
Cisco ASA Access Lists Concepts and Configuration

http://www.ciscopress.com/articles/article.asp?p=2104953


By Sean Wilkins. Article is provided courtesy of Cisco Press. Date: Jun 27, 2013.


Article Description
Sean Wilkins reviews Cisco's Adaptive Security Appliance (ASA) implementation of access control lists (ACL or access list). He also covers ASA access list types, what they control, and a basic review of the configuration syntax used to apply them.


Overview
For those just getting into the network security arena, or into Cisco network security specifically, it can be a little interesting to wrap the mind around all the different technologies and features that can be used to secure the network. Along with these different tools comes a great amount of control that can be used to secure the intended target network (or networks). Of course, like anything else, it is easy to misconfigure a network security device; however, the difference between misconfiguring a router and misconfiguring a network security firewall is risk. Although the effects of misconfiguring a router can be felt by many, it typically affects the use of an authorized network; the misconfiguration of a network firewall can allow the unauthorized use of a private network, which greatly increases risk. This is what makes the correct configuration of these devices even more important. The purpose of this article is to review Cisco's Adaptive Security Appliance (ASA) implementation of access control lists (ACL or access list). This article covers ASA access list types, what they control, and a basic review of the configuration syntax used to apply them.

ASA ACL Types


Because many of the people who transition into Cisco network security have some amount of router experience, much of the review of available ASA ACL types will sound familiar. There are some differences, though, so pay attention to the little things.

Standard ACLs
Unlike on other platforms, the ASA does not support the use of standard ACLs for controlling traffic. They are used only in some limited Open Shortest Path First (OSPF) configurations.

Extended ACLs
The majority of ACLs implemented on an ASA will most likely use the extended ACL type. As with other platforms, the extended ACL is used to specify both source and destination and can include information about the specific protocol being matched. Note that, by default (implicit rule), the ASA does not allow traffic to flow from a lower-security interface to a higher-security interface. Unless a specific extended ACL is configured, no traffic can flow in this direction (although it is allowed in the other direction). The exception to this is when the traffic is returning for a connection established from the higher-security interface, but this applies only when the traffic protocol is TCP or UDP. (Internet Control Message Protocol [ICMP] requires a defined rule for both outgoing and returning traffic.)

EtherType ACLs
EtherType ACLs are used to control traffic that matches a specific EtherType. Note that when configuring an EtherType ACL there is an implicit deny attached. This EtherType ACL statement does not affect IP traffic that was already allowed through an extended ACL.

ASA ACL Configuration


Because the majority of ASA ACL configurations are going to be using an extended ACL type, this section focuses on the configuration of this type and shows an example of how they can be used to control some basic traffic. Table 1 shows the commands required to set up an extended ACL.


Table 1 - Extended ACL Configuration

Step 1. Enter privileged EXEC mode.
    asa> enable

Step 2. Enter global configuration mode.
    asa# configure terminal

Step 3. Create and configure an extended ACL entry (ACE). Repeat as needed.
    asa(config)# access-list acl-name extended {deny | permit} {protocol-name | protocol-number} {any | host source-ip-address | source-ip-address source-netmask} {any | host destination-ip-address | destination-ip-address destination-netmask} [operator port [port]]
    Note: This has been simplified to the most basic options for the purposes of this article. Note that masks are not inverse.

Step 4. Apply the ACL to the appropriate interface.
    asa(config)# access-group acl-name {in | out} interface interface-name
    Note: The interface-name is matched with the configured nameif value.

ASA ACL Configuration Example


To clarify the configuration of an extended ACL, this section goes over an example of how one can be used to control traffic, along with its interaction with the implicit ACL rules. The purpose of the sample configuration is to allow all IP traffic (including ICMP) from IP 172.16.1.10, which currently resides off of the Left interface, to IP 192.168.1.100, which currently resides off of the Right interface; this is shown in Figure 1.


Figure 1 - ASA ACL Topology Example

An important thing to keep in mind is the current configuration of the security levels. Remember that traffic going from a higher-security level to a lower-security level is permitted by default. The steps shown in Table 2 include all the steps that are required to put this ASA into this configuration.

Table 2

Step 1. Enter privileged EXEC mode.
    asa> enable

Step 2. Enter global configuration mode.
    asa# configure terminal

Step 3. Enter interface configuration mode.
    asa(config)# interface e0

Step 4. Configure an interface IP address.
    asa(config-if)# ip address 172.16.1.1 255.255.255.0

Step 5. Configure an interface name.
    asa(config-if)# nameif Left

Step 6. Configure an interface security level.
    asa(config-if)# security-level 50

Step 7. Enable the interface.
    asa(config-if)# no shutdown

Step 8. Enter interface configuration mode.
    asa(config-if)# interface e1

Step 9. Configure an interface IP address.
    asa(config-if)# ip address 192.168.1.1 255.255.255.0

Step 10. Configure an interface name.
    asa(config-if)# nameif Right

Step 11. Configure an interface security level.
    asa(config-if)# security-level 75

Step 12. Enable the interface.
    asa(config-if)# no shutdown

Step 13. Create and configure an extended ACL entry (ACE).
    asa(config)# access-list Left-to-Right extended permit ip host 172.16.1.10 host 192.168.1.100

Step 14. Apply the ACL to the appropriate interface.
    asa(config)# access-group Left-to-Right in interface Left
    Note: The interface-name is matched with the configured nameif value.

Note that an ACL entry was needed for traffic going from Left to Right. This is because the Left interface was configured with a security level that was lower than that of the Right interface. Remember, again, that traffic is permitted by default (this behavior can be altered) from higher-security levels to lower-security levels.
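As an added illustration of the rules the article describes (this is not the article's own code), the following Python model evaluates a new connection against the Figure 1 configuration: the inbound extended ACL with its implicit deny, and the security-level default that applies when no ACL is bound to the inbound interface. The regular expression, function names and simplifications (port operators and return traffic for established connections are ignored) are this example's own assumptions.

```python
"""Toy model of the ASA forwarding decision described in the article (added example,
not the article's own code). Covers only what the text describes: an inbound extended
ACL with the implicit deny, and the security-level default when no ACL is applied."""
import ipaddress
import re
# Matches the simplified access-list syntax from Table 1 (a trailing port operator is ignored).
ACE_RE = re.compile(
    r"access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)")

def parse_addr(spec):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; ASA masks are normal, not inverse."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    if str(net.netmask) != mask:  # ipaddress would silently accept a wildcard (inverse) mask
        raise ValueError(f"{mask} looks like an inverse mask; ASA masks are not inverse")
    return net

def parse_acl(lines):
    acls = {}  # ACL name -> list of ACEs in configuration order
    for line in lines:
        m = ACE_RE.match(line.strip())
        if m:
            acls.setdefault(m["name"], []).append(
                (m["action"], m["proto"], parse_addr(m["src"]), parse_addr(m["dst"])))
    return acls

def acl_decision(aces, proto, src, dst):
    """First matching ACE wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet in aces:
        if p in ("ip", proto) and s in snet and d in dnet:
            return action == "permit"
    return False

def permitted(levels, acls, groups, in_if, out_if, proto, src, dst):
    """Decide a new connection entering in_if and leaving out_if."""
    acl_name = groups.get((in_if, "in"))
    if acl_name is not None:  # an applied ACL replaces the security-level default
        return acl_decision(acls[acl_name], proto, src, dst)
    return levels[in_if] > levels[out_if]  # implicit rule: only higher -> lower is allowed

# Constructed from the article's Figure 1 / Table 2: nameif -> security-level, ACL, access-group.
LEVELS = {"Left": 50, "Right": 75}
ACLS = parse_acl(["access-list Left-to-Right extended permit ip host 172.16.1.10 host 192.168.1.100"])
GROUPS = {("Left", "in"): "Left-to-Right"}
```

With the ACL applied, only the one permitted host pair passes from Left to Right; any other Left-to-Right connection hits the implicit deny, while Right-to-Left connections still pass on the security-level default.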

Summary
For those with little or no experience, the idea of an ACL can be quite overwhelming. Ensure that enough time is taken when studying to understand how they work and how they are configured to get the intended results. For those looking for additional hands-on ASA experience, check out GNS3, which does have the capability to emulate an ASA environment (similar to Dynamips/Dynagen).

For those just getting into network security but who have some amount of Cisco device knowledge, the transition into the ASA platform is not quite as hard. Although a number of small differences exist between the routing/switching platforms and the ASA platform, they are certainly close enough that the learning curve should not be too steep. From this article, you should now have a basic understanding of ACLs on the ASA platform that you can call on when needed.
