All Pix

Copyright (c) 2008 Don R. Crawley
Access Control Lists (ACLs) are sequential lists of permit and deny conditions applied to traffic flows on a device interface. ACLs match on various criteria, including IP protocol type, source IP address, destination IP address, source port number and/or destination port number.
ACLs can be used to filter traffic for various purposes, including security, monitoring, route selection, and network address translation. An ACL consists of one or more access control entries (ACEs). Each ACE is an individual line within an ACL.
ACLs on a Cisco ASA Security Appliance (or a PIX firewall running software version 7.x or later) are similar to those on a Cisco router, but not identical. The security appliance uses real subnet masks instead of the inverted (wildcard) masks used on a router. ACLs on the firewall are always named rather than numbered, and are assumed to be extended lists.
The syntax of an ACE is relatively simple:
ciscoasa(config)# access-list name [line number] [extended] {permit | deny} protocol source_IP_address source_netmask [operator source_port] destination_IP_address destination_netmask [operator destination_port] [log [[disable | default] | [level]] [interval seconds]] [time-range name] [inactive]
Here's an example:
asa(config)# access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq www
asa(config)# access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq 443
asa(config)# show access-list demo1
access-list demo1; 2 elements
access-list demo1 line 1 extended permit tcp 10.1.0.0 255.255.255.0 any eq www
access-list demo1 line 2 extended permit tcp 10.1.0.0 255.255.255.0 any eq https
In the above example, an ACL called "demo1" is created. The first ACE permits TCP traffic originating on the 10.1.0.0 subnet to go to any destination IP address with destination port 80 (www). The second ACE permits the same traffic flow for destination port 443. Notice in the output of the show access-list command that line numbers are displayed and the extended parameter is included, although neither was typed in the configuration statements; also, port 443 is displayed by its service name, https.
You can deactivate an ACE without deleting it by adding the inactive option to the end of the line.
As with Cisco routers, there is an implicit "deny any" at the end of each ACL. All traffic not explicitly permitted is implicitly denied.
Editing ACLs and ACEs
A new ACE is appended to the end of the ACL. If, however, you want to insert the new ACE at a particular position within the ACL, you can add the line number parameter to the ACE:
asa04(config)# access-list demo1 line 1 deny tcp any host 10.1.0.2 eq www
asa04(config)# show access-list demo1
access-list demo1; 3 elements
access-list demo1 line 1 extended deny tcp any host 10.1.0.2 eq www
access-list demo1 line 2 extended permit tcp 10.1.0.0 255.255.255.0 any eq www
access-list demo1 line 3 extended permit tcp 10.1.0.0 255.255.255.0 any eq https
Notice in the first line of the example above that the ACE is added with an explicit line number. In the output of the show access-list demo1 command, the new entry occupies the first position in the ACL and the entry that was previously first has become line 2. Because ACEs are evaluated in order and the first match wins, a deny placed at line 1 takes effect before the broader permits below it.
You can remove an ACE from an ACL by preceding the ACE's configuration statement with the no modifier, as in the following example:
asa04(config)# no access-list demo1 deny tcp any host 10.1.0.2 eq www
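To make the ordering rules described above concrete (first match wins, line-number insertion, the inactive keyword, and the implicit deny at the end of every ACL), here is a small simulator written for this article. It is not Cisco code and only models the subset of ACE syntax used in the examples above: a single protocol, any/host/real-mask addresses, an optional destination eq port, and the www/https service names.

```python
import ipaddress

PORT_NAMES = {"www": 80, "https": 443}  # service keywords used in the page's examples

def parse_ace(text):
    # [line N] [extended] {permit|deny} proto SRC DST [eq PORT] [inactive]
    # SRC/DST is 'any', 'host A.B.C.D', or 'A.B.C.D MASK' (a real mask, not a wildcard)
    t = text.split()
    i, line = 0, None
    if t[i] == "line":
        line, i = int(t[i + 1]), i + 2
    if t[i] == "extended":
        i += 1
    action, proto, i = t[i], t[i + 1].lower(), i + 2
    def addr():
        nonlocal i
        if t[i] == "any":
            i += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if t[i] == "host":
            i += 2
            return ipaddress.ip_network(t[i - 1] + "/32")
        i += 2
        return ipaddress.ip_network(f"{t[i - 2]}/{t[i - 1]}", strict=False)
    src, dst, dport = addr(), addr(), None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        i += 2
    return {"line": line, "action": action, "proto": proto, "src": src,
            "dst": dst, "dport": dport, "inactive": "inactive" in t[i:]}

class Acl:
    def __init__(self):
        self.aces = []

    def add(self, text):  # 'line N' inserts at position N, otherwise append (as on an ASA)
        ace = parse_ace(text)
        pos = len(self.aces) if ace["line"] is None else ace["line"] - 1
        self.aces.insert(pos, ace)

    def check(self, proto, src_ip, dst_ip, dport):
        # First matching active ACE wins; if nothing matches, the implicit deny applies
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for ace in self.aces:
            if ace["inactive"] or ace["proto"] not in ("ip", proto.lower()):
                continue
            if s in ace["src"] and d in ace["dst"] and ace["dport"] in (None, dport):
                return ace["action"]
        return "deny"
```

Feeding it the demo1 entries from this article shows that web traffic from 10.1.0.0/24 to host 10.1.0.2 is permitted until the line 1 deny is inserted, while SSH (port 22) from the same subnet was never permitted because no ACE matches it.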
In my next article I'll show you how to use time ranges to make access control lists apply only during certain hours and/or on certain days. We will also show how to use object groups in access control lists to simplify ACL management by grouping similar components, such as IP addresses or protocols, together.
About the Author:
Don R. Crawley, CCNA-certified, is president and chief technologist at soundtraining.net, the Seattle training firm specializing in business skills and technical training for IT professionals. He works with IT pros to enhance their work, lives, and careers. For more information about soundtraining.net's accelerated Cisco ASA training, visit here.
Article Source: ArticlesBase.com - How to Create and Manage Access-control Lists on Cisco Asa and Pix Firewalls