ACL · Global Config

access-group [name] in interface [intf]

Applies an access control list (ACL) to a specific interface for filtering inbound traffic.

Overview

The 'access-group' command binds an access control list (ACL) to an interface on a Cisco ASA so that traffic entering the ASA on that interface is filtered. An ACL is an ordered list of permit and deny entries (ACEs) that match on source and destination address, protocol, and port. Once bound, each packet that starts a new connection inbound on that interface is checked against the ACL top-down: the first matching entry decides, a permit lets the packet through, a deny drops it, and a packet that matches nothing is dropped by the implicit deny at the end of the ACL. Return traffic for connections the ASA has already accepted is allowed by its connection table and is not re-evaluated against the ACL. Interface ACLs govern traffic passing through the ASA; connections to the ASA itself (SSH, ASDM) are controlled by the 'ssh' and 'http' commands instead.

Typical uses are restricting what the internet may reach in a DMZ and segmenting internal networks. The 'in' direction is by far the most common on ASA; 'out' is supported but rarely used. The command is entered in global configuration mode (not interface configuration mode as on IOS) and produces no output unless there is an error, for example when the named ACL does not exist. Verify the binding with 'show access-group' or 'show running-config | include access-group'. Understanding this command is essential for building security policy and for troubleshooting traffic-flow problems.

Syntax·Global Config
access-group <acl-name> in interface <interface-name>

When to Use This Command

  • Restrict inbound traffic from the internet to a DMZ web server to HTTP/HTTPS only (ACL bound inbound on the outside interface).
  • Allow SSH from a specific management subnet to servers on the inside segment. SSH to the ASA itself is to-the-box traffic, which interface ACLs do not filter; it is controlled by the 'ssh' command.
  • Block inbound ICMP echo requests on the outside interface to prevent ping sweeps.
  • Apply an ACL inbound on the inside interface to control which internal hosts may reach the DMZ or the internet. A single policy for all interfaces can instead be bound with 'access-group <acl-name> global' on ASA 8.3 and later.

Parameters

Parameter        Syntax              Description
acl-name         <acl-name>          The name of an existing extended ACL, created with 'access-list <acl-name> extended ...'. The ASA rejects the command if no ACL by that name exists.
interface-name   <interface-name>    The nameif of the interface (e.g., 'outside', 'inside', 'dmz'), not the physical port name such as GigabitEthernet0/0.

Command Examples

Apply ACL to outside interface

access-group OUTSIDE_ACL in interface outside

This command applies the ACL named 'OUTSIDE_ACL' to the outside interface for inbound traffic. No output is displayed if successful.

Verify applied ACL with show access-group

show access-group
access-group OUTSIDE_ACL in interface outside
access-group INSIDE_ACL in interface inside

The output lists all access-group bindings. Each line shows the ACL name and the interface it is applied to, along with the direction (in).

Understanding the Output

The 'access-group' command itself produces no output on successful application. To verify, use 'show access-group' which displays each binding: the ACL name, direction (in), and interface. A healthy state shows the expected ACLs bound to the correct interfaces. Missing or incorrect bindings indicate a configuration error. Use 'show running-config | include access-group' to see the commands in the running configuration.

Configuration Scenarios

Restrict inbound access to DMZ web server

A company hosts a web server in the DMZ at 10.1.1.10. Only HTTP and HTTPS from the internet should reach it; all other traffic from the internet to the DMZ must be dropped.

Topology

Internet --- ASA (outside: 203.0.113.1, dmz: 10.1.1.1) --- DMZ (10.1.1.10)

Steps

  1. Create an extended ACL that permits TCP 80 and 443 from any source to the web server.
  2. Bind the ACL inbound on the outside interface, because that is where internet traffic enters the ASA.
Configuration
! Create ACL
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 80
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 443
! Apply to the interface the traffic enters
access-group OUTSIDE_IN in interface outside

Verify: 'show access-group' should list 'access-group OUTSIDE_IN in interface outside'. Browse to the server and check 'show access-list OUTSIDE_IN': the hit counts on the two permit entries should increase. 'packet-tracer input outside tcp 203.0.113.5 12345 10.1.1.10 22' should show the packet dropped by the implicit deny.

Watch out: The 'in' direction refers to packets entering the ASA on that interface. Binding this ACL to the dmz interface instead would filter traffic originating in the DMZ, not traffic from the internet to the DMZ, and with no ACL on the outside interface connections from the lower-security outside interface to the DMZ are denied by default. If the server is published through NAT on a public address, the ACL still references the real address 10.1.1.10 on ASA 8.3 and later.

Troubleshooting with This Command

When traffic is not flowing as expected, work from the binding inward:

  1. Confirm the binding with 'show access-group'. The ACL must be bound to the interface the traffic enters, in the 'in' direction; an ACL bound to the wrong interface never sees the packets.
  2. Inspect the ACL with 'show access-list <name>', which prints each entry with its hit count. A climbing hit count on a deny entry identifies what is being blocked; a permit whose hit count never moves is not matching the traffic, often because an earlier, broader entry matches first. Entries are evaluated top-down and the first match wins, so an entry placed below a broader one that covers it is dead.
  3. Simulate the flow with packet-tracer, for example 'packet-tracer input outside tcp 203.0.113.5 12345 10.1.1.10 80'. The ACCESS-LIST phase of its output names the ACL and entry that matched, or reports the drop and its reason. Remember the implicit deny: if no permit matches, the packet is dropped.
  4. Finally, confirm the interface is up with the expected nameif and address, and that routing and NAT are correct for the destination.
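To make the binding and ordering rules concrete, here is an added Python model of how the ASA applies an interface ACL. It is illustrative code written for this page, not Cisco software, and it supports only the subset of 'access-list' syntax named in its docstring; the config it parses is constructed for the example. It reports a binding that names an undefined ACL (the condition 'show access-group' verification catches), flags an entry that an earlier entry shadows, and evaluates packets top-down with first match and implicit deny while counting hits the way 'show access-list' does.

```python
"""Added illustration (not Cisco code): an ASA-style interface ACL evaluator.

Parses a constructed running-config snippet of 'access-list ... extended' and
'access-group ... in interface ...' lines, then evaluates packets the way the
ASA applies an interface ACL: top-down, first match wins, implicit deny at the
end, hit counts per entry. Supported syntax is a subset chosen for the example:
protocols ip/tcp/udp/icmp, endpoints 'any', 'host A.B.C.D' or 'NET MASK', and
an optional 'eq PORT' on the destination.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample config. Two deliberate problems: the third OUTSIDE_IN
# entry is shadowed by the first, and 'dmz' binds an ACL that is never
# defined (the ASA rejects that with "access-list ... does not exist").
RUNNING_CONFIG = """
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 80
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 443
access-list OUTSIDE_IN extended deny tcp 198.51.100.0 255.255.255.0 host 10.1.1.10 eq 80
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
access-group DMZ_IN in interface dmz
"""

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22}  # a few ASA port keywords


@dataclass
class Ace:
    action: str                     # 'permit' or 'deny'
    proto: str                      # 'ip', 'tcp', 'udp' or 'icmp'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None when the entry has no 'eq PORT'
    text: str                       # original line, for reporting
    hits: int = 0


def _endpoint(tokens, i):
    """Parse 'any', 'host X' or 'NET MASK' at tokens[i]; return (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return ({acl_name: [Ace, ...]}, {interface: acl_name}) for inbound bindings."""
    acls, bindings = {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) >= 7 and t[0] == "access-list" and t[2] == "extended":
            src, i = _endpoint(t, 5)
            dst, i = _endpoint(t, i)
            dport = None
            if i + 1 < len(t) and t[i] == "eq":
                dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, dst, dport, line))
        elif len(t) == 5 and t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            bindings[t[4]] = t[1]
    return acls, bindings


def check_bindings(acls, bindings):
    """The check 'show access-group' verification is for: every bound ACL must exist."""
    return [f"{intf}: access-group references undefined ACL {name}"
            for intf, name in bindings.items() if name not in acls]


def evaluate(acls, bindings, intf, proto, src, dst, dport=None):
    """Evaluate one packet entering `intf`. Returns (verdict, matched entry text).

    verdict is 'permit', 'deny', or 'no-acl' when nothing is bound to the
    interface (the ASA then falls back to its security-level rules)."""
    name = bindings.get(intf)
    if name not in acls:
        return "no-acl", None
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acls[name]:                       # top-down, first match wins
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        ace.hits += 1                            # what 'show access-list' counts
        return ace.action, ace.text
    return "deny", "implicit deny"               # nothing matched


def shadowed(aces):
    """Entries that can never match because an earlier, broader entry covers them."""
    found = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and earlier.dport in (None, later.dport)):
                found.append((later.text, earlier.text))
                break
    return found


if __name__ == "__main__":
    acls, bindings = parse_config(RUNNING_CONFIG)
    for problem in check_bindings(acls, bindings):
        print("binding problem:", problem)
    for later, earlier in shadowed(acls["OUTSIDE_IN"]):
        print("shadowed:", later, "\n      by:", earlier)
    for pkt in [("outside", "tcp", "203.0.113.5", "10.1.1.10", 80),
                ("outside", "tcp", "203.0.113.5", "10.1.1.10", 22),
                ("dmz", "tcp", "10.1.1.10", "192.168.1.5", 445)]:
        print(pkt, "->", evaluate(acls, bindings, *pkt))
```

Running the script shows the three behaviours the troubleshooting steps rely on: the dmz binding is reported because DMZ_IN is never defined, the deny on line three of OUTSIDE_IN is reported as shadowed by the permit on line one (so it can never accumulate hits), and a packet to port 22 falls through to the implicit deny while a packet arriving on dmz is not evaluated by this ACL at all.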

CCNA Exam Tips

  1. 'access-group' is entered in global configuration mode on the ASA, not interface configuration mode (IOS uses 'ip access-group' under the interface).
  2. The ASA supports both 'in' and 'out'; 'in' is what you will almost always see, and 'out' is legal but rarely used.
  3. ACLs are evaluated top-down and the first match wins; an implicit deny all sits at the end.

Common Mistakes

Applying the access-group to the wrong interface, causing unintended traffic filtering.

Forgetting to create the ACL before applying it, resulting in an error.

Using 'access-list' instead of 'access-group' when trying to bind an ACL to an interface.

Platform Notes

On Cisco ASA the command is entered in global configuration mode as 'access-group <acl-name> in|out interface <interface-name>'; ASA 8.3 and later also accept 'access-group <acl-name> global' to apply one ACL to traffic entering any interface. On IOS routers the equivalent is 'ip access-group <acl> in|out', entered under the interface itself. The ASA supports both directions, with 'in' being the usual choice and 'out' rarely used. The command works the same way in transparent firewall mode, and its syntax is unchanged across 9.x releases. Juniper SRX expresses the same policy as 'security policies' between zones and Palo Alto as Security rules; the concept, filtering traffic on address, protocol and port, is the same. The ASA is a stateful firewall: the ACL is consulted when a connection is first created, and return traffic for that connection is then allowed by the connection table. Plain IOS ACLs are stateless, so return traffic must be permitted explicitly (or handled with reflexive ACLs or the zone-based firewall).
