Copyright (c) 2008 Don R. Crawley

Access Control Lists (ACLs) are sequential lists of permit and deny conditions applied to traffic flows on a device interface. ACLs are based on various criteria including protocol type, source IP address, destination IP address, source port number, and/or destination port number.

ACLs can be used to filter traffic for various purposes including security, monitoring, route selection, and network address translation. ACLs are comprised of one or more Access Control Entries (ACEs). Each ACE is an individual line within an ACL.

ACLs on a Cisco ASA Security Appliance (or a PIX firewall running software version 7.x or later) are similar to those on a Cisco router, but not identical. Firewalls use real subnet masks (for example, 255.255.255.0) instead of the inverted wildcard mask (0.0.0.255) used on a router. ACLs on a firewall are always named instead of numbered and are assumed to be an extended list.

The syntax of an ACE is relatively straightforward:

```
ciscoasa(config)# access-list name [line number] [extended] {permit | deny} protocol source_IP_address source_netmask [operator source_port] destination_IP_address destination_netmask [operator destination_port] [log [[disable | default] | [level]] [interval seconds]] [time-range name] [inactive]
```

Here's an example:

```
asa(config)# access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq www
asa(config)# access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq 443
asa(config)# show access-list demo1
access-list demo1; 2 elements
access-list demo1 line 1 extended permit tcp 10.1.0.0 255.255.255.0 any eq www
access-list demo1 line 2 extended permit tcp 10.1.0.0 255.255.255.0 any eq https
```

In the above example, an ACL called "demo1" is created in which the first ACE permits TCP traffic originating on the 10.1.0.0 subnet to go to any destination IP address with the destination port of 80 (www). In the second ACE, the same traffic flow is permitted for destination port 443. Notice in the output of show access-list that line numbers are displayed and the extended parameter is also included, even though neither was included in the configuration statements. The appliance also displays port 443 by its well-known name, https, although it was entered as a number.

You can deactivate an ACE without deleting it by appending the inactive option to the end of the line.

As with Cisco routers, there is an implicit "deny any" at the end of every ACL. Any traffic that is not explicitly permitted is implicitly denied.

**Editing ACLs and ACEs**

New ACEs are appended to the end of the ACL. If you want, however, to insert the new ACE at a particular location within the ACL, you can add the line number parameter to the ACE:

```
asa04(config)# access-list demo1 line 1 deny tcp host 10.1.0.2 any eq www
asa04(config)# show access-list demo1
access-list demo1; 3 elements
access-list demo1 line 1 extended deny tcp host 10.1.0.2 any eq www
access-list demo1 line 2 extended permit tcp 10.1.0.0 255.255.255.0 any eq www
access-list demo1 line 3 extended permit tcp 10.1.0.0 255.255.255.0 any eq https
```

Notice in the first line of the example above that an ACE is added at line one in the ACL. Notice in the output from the show access-list demo1 command that the new entry is added in the first position in the ACL and the former first entry becomes line number two. Position matters because ACEs are evaluated in order and the first match wins: with the deny at line 1, host 10.1.0.2 is now blocked from reaching port 80 while the rest of the 10.1.0.0 subnet is still permitted; had the same deny been appended as line 3, it would never match, because line 2 already permits that traffic.

You can remove an ACE from an ACL by preceding the ACE configuration statement with the modifier no, as in the following example:

```
asa04(config)# no access-list demo1 deny tcp host 10.1.0.2 any eq www
```

In my next article, I'll show you how to use time-ranges to apply access-control lists only at certain times and/or on certain days. I'll also show you how to use object-groups with access-control lists to simplify ACL management by grouping similar components such as IP addresses or protocols together.
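The following is an added example, not code from the article or from Cisco: a small Python model of the ACL behaviour described above (first match wins, the inactive option skips an ACE, real subnet masks, the implicit deny any at the end) and of the editing operations in the section above (appending, inserting with line N, and removing with no). The parser, the helper names and the destination address 192.0.2.10 are all constructed for illustration; the ACL it replays is the article's demo1.

```python
"""Model of how a Cisco ASA evaluates an extended ACL: ACEs are tested in
order, the first match wins, 'inactive' ACEs are skipped, addresses use real
subnet masks, and anything unmatched hits the implicit 'deny any'.
Constructed illustration (hypothetical helpers), not ASA code or device output."""
import ipaddress
import re

# A few well-known port names the ASA accepts in place of numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:line\s+(?P<line>\d+)\s+)?(?:extended\s+)?"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*)$"
)

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _parse_endpoint(tokens, i):
    """Parse 'address [eq port | range lo hi]' at tokens[i]; return (net, ports, next_i)."""
    tok = tokens[i]
    if tok == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tok == "host":
        net, i = ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    else:
        # ASA syntax: a real subnet mask (255.255.255.0), not an IOS wildcard (0.0.0.255)
        net, i = ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2
    ports = None  # None means any port
    if i < len(tokens) and tokens[i] == "eq":
        p = _port(tokens[i + 1])
        ports, i = (p, p), i + 2
    elif i < len(tokens) and tokens[i] == "range":
        ports, i = (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return net, ports, i

def parse_ace(text):
    """Turn one 'access-list ...' configuration statement into a dict."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an extended ACE: {text!r}")
    tokens = m["rest"].split()
    src, sports, i = _parse_endpoint(tokens, 0)
    dst, dports, i = _parse_endpoint(tokens, i)
    return {
        "name": m["name"], "line": int(m["line"]) if m["line"] else None,
        "action": m["action"], "proto": m["proto"], "rest": m["rest"],
        "src": src, "sports": sports, "dst": dst, "dports": dports,
        "inactive": "inactive" in tokens[i:],  # trailing options: log, time-range, inactive
    }

def add_ace(acl, text):
    """Append the ACE, or insert it at the 1-based position given by 'line N'."""
    ace = parse_ace(text)
    if ace["line"] is None:
        acl.append(ace)
    else:
        acl.insert(ace["line"] - 1, ace)
    return acl

def remove_ace(acl, text):
    """'no access-list ...' removes the ACE whose fields match, wherever it sits."""
    target = parse_ace(re.sub(r"^\s*no\s+", "", text))
    keys = ("action", "proto", "src", "sports", "dst", "dports")
    acl[:] = [a for a in acl if any(a[k] != target[k] for k in keys)]
    return acl

def show_access_list(acl):
    """Render like 'show access-list': line numbers assigned in order, 'extended' shown."""
    out = [f"access-list {acl[0]['name']}; {len(acl)} elements"]
    for n, a in enumerate(acl, 1):
        out.append(f"access-list {a['name']} line {n} extended {a['action']} {a['proto']} {a['rest']}")
    return out

def evaluate(acl, proto, src_ip, sport, dst_ip, dport):
    """Return (action, matched_line); matched_line is None for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, a in enumerate(acl, 1):
        if a["inactive"] or a["proto"] not in ("ip", proto):
            continue
        if s not in a["src"] or d not in a["dst"]:
            continue
        if a["sports"] and not a["sports"][0] <= sport <= a["sports"][1]:
            continue
        if a["dports"] and not a["dports"][0] <= dport <= a["dports"][1]:
            continue
        return a["action"], n
    return "deny", None  # implicit deny any at the end of every ACL

def build_demo1():
    """Replays the article's demo1 ACL, including the 'line 1' insertion."""
    acl = []
    add_ace(acl, "access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq www")
    add_ace(acl, "access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq 443")
    add_ace(acl, "access-list demo1 line 1 deny tcp host 10.1.0.2 any eq www")
    return acl

if __name__ == "__main__":
    acl = build_demo1()
    print("\n".join(show_access_list(acl)))
    # 192.0.2.10 is a documentation address used here as a constructed destination.
    for flow in [("tcp", "10.1.0.2", 40000, "192.0.2.10", 80),
                 ("tcp", "10.1.0.7", 40000, "192.0.2.10", 80),
                 ("tcp", "10.1.0.7", 40000, "192.0.2.10", 22)]:
        print(flow, "->", evaluate(acl, *flow))
```

Running it shows 10.1.0.2 hitting the deny at line 1, the rest of the subnet matching the permit at line 2, and SSH from the same subnet falling through to the implicit deny with no line number. Unlike the real appliance, this model renders a port entered as 443 back as 443 rather than https; the ordering, insertion and removal semantics are what it is meant to illustrate.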