How to Create and Manage Access-control Lists on Cisco Asa and Pix Firewalls

Copyright (c) 2008 Don R. Crawley

Access Control Lists (ACLs) are sequential lists of permit and deny conditions applied to traffic flows on a device interface. ACLs are based on various criteria including protocol type, source IP address, destination IP address, source port number, and/or destination port number.

ACLs can be used to filter traffic for various purposes including security, monitoring, route selection, and network address translation. An ACL is made up of one or more Access Control Entries (ACEs). Each ACE is an individual line within an ACL.

ACLs on a Cisco ASA Security Appliance (or a PIX firewall running software version 7.x or later) are similar to those on a Cisco router, but not identical. Firewalls use real subnet masks instead of the inverted (wildcard) mask used on a router. ACLs on a firewall are always named instead of numbered and are assumed to be an extended list.

The syntax of an ACE is relatively straightforward:

```
ciscoasa(config)# access-list name [line number] [extended] {permit | deny} protocol source_IP_address source_netmask [operator source_port] destination_IP_address destination_netmask [operator destination_port] [log [[disable | default] | [level]] [interval seconds]] [time-range name] [inactive]
```

Here's an example:

```
asa(config)# access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq www
asa(config)# access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq 443
asa(config)# show access-list demo1
access-list demo1; 2 elements
access-list demo1 line 1 extended permit tcp 10.1.0.0 255.255.255.0 any eq www
access-list demo1 line 2 extended permit tcp 10.1.0.0 255.255.255.0 any eq https
```

In the above example, an ACL called "demo1" is created in which the first ACE permits TCP traffic originating on the 10.1.0.0 subnet to go to any destination IP address with the destination port of 80 (www). In the second ACE, the same traffic flow is permitted for destination port 443. Notice in the output of show access-list that line numbers are displayed and the extended parameter is also included, even though neither was included in the configuration statements.

You can deactivate an ACE without deleting it by appending the inactive option to the end of the line.

As with Cisco routers, there is an implicit "deny any" at the end of every ACL. Any traffic that is not explicitly permitted is implicitly denied.

**Editing ACLs and ACEs**

New ACEs are appended to the end of the ACL. If, however, you want to insert the new ACE at a particular location within the ACL, you can add the line number parameter to the ACE:

```
asa04(config)# access-list demo1 line 1 deny tcp host 10.1.0.2 any eq www
asa04(config)# show access-list demo1
access-list demo1; 3 elements
access-list demo1 line 1 extended deny tcp host 10.1.0.2 any eq www
access-list demo1 line 2 extended permit tcp 10.1.0.0 255.255.255.0 any eq www
access-list demo1 line 3 extended permit tcp 10.1.0.0 255.255.255.0 any eq https
```

Notice in the first line of the example above that an ACE is added at line one in the ACL. Notice in the output from the show access-list demo1 command that the new entry is placed in the first position in the ACL and the former first entry becomes line number two. Because ACEs are evaluated in order, the host-specific deny at line 1 is now checked before the broader subnet permit that follows it.

You can remove an ACE from an ACL by preceding the ACE configuration statement with the modifier no, as in the following example:

```
asa04(config)# no access-list demo1 deny tcp host 10.1.0.2 any eq www
```

In my next article, I'll show you how to use time-ranges to apply access-control lists only at certain times and/or on certain days. I'll also show you how to use object-groups with access-control lists to simplify ACL management by grouping similar components such as IP addresses or protocols together.
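The list semantics the article walks through (real subnet masks rather than router wildcards, the assumed extended keyword, ordered first-match evaluation ending in an implicit deny, insertion with line N, deactivation with inactive, and removal with no) can be exercised in an offline model. The following Python is an added example written for this page; it is not code from the article or from Cisco. It models only the subset of ACE syntax shown above (any, host and address-plus-mask specs, the eq port operator, a handful of port keywords) and its sample statements, marked as constructed, replay the demo1 session from the text.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "smtp": 25}  # assumption: small subset of ASA keywords
PORT_DISPLAY = {v: k for k, v in PORT_NAMES.items()}

SAMPLE_STATEMENTS = [  # constructed: the demo1 statements as typed at the (config)# prompt
    "access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq www",
    "access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq 443",
    "access-list demo1 line 1 deny tcp host 10.1.0.2 any eq www",
]

def fmt_addr(net: ipaddress.IPv4Network) -> str:
    # Firewall address spec: any, host X, or address followed by its real subnet mask.
    return ("any" if net.prefixlen == 0 else f"host {net.network_address}"
            if net.prefixlen == 32 else f"{net.network_address} {net.netmask}")

def fmt_port(p: Optional[int]) -> str:
    return "" if p is None else f" eq {PORT_DISPLAY.get(p, p)}"

@dataclass
class ACE:
    action: str
    protocol: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]
    # Not part of equality, so 'no access-list ...' removes the ACE even if it was deactivated.
    inactive: bool = field(default=False, compare=False)

    def matches(self, proto: str, sip: str, sport: int, dip: str, dport: int) -> bool:
        return (not self.inactive and self.protocol in ("ip", proto)  # inactive entries never match
                and ipaddress.IPv4Address(sip) in self.src and ipaddress.IPv4Address(dip) in self.dst
                and self.src_port in (None, sport) and self.dst_port in (None, dport))

    def render(self) -> str:
        return (f"{self.action} {self.protocol} {fmt_addr(self.src)}{fmt_port(self.src_port)} "
                f"{fmt_addr(self.dst)}{fmt_port(self.dst_port)}" + (" inactive" if self.inactive else ""))

def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    # Consume 'any' | 'host A' | 'A MASK' (a real subnet mask, not a router wildcard).
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    # Consume an optional 'eq PORT'; only the eq operator is modelled.
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

class ACL:  # ordered, named ACL: first match wins; falling off the end is the implicit deny
    def __init__(self, name: str):
        self.name, self.entries = name, []

    def configure(self, statement: str) -> None:
        """Apply 'access-list NAME [line N] [extended] ...' or its 'no ...' form."""
        negate = statement.startswith("no ")
        tokens = statement.split()[1:] if negate else statement.split()
        i, line = 2, None                # tokens[0:2] are 'access-list NAME'
        if tokens[i] == "line":
            line, i = int(tokens[i + 1]), i + 2
        if tokens[i] == "extended":      # optional keyword: every firewall ACL is extended
            i += 1
        action, protocol, i = tokens[i], tokens[i + 1], i + 2
        src, i = _parse_addr(tokens, i)
        src_port, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dst_port, i = _parse_port(tokens, i)
        ace = ACE(action, protocol, src, src_port, dst, dst_port, "inactive" in tokens[i:])
        if negate:
            self.entries = [e for e in self.entries if e != ace]
        elif line is None:
            self.entries.append(ace)     # default: new ACEs go at the end
        else:                            # 'line N': insert there; later entries shift down
            self.entries.insert(min(line, len(self.entries) + 1) - 1, ace)

    def show(self) -> List[str]:
        # Mimic 'show access-list NAME': line numbers and 'extended' appear even if not typed.
        out = [f"access-list {self.name}; {len(self.entries)} elements"]
        for n, e in enumerate(self.entries, 1):
            out.append(f"access-list {self.name} line {n} extended {e.render()}")
        return out

    def evaluate(self, proto: str, sip: str, sport: int, dip: str, dport: int) -> Tuple[str, Optional[int]]:
        # (action, line) of the first matching ACE, or ('deny', None) for the implicit deny.
        for n, e in enumerate(self.entries, 1):
            if e.matches(proto, sip, sport, dip, dport):
                return e.action, n
        return "deny", None

def build_demo() -> ACL:
    acl = ACL("demo1")
    for stmt in SAMPLE_STATEMENTS:
        acl.configure(stmt)
    return acl
```

`build_demo().show()` reproduces the three-line listing from the editing example, and `evaluate()` reports which line decided a flow, or `None` when the implicit deny did. That distinction is the first thing to check when a flow you expected to be permitted is dropped: either an earlier, more specific deny is matching first, or no ACE matches at all.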