Copyright (c) 2008 Don R. Crawley
Access Control Lists (ACLs) are sequential lists of permit and deny conditions applied to traffic on a device interface. ACLs match traffic on criteria such as protocol type, source IP address, destination IP address, source port number and/or destination port number.

ACLs can be used to filter traffic for various purposes, including security, monitoring, route selection and network address translation. ACLs consist of one or more Access Control Entries (ACEs). Each ACE is a single line in an ACL.

ACLs on a Cisco ASA Security Appliance (or a PIX firewall running PIX software version 7.x or later) are similar to those on a Cisco router, but not identical. Firewalls use real subnet masks instead of the inverted (wildcard) masks used on a router. ACLs on a firewall are always named rather than numbered, and they are always extended.

The syntax of an ACE is relatively simple:
ciscoasa(config)# access-list name [line line-number] [extended] {permit | deny} protocol source_IP_address source_netmask [operator source_port] destination_IP_address destination_netmask [operator destination_port] [log [[disable | default] | [level]] [interval seconds]] [time-range name] [inactive]

Here’s an example:
asa(config)# access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq 80
asa(config)# access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq 443
asa(config)# show access-list demo1
access-list demo1; 2 elements
access-list demo1 line 1 extended permit tcp 10.1.0.0 255.255.255.0 any eq www
access-list demo1 line 2 extended permit tcp 10.1.0.0 255.255.255.0 any eq https

In the above example, an ACL called “demo1” is created. Its first ACE permits TCP traffic from the subnet 10.1.0.0 to any destination IP address on destination port 80 (www). The second ACE permits the same traffic to destination port 443. Note in the output of show access-list that line numbers are displayed and the extended parameter is included, although neither was typed in the configuration statements.

You can disable an ACE without removing it by adding the inactive option to the end of the line.

As with Cisco routers, there is an implicit “deny any” at the end of each ACL. All traffic that is not explicitly permitted is implicitly denied.

**Editing ACLs and ACEs**

New ACEs are added to the end of the ACL. However, if you want to insert the new entry at a specific location within the ACL, you can add the line parameter with a line number to the ACE:

asa04(config)# access-list demo1 line 1 deny tcp any host 10.1.0.2 eq www
asa04(config)# show access-list demo1
access-list demo1; 3 elements
access-list demo1 line 1 extended deny tcp any host 10.1.0.2 eq www
access-list demo1 line 2 extended permit tcp 10.1.0.0 255.255.255.0 any eq www
access-list demo1 line 3 extended permit tcp 10.1.0.0 255.255.255.0 any eq https

Note in the first line of the example above that the ACE is added to the ACL with the line parameter. Note in the output of the show access-list demo1 command that the new entry is placed in the first position in the ACL, and the entry that was previously first is now line number two.

You can remove an ACE from an ACL by preceding the ACE configuration statement with the no modifier, as in this example:
asa04(config)# no access-list demo1 deny tcp any host 10.1.0.2 eq www
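The behaviour described above (top-down first-match evaluation, the implicit deny, real subnet masks rather than wildcard masks, insertion with the line parameter, the inactive keyword, and removal with no) can be modelled in a few dozen lines. The following Python model is an added illustration; it is not code from the original article or from Cisco, and it is a teaching model rather than the ASA's implementation. The port-name table, the packet values in the test, and the demo() session that replays the article's demo1 ACL are constructed for the example.

```python
"""Toy model of Cisco ASA access-list behaviour (constructed teaching example)."""
import ipaddress

# ASA prints well-known port names in "show access-list"; a few assumed here.
PORT_NAMES = {80: "www", 443: "https", 22: "ssh", 25: "smtp"}
NAME_TO_PORT = {name: port for port, name in PORT_NAMES.items()}


def _parse_net(tokens, i):
    """Address spec at tokens[i]: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'.
    The mask is a real subnet mask (ASA), not a router-style wildcard mask."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens, i):
    """Optional 'eq PORT' operator; returns (port number or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (NAME_TO_PORT[p] if p in NAME_TO_PORT else int(p)), i + 2
    return None, i


def _fmt_net(n):
    if n.prefixlen == 0:
        return "any"
    if n.prefixlen == 32:
        return f"host {n.network_address}"
    return f"{n.network_address} {n.netmask}"


def _fmt_port(p):
    return "" if p is None else f" eq {PORT_NAMES.get(p, p)}"


class ACE:
    """One access control entry, i.e. one line of an ACL."""

    def __init__(self, body):
        t = body.split()
        self.action, self.protocol = t[0], t[1]
        self.src, i = _parse_net(t, 2)
        self.src_port, i = _parse_port(t, i)
        self.dst, i = _parse_net(t, i)
        self.dst_port, i = _parse_port(t, i)
        self.inactive = "inactive" in t[i:]   # disabled but still configured

    def key(self):
        """Canonical text without the inactive flag; used to match 'no ...'."""
        return (f"{self.action} {self.protocol} {_fmt_net(self.src)}{_fmt_port(self.src_port)}"
                f" {_fmt_net(self.dst)}{_fmt_port(self.dst_port)}")

    def __str__(self):
        return self.key() + (" inactive" if self.inactive else "")

    def matches(self, protocol, src_ip, dst_ip, dst_port=None, src_port=None):
        if self.inactive or self.protocol not in ("ip", protocol):
            return False
        if ipaddress.ip_address(src_ip) not in self.src:
            return False
        if ipaddress.ip_address(dst_ip) not in self.dst:
            return False
        return ((self.src_port is None or self.src_port == src_port)
                and (self.dst_port is None or self.dst_port == dst_port))


class ACL:
    """A named ACL: ordered ACEs, evaluated top-down, first match wins."""

    def __init__(self, name):
        self.name = name
        self.entries = []

    def configure(self, statement):
        """Apply one config-mode line: 'access-list NAME [line N] [extended] ACE'
        or 'no access-list NAME [extended] ACE' (removes the matching entry)."""
        t = statement.split()
        remove = t[0] == "no"
        if remove:
            t = t[1:]
        if t[0] != "access-list" or t[1] != self.name:
            raise ValueError("statement is not for this ACL")
        t = t[2:]
        line = None
        if t[0] == "line":
            line, t = int(t[1]), t[2:]
        if t[0] == "extended":                 # optional: ASA ACLs are extended anyway
            t = t[1:]
        ace = ACE(" ".join(t))
        if remove:
            self.entries = [e for e in self.entries if e.key() != ace.key()]
            return
        for existing in self.entries:          # re-entering an ACE edits it in place,
            if existing.key() == ace.key():    # e.g. appending 'inactive' disables it
                existing.inactive = ace.inactive
                return
        if line is None:
            self.entries.append(ace)           # default: appended at the end
        else:
            self.entries.insert(line - 1, ace) # later entries shift down one line

    def show(self):
        """Mimic 'show access-list NAME': a header plus one numbered line per ACE."""
        out = [f"access-list {self.name}; {len(self.entries)} elements"]
        out += [f"access-list {self.name} line {n} extended {e}"
                for n, e in enumerate(self.entries, 1)]
        return out

    def evaluate(self, protocol, src_ip, dst_ip, dst_port=None, src_port=None):
        """(action, line) of the first active match, or ('deny', None) for the
        implicit deny at the end of every ACL."""
        for n, e in enumerate(self.entries, 1):
            if e.matches(protocol, src_ip, dst_ip, dst_port, src_port):
                return e.action, n
        return "deny", None


def demo():
    """Replay the article's demo1 session: two permits, then a deny inserted at line 1."""
    acl = ACL("demo1")
    acl.configure("access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq 80")
    acl.configure("access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq 443")
    acl.configure("access-list demo1 line 1 deny tcp any host 10.1.0.2 eq www")
    return acl


if __name__ == "__main__":
    print("\n".join(demo().show()))
```

Running the module prints the same three numbered lines as the article's show access-list demo1 output. The useful checks are the ones the article's prose implies: a packet to 10.1.0.2:80 is denied by line 1 even though line 2 would permit it, a packet from outside 10.1.0.0/24 hits the implicit deny, and marking line 1 inactive makes the same packet fall through to line 2 while the entry remains in the list.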
In my next article I’ll show how to use time-based Access Control Lists, which apply only at certain times and/or dates. I will also show how to simplify ACL management by using object groups with Access Control Lists to group together similar elements such as IP addresses or protocols.
