show access-group
Displays the access-group configuration applied to interfaces, showing which access lists are attached and in which direction.
Overview
The 'show access-group' command is a vital tool for Cisco ASA Firewall administrators to verify the application of Access Control Lists (ACLs) to interfaces. ACLs are the primary mechanism for controlling traffic flow through the firewall, and they must be explicitly attached to interfaces using the 'access-group' command. This command displays the binding between ACLs and interfaces, including the direction (inbound or outbound) of traffic filtering. Understanding this command is essential for ensuring that security policies are correctly enforced. In troubleshooting workflows, it is often the first step to confirm that the intended ACL is applied before examining the ACL rules themselves. On the ASA platform, unlike Cisco IOS routers, the 'access-group' command is used exclusively for interface ACLs, while global ACLs are applied via 'access-list' with the 'global' keyword. The command output is straightforward, listing each interface with its associated ACL and direction. A missing or incorrect binding can lead to security breaches or connectivity issues. Therefore, regular verification using 'show access-group' is a best practice for firewall management.
```
show access-group [interface interface_name]
```
When to Use This Command
- Verify which access list is applied to an interface after configuration changes.
- Troubleshoot traffic filtering issues by confirming the correct ACL is attached.
- Audit security policy compliance by reviewing interface ACL bindings.
- Prepare for firewall migration by documenting current ACL assignments.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| interface interface_name | interface interface_name | Specifies the interface name (e.g., inside, outside) to display only the access-group applied to that interface. If omitted, all interfaces are shown. |
Command Examples
Show all access-groups
```
show access-group
access-group INSIDE_ACL in interface inside
access-group OUTSIDE_ACL in interface outside
```
Lists each interface with its applied ACL and direction. The first line shows ACL 'INSIDE_ACL' applied inbound on interface 'inside'. The second shows 'OUTSIDE_ACL' inbound on 'outside'.
Show access-group for specific interface
```
show access-group interface inside
access-group INSIDE_ACL in interface inside
```
Displays only the ACL applied to the specified interface 'inside'.
Understanding the Output
The output lists each interface that has an access-group applied, showing the ACL name, direction (in or out), and interface name. A healthy output shows the expected ACLs for each interface. If an interface is missing its ACL, it may indicate a misconfiguration. No output means no access-groups are configured, which could be a security risk if ACLs are intended.
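The check described above can be automated against saved command output. The following is an added example, not code from the original page or from Cisco: it parses the one-binding-per-line format of 'show access-group', then compares the parsed bindings with an expected policy table. The sample output and the EXPECTED policy (including the hypothetical 'dmz' interface and DMZ_ACL name) are constructed for this example.

```python
import re

# Constructed sample of 'show access-group' output (not captured from a real device).
SAMPLE_OUTPUT = """\
access-group INSIDE_ACL in interface inside
access-group OUTSIDE_ACL in interface outside
"""

# Hypothetical expected policy: (interface, direction) -> ACL name.
# The 'dmz' binding is deliberately absent from SAMPLE_OUTPUT to show a missing ACL.
EXPECTED = {
    ("inside", "in"): "INSIDE_ACL",
    ("outside", "in"): "OUTSIDE_ACL",
    ("dmz", "in"): "DMZ_ACL",
}

# One interface binding per line: access-group <acl> <in|out> interface <name>
BINDING_RE = re.compile(
    r"^access-group\s+(?P<acl>\S+)\s+(?P<dir>in|out)\s+interface\s+(?P<intf>\S+)\s*$"
)


def parse_access_groups(output):
    """Return {(interface, direction): acl_name} from 'show access-group' text.

    Lines that do not match the binding format (blank lines, prompts) are ignored.
    Since the ASA allows only one ACL per interface per direction, the
    (interface, direction) pair is a natural unique key.
    """
    bindings = {}
    for line in output.splitlines():
        m = BINDING_RE.match(line.strip())
        if not m:
            continue
        bindings[(m.group("intf"), m.group("dir"))] = m.group("acl")
    return bindings


def audit_bindings(actual, expected):
    """Compare parsed bindings with the expected policy.

    Returns a dict with:
      missing    - (interface, direction) pairs that should have an ACL but do not
                   (traffic there passes without ACL filtering)
      unexpected - bindings present on the device but absent from the policy
                   (for example an ACL applied in the wrong direction)
      mismatched - (key, expected_acl, actual_acl) where a different ACL is bound
    """
    missing = sorted(k for k in expected if k not in actual)
    unexpected = sorted(k for k in actual if k not in expected)
    mismatched = sorted(
        (k, expected[k], actual[k])
        for k in expected
        if k in actual and actual[k] != expected[k]
    )
    return {"missing": missing, "unexpected": unexpected, "mismatched": mismatched}


def report(output, expected=EXPECTED):
    """Parse and audit in one step; returns the audit dict for further use."""
    result = audit_bindings(parse_access_groups(output), expected)
    for key in result["missing"]:
        print(f"MISSING: no ACL bound {key[1]} on interface {key[0]}")
    for key in result["unexpected"]:
        print(f"UNEXPECTED: ACL bound {key[1]} on interface {key[0]}")
    for key, want, got in result["mismatched"]:
        print(f"MISMATCH: {key[0]} {key[1]} has {got}, expected {want}")
    return result


if __name__ == "__main__":
    report(SAMPLE_OUTPUT)
```

Feeding the script an empty capture reports every expected binding as missing, which matches the page's note that no output means no access-groups are configured. A capture containing 'access-group INSIDE_ACL out interface inside' is reported as both a missing inbound binding and an unexpected outbound one, which is exactly the wrong-direction mistake the scenario below warns about.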
Configuration Scenarios
Applying an ACL to the inside interface
A network administrator needs to restrict traffic from the inside network to the outside. An ACL named INSIDE_ACL has been created.
Topology
```
[Inside Network] --- (inside) [ASA] (outside) --- [Outside Network]
```
Steps
1. Create the ACL: access-list INSIDE_ACL extended permit ip 10.0.0.0 255.255.255.0 any
2. Apply the ACL inbound on the inside interface: access-group INSIDE_ACL in interface inside
```
! ACL definition
access-list INSIDE_ACL extended permit ip 10.0.0.0 255.255.255.0 any
! Apply to interface
access-group INSIDE_ACL in interface inside
```
Verify: Use 'show access-group' to confirm the ACL is applied. Output should show:
```
access-group INSIDE_ACL in interface inside
```
Watch out: If the ACL is applied outbound instead of inbound, traffic from inside to outside may be blocked incorrectly.
Troubleshooting with This Command
When troubleshooting traffic issues, start with 'show access-group' to verify that the correct ACL is applied to the relevant interface and direction. If an interface has no access-group, traffic will pass without ACL filtering, which may be a security concern. If the output shows an unexpected ACL, use 'show access-list <acl-name>' to review the rules. Common issues include applying the ACL in the wrong direction (e.g., inbound instead of outbound) or forgetting to apply the ACL after creation. Also, note that the ASA applies ACLs in order; if a permit rule is missing, traffic may be implicitly denied. Use 'show access-list' with the 'hitcnt' option to see how many packets matched each rule, helping identify whether traffic is being blocked or permitted as intended. If changes are made to the ACL, they take effect immediately; no reload is needed. Likewise, if the access-group itself is changed, the new ACL is applied instantly.
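The hit-count review described above can also be scripted. The following is an added example, not code from the original page or from Cisco: it parses the per-line 'show access-list' output, reads the '(hitcnt=N)' field from each access control entry, and flags two conditions a troubleshooter looks for first: deny entries that are accumulating hits (traffic is being dropped there) and permit entries with zero hits (the rule never matches, which often means the ACL is bound in the wrong direction or the entry is shadowed by an earlier line). The sample output is constructed; the trailing hash values are placeholders, not real ASA hashes.

```python
import re

# Constructed sample of 'show access-list INSIDE_ACL' output; 0x0000000N are placeholder hashes.
SAMPLE_ACL_OUTPUT = """\
access-list INSIDE_ACL; 3 elements; name hash: 0x00000000
access-list INSIDE_ACL line 1 extended permit tcp 10.0.0.0 255.255.255.0 any eq 443 (hitcnt=1532) 0x00000001
access-list INSIDE_ACL line 2 extended permit ip 10.0.0.0 255.255.255.0 any (hitcnt=0) 0x00000002
access-list INSIDE_ACL line 3 extended deny ip any any (hitcnt=87) 0x00000003
"""

# Matches one ACE line: access-list <name> line <n> <rule text> (hitcnt=<n>) ...
# The header line ("access-list NAME; N elements; ...") has no "line" keyword and is skipped.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<rule>.*?)\s+\(hitcnt=(?P<hits>\d+)\)"
)


def parse_hitcounts(output):
    """Return a list of ACE dicts (acl, line, action, rule, hits) from 'show access-list' text."""
    entries = []
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        rule = m.group("rule")
        # Action is the word after 'extended'/'standard'; default to 'other' for remarks etc.
        words = rule.split()
        action = "other"
        for w in words[:2]:
            if w in ("permit", "deny"):
                action = w
                break
        entries.append({
            "acl": m.group("acl"),
            "line": int(m.group("line")),
            "action": action,
            "rule": rule,
            "hits": int(m.group("hits")),
        })
    return entries


def triage(entries):
    """Flag the two findings a troubleshooter checks first.

    deny_with_hits : line numbers of deny ACEs that have matched traffic
    permit_unused  : line numbers of permit ACEs that have never matched
    """
    return {
        "deny_with_hits": [e["line"] for e in entries if e["action"] == "deny" and e["hits"] > 0],
        "permit_unused": [e["line"] for e in entries if e["action"] == "permit" and e["hits"] == 0],
    }


if __name__ == "__main__":
    aces = parse_hitcounts(SAMPLE_ACL_OUTPUT)
    for e in aces:
        print(f"{e['acl']} line {e['line']:>3} {e['action']:<6} hits={e['hits']:<6} {e['rule']}")
    print(triage(aces))
```

In the constructed sample, line 3 (deny ip any any) shows 87 hits while line 2 (permit ip ... any) shows none, so inside-to-outside traffic that the administrator expected line 2 to permit is being dropped; pairing this with the 'show access-group' check above tells you whether the cause is the binding or the rule order.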
CCNA Exam Tips
- Remember that 'in' refers to traffic entering the interface, 'out' to traffic leaving.
- Be aware that ASA supports only one ACL per interface per direction.
- Know that 'show access-group' does not show ACL contents; use 'show access-list' for that.
Common Mistakes
- Confusing 'in' and 'out' directions: 'in' filters traffic entering the interface, 'out' filters traffic leaving.
- Assuming multiple ACLs can be applied per direction; only one is allowed.
- Forgetting to apply an access-group after creating an ACL, leaving the interface unprotected.
Platform Notes
On Cisco ASA, the 'show access-group' command is similar to Cisco IOS, but ASA uses the 'access-group' command only for interface ACLs. In IOS, 'access-group' can also be used for line ACLs. ASA also supports 'access-list' with 'global' for global ACLs, which are not shown by 'show access-group'. For equivalent commands on other platforms, on Juniper SRX, 'show security policies' displays policy bindings, and on Palo Alto, 'show rulebase security' shows rule application. ASA versions 8.x and later support this command; earlier versions may have slightly different output formats.