Cisco ASA to Palo Alto

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cisco ASA to Palo Alto

L0 Member

Hi Team, we recently migrated from cisco ASA to Palo Alto 3220, where for one of the policy in cisco ASA has " access-list inside-egress extended permit ip any any", And this access-list is attached to the access-group to the interface "inside". as you can see below.

"access-group inside-egress out interface inside"

as per my understanding from cisco perspective for this access group the traffic which egresses out of the interface named "inside", should evaluate the against the access-list "inside-egress". The following are the access-list related to inside-egress.   


access-list inside-egress extended permit icmp host host
access-list inside-egress extended permit tcp host host eq 5707 log interval 1
access-list inside-egress extended permit ip any any


When it is converted to Palo Alto, for the " access-list inside-egress extended permit ip any any"  tool created a policy stating 

Source zone - any, Source subnet- any to destination-subnet- any, destination-zone - "inside" with allow action.


Basically anything from anywhere were allowed to inside zone (which is dangerous wide open policy).


How we can rectify this, need your advise, for the access-group with "out" attached to the interface and having "permit ip any any" accesslist.






Cyber Elite
Cyber Elite



First of all, you shouldn't allow anything coming any destination  zone with source any. I would recommend you to go through the the networks those need to be allowed and allow required subnets only, that too with specific zones. 




L2 Linker

@SureshBalaji Your security policy should not configure with any any. At least you should restrict policy for specific zones.


I am fully agreed with @SutareMayur .



  • 2 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!