAL, so I then run the "access-list commit" config command.
On Apr 25, 2012, at 11:24 , Jeffrey G. Fitzwater wrote:
>
> We have tried the following on our test FWSM setup and it appears to break our original ACL used for blocking hosts.
> Nothing in the docs I have read states one ACL overrides the other.
>
> I have FWSM with OUTSIDE interface that has ACL-1 that is applied to both inbound and outbound traffic to DENY certain SRC hosts. (DENY IP HOST x.x.x.x)
>
> If I now apply an INSIDE ACL-2 to the outbound traffic with a permit IP any any ACE, will ACL-2 now supersede ACL-1 and PERMIT the DENIED traffic?
>
> The ACL-2 was intended for future use and has a permit IP any any for now.
>
> We are running FWSM 4.0(6) with IOS 12.2.SXI7
>
> ACL-1 = deny ip host x.x.x.x
> ACL-2 = permit ip any any
>
> Stumped ??
>
> Thanks for any info.
> Not sure if anybody is still using FWSMs.
>
> Jeff Fitzwater
> Princeton University
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
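The two things this thread touches, whether a `permit ip any any` applied on one interface can override a `deny` applied on another, and the manual `access-list commit` step mentioned in the reply, can be explored with a small simulation. The code below is an added example, not code from the thread or from Cisco. It assumes the usual FWSM/ASA semantics: a flow is checked against the `in` ACL of its ingress interface and the `out` ACL of its egress interface, a deny on either drops it, each ACL ends in an implicit deny, and in manual access-list mode edits stay pending until commit. It simplifies by treating an interface/direction with no ACL applied as unchecked, and the host addresses and the trailing `permit any` in ACL-1 are constructed for the example.

```python
"""Toy model of FWSM per-interface ACL evaluation and manual commit mode.

Added example, not code from the thread or from Cisco. Assumptions:
  - a flow is checked against the 'in' ACL of its ingress interface and
    the 'out' ACL of its egress interface; a deny on either drops it;
  - ACLs are first-match with an implicit deny at the end;
  - an interface/direction with no ACL applied imposes no check here
    (a simplification of the real default behaviour);
  - in manual access-list mode, edits stay pending until commit().
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry: 'permit'/'deny' for a source ('any' or a host)."""
    action: str
    src: str

    def matches(self, src_ip: str) -> bool:
        return self.src == "any" or self.src == src_ip


def evaluate_acl(aces, src_ip):
    """First matching ACE wins; no match means the implicit deny."""
    for ace in aces:
        if ace.matches(src_ip):
            return ace.action == "permit"
    return False


class Fwsm:
    def __init__(self, mode="auto-commit"):
        assert mode in ("auto-commit", "manual-commit")
        self.mode = mode
        self.committed = {}  # (interface, direction) -> list of Ace
        self.pending = {}    # edits waiting for 'access-list commit'

    def access_group(self, aces, interface, direction):
        """Model 'access-group <acl> <in|out> interface <name>'."""
        target = self.pending if self.mode == "manual-commit" else self.committed
        target[(interface, direction)] = list(aces)

    def commit(self):
        """Model 'access-list commit': pending edits become active."""
        self.committed.update(self.pending)
        self.pending.clear()

    def decide(self, src_ip, ingress, egress):
        """Return (permitted, reason) for a flow entering ingress and leaving egress."""
        for interface, direction in ((ingress, "in"), (egress, "out")):
            aces = self.committed.get((interface, direction))
            if aces is None:
                continue  # no active ACL in this direction (see assumptions)
            if not evaluate_acl(aces, src_ip):
                return False, f"denied by {direction} ACL on {interface}"
        return True, "permitted by every applied ACL"


# Constructed sample data mirroring the thread: ACL-1 denies one host, ACL-2 permits any.
BLOCKED_HOST = "192.0.2.10"   # constructed placeholder (RFC 5737 documentation range)
OTHER_HOST = "198.51.100.7"   # constructed placeholder
ACL_1 = [Ace("deny", BLOCKED_HOST), Ace("permit", "any")]  # trailing permit is assumed
ACL_2 = [Ace("permit", "any")]


def build(mode="auto-commit"):
    """Apply ACL-1 in and out on outside and ACL-2 out on inside, as in the thread."""
    fw = Fwsm(mode)
    fw.access_group(ACL_1, "outside", "in")
    fw.access_group(ACL_1, "outside", "out")
    fw.access_group(ACL_2, "inside", "out")
    return fw


def demo():
    """Run the thread's scenario in both commit modes and collect the decisions."""
    results = {}
    fw = build("auto-commit")
    results["auto_blocked_in"] = fw.decide(BLOCKED_HOST, "outside", "inside")
    results["auto_blocked_out"] = fw.decide(BLOCKED_HOST, "inside", "outside")
    results["auto_other_in"] = fw.decide(OTHER_HOST, "outside", "inside")
    fw = build("manual-commit")
    results["manual_before_commit"] = fw.decide(BLOCKED_HOST, "outside", "inside")
    fw.commit()
    results["manual_after_commit"] = fw.decide(BLOCKED_HOST, "outside", "inside")
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:22s} {'PERMIT' if ok else 'DROP':6s} {why}")
```

Under these assumptions the `permit ip any any` on the inside `out` ACL never rescues the blocked host: the flow is dropped by ACL-1 on the outside interface before ACL-2 is consulted, in both directions. The manual-commit run shows the other way the symptom in the subject line can appear: with the edits still pending, nothing is applied and everything passes until `access-list commit` is run, which is why the `decide` reason string is worth surfacing when troubleshooting a "not blocking" report.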