The Cisco ASA 5500 Series is the newer model of Cisco firewall appliance, which followed the success of the Cisco PIX Firewall. The Cisco ASA 5500 is better described as a “security appliance” than as just a “hardware firewall”, because the ASA is not only a firewall. The device combines several security functions such as intrusion detection, intrusion prevention, content inspection and botnet inspection in addition to the firewall functionality.

However, the core function of the ASA is that of a high-performance firewall. All the other security functions are add-on services on top of the firewall functionality. The purpose of a firewall is to protect the network and IT resources from malicious sources and to control or block traffic. The Cisco ASA firewall controls traffic with Access Control Lists (ACLs).

An ACL is a list of rules made up of permit or deny statements. In short, an access control list is a network security policy. The ACL (the list of rules) is then applied to an interface of the firewall, either in the inbound or in the outbound direction of traffic. If the ACL is applied in the inbound direction (in), traffic arriving at that firewall interface is checked against the ACL. The opposite holds for outbound (out) ACLs.

The ACL permit or deny statements consist mainly of source and destination IP addresses and ports. A permit statement allows the specified source IP address/network to access the destination IP address/network; a deny statement blocks it. At the end of every ACL the firewall inserts by default an implicit DENY ALL statement that is not visible in the configuration.

Enough theory for now. Let’s look at some examples that illustrate what we said above.

The basic format of an extended access control list command is as follows:

ciscoasa(config)# access-list access_list_name extended {deny | permit} protocol source_address mask [source_port] dest_address mask [dest_port]

To apply an ACL to a specific interface, use the access-group command as follows:

ciscoasa(config)# access-group access_list_name [in | out] interface interface_name

Example 1: Allow only HTTP traffic from the inside network 10.0.0.0/24 to any Internet site.

ciscoasa(config)# access-list HTTP-ONLY extended permit tcp 10.0.0.0 255.255.255.0 any eq 80
ciscoasa(config)# access-group HTTP-ONLY in interface inside
The name “HTTP-ONLY” is the name of the Access Control List, which in our example contains only one permit statement. Again, note that there is an implicit DENY ALL rule at the end of the ACL, which is not shown in the configuration.

Example 2: Deny Telnet traffic from host 10.1.1.1 to host 10.2.2.2 and allow everything else.

ciscoasa(config)# access-list DENY-TELNET extended deny tcp host 10.1.1.1 host 10.2.2.2 eq 23
ciscoasa(config)# access-list DENY-TELNET extended permit ip host 10.1.1.1 host 10.2.2.2
ciscoasa(config)# access-group DENY-TELNET in interface inside

The ACL above (DENY-TELNET) contains two statements, a deny and a permit. As mentioned earlier, the “access-group” command applies the ACL to an interface, in either the inbound or the outbound direction.

Example 3: Deny all TCP traffic from our internal network 192.168.1.0/24 to the external network 200.1.1.0/24. Also deny HTTP (port 80) from our internal network to the external host 210.1.1.1. All other traffic from the inside is allowed.

ciscoasa(config)# access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 200.1.1.0 255.255.255.0
ciscoasa(config)# access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 host 210.1.1.1 eq 80
ciscoasa(config)# access-list INSIDE_IN extended permit ip any any
ciscoasa(config)# access-group INSIDE_IN in interface inside
