Some News About How to Create and Manage Access Control

By: Adolphe Jean-Marie Mouron

How to Create and Manage Access-Control Lists on Cisco ASA and PIX Firewalls

Access Control Lists (ACLs) are sequential lists of permit and deny conditions applied to traffic flows on a device interface. ACLs match on various criteria, including protocol type, source IP address, destination IP address, source port number, and/or destination port number.

ACLs can be used to filter traffic for various purposes, including security, monitoring, route selection, and network address translation. ACLs are comprised of one or more Access Control Entries (ACEs). Each ACE is an individual line within an ACL.

ACLs on a Cisco ASA Security Appliance (or a PIX firewall running software version 7.x or later) are similar to those on a Cisco router, but not identical. Firewalls use real subnet masks instead of the inverted (wildcard) mask used on a router. ACLs on a firewall are always named instead of numbered and are assumed to be an extended list.

The syntax of an ACE is relatively straightforward:
ciscoasa(config)# access-list name [line number] [extended] {permit | deny} protocol source_IP_address source_netmask [operator source_port] destination_IP_address destination_netmask [operator destination_port] [log [[disable | default] | [level]] [interval seconds]] [time-range name] [inactive]

Here's an example:
asa(config)# access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq www
asa(config)# access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq 443
asa(config)# show access-list demo1
access-list demo1; 2 elements
access-list demo1 line 1 extended permit tcp 10.1.0.0 255.255.255.0 any eq www
access-list demo1 line 2 extended permit tcp 10.1.0.0 255.255.255.0 any eq https

In the above example, an ACL called "demo1" is created in which the first ACE permits TCP traffic originating on the 10.1.0.0 subnet to go to any destination IP address with the destination port of 80 (www). In the second ACE, the same traffic flow is permitted for destination port 443. Notice in the output of show access-list that line numbers are displayed and the extended parameter is also included, even though neither was included in the configuration statements.

You can deactivate an ACE without deleting it by appending the inactive option to the end of the line.

As with Cisco routers, there is an implicit "deny any" at the end of every ACL. Any traffic that is not explicitly permitted is implicitly denied.

**Editing ACLs and ACEs**

New ACEs are appended to the end of the ACL. If, however, you want to insert the new ACE at a particular location within the ACL, you can add the line number parameter to the ACE:

asa04(config)# access-list demo1 line 1 deny tcp host 10.1.0.2 any eq www
asa04(config)# show access-list demo1
access-list demo1; 3 elements
access-list demo1 line 1 extended deny tcp host 10.1.0.2 any eq www
access-list demo1 line 2 extended permit tcp 10.1.0.0 255.255.255.0 any eq www
access-list demo1 line 3 extended permit tcp 10.1.0.0 255.255.255.0 any eq https

Notice in the first line of the example above that an ACE is added at line one in the ACL. Notice in the output from the show access-list demo1 command that the new entry is added in the first position in the ACL and the former first entry becomes line number two. Because the firewall evaluates ACEs in order and stops at the first match, this placement matters: with the deny at line 1, host 10.1.0.2 is blocked from port 80 even though line 2 permits the whole 10.1.0.0 subnet.
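The following Python model of that first-match behaviour is added here as an illustration; it is not from the article and not a Cisco tool. It parses the ACE syntax subset used above, inserts at "line N" the way the ASA does (later entries shift down), and evaluates a flow against demo1 with the implicit deny at the end; it also treats protocol ip as a wildcard, a small generalization beyond the tcp lines shown. The names parse_ace, ACL and build_demo1, and the destination address 192.0.2.10 used in testing, are this example's own.

```python
import ipaddress
PORT_NAMES = {"www": 80, "http": 80, "https": 443}  # port keywords the ASA shows (subset used above)

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (a real subnet mask, not inverted)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_ace(line):
    """Parse 'access-list NAME [line N] [extended] {permit|deny} PROTO SRC DST [eq PORT]'."""
    tokens = line.split()[1:]                      # drop the access-list keyword
    name, lineno = tokens.pop(0), None
    if tokens[0] == "line": lineno, tokens = int(tokens[1]), tokens[2:]
    if tokens[0] == "extended": tokens = tokens[1:]
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst, port = _parse_addr(tokens), _parse_addr(tokens), None
    if tokens and tokens[0] == "eq":
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
    return name, lineno, {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

class ACL:
    def __init__(self):
        self.entries = []

    def add(self, line):
        _, lineno, ace = parse_ace(line)
        pos = len(self.entries) if lineno is None else lineno - 1  # append, or insert at 'line N'
        self.entries.insert(pos, ace)                               # later ACEs shift down one line

    def evaluate(self, proto, src_ip, dst_ip, dst_port):
        """First matching ACE wins and returns (action, line); no match is the implicit deny."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for n, ace in enumerate(self.entries, start=1):
            if (ace["proto"] in (proto, "ip") and s in ace["src"] and d in ace["dst"]
                    and ace["port"] in (None, dst_port)):
                return ace["action"], n
        return "deny", None

def build_demo1(deny_first=True):
    """Constructed sample: the article's demo1 ACL, host deny at line 1 (as above) or appended."""
    acl = ACL()
    acl.add("access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq www")
    acl.add("access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq 443")
    prefix = "access-list demo1 line 1 " if deny_first else "access-list demo1 "
    acl.add(prefix + "deny tcp host 10.1.0.2 any eq www")
    return acl
```

Calling build_demo1(deny_first=False) shows the trap: the same deny appended at the end never fires for 10.1.0.2, because line 1 already permits the whole subnet.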

You can remove an ACE from an ACL by preceding the ACE configuration statement with the modifier no, as in the following example:
asa04(config)# no access-list demo1 deny tcp host 10.1.0.2 any eq www

In my next article, I'll show you how to use time-ranges to apply access-control lists only at certain times and/or on certain days. I'll also show you how to use object-groups with access-control lists to simplify ACL management by grouping similar components such as IP addresses or protocols together.

Copyright (c) 2008 Don R. Crawley

Article Source: http://www.computer-programming.freearticledirectories.com
