DreamPirates DreamPirates

How to Configure Access Control Lists on a Cisco ASA 5500 Firewall

Author : Elizabeth Huston789
Publish Date : 2021-04-17 06:54:39
How to Configure Access Control Lists on a Cisco ASA 5500 Firewall

The Cisco ASA 5500 is the new Cisco firewall model series which followed the successful Cisco PIX firewall appliance. Cisco calls the ASA 5500 a "security appliance" instead of just a "hardware firewall", because the ASA is not just a firewall. This device combines several security functionalities, such as Intrusion Detection, Intrusion Prevention, Content Inspection, Botnet Inspection, in addition to the firewall functionality.

However, the core ASA functionality is to work as a high performance firewall. All the other security features are just complimentary services on top of the firewall functionality. Having said that, the purpose of a network firewall is to protect computer and IT resources from malicious sources by blocking and controlling traffic flow. The Cisco ASA firewall achieves this traffic control using Access Control Lists (ACL).

An ACL is a list of rules with permit or deny statements. Basically an Access Control List enforces the security policy on the network. The ACL (list of policy rules) is then applied to a firewall interface, either on the inbound or on the outbound traffic direction. If the ACL is applied on the inbound traffic direction (in), then the ACL is applied to traffic entering a firewall interface. The opposite happens for ACL applied to the outbound (out) direction.

The ACL permit or deny statements basically consist of source and destination IP addresses and ports. A permit ACL statement allows the specified source IP address/network to access the specified destination IP address/network. The opposite happens for deny ACL statements. At the end of the ACL, the firewall inserts by default an implicit DENY ALL statement rule which is not visible in the configuration.

Enough theory so far. Let us see some examples below to clarify what we have said above.

The basic command format of the Access Control List is the following:

ciscoasa(config)# access-list "access_list_name" extended {deny | permit} protocol "source_address" "mask" [source_port] "dest_address" "mask" [ dest_port]
To apply the ACL on a specific interface use the access-group command as below:
ciscoasa(config)# access-group "access_list_name" [in|out] interface "interface_name"

Example1:
Allow only http traffic from inside network 10.0.0.0/24 to outside internet

ciscoasa(config)# access-list HTTP-ONLY extended permit tcp 10.0.0.0 255.255.255.0 any eq 80
ciscoasa(config)# access-group HTTP-ONLY in interface inside

The name "HTTP-ONLY" is the Access Control List itself, which in our example contains only one permit rule statement. Remember that there is an implicit DENY ALL rule at the end of the ACL which is not shown by default.

Example2:
Deny telnet traffic from host 10.1.1.1 to host 10.2.2.2 and allow everything else.

ciscoasa(config)# access-list DENY-TELNET extended deny tcp host 10.1.1.1 host 10.2.2.2 eq 23
ciscoasa(config)# access-list DENY-TELNET extended permit ip host 10.1.1.1 host 10.2.2.2
ciscoasa(config)# access-group DENY-TELNET in interface inside

The above example ACL (DENY-TELNET) contains two rule statements, one deny and one permit. As we mentioned above, the "access-group" command applies the ACL to an interface (either to an inbound or to an outbound direction).

Example3:
The example below will deny ALL TCP traffic from our internal network 192.168.1.0/24 towards the external network 200.1.1.0/24. Also, it will deny HTTP traffic (port 80) from our internal network to the external host 210.1.1.1. All other traffic will be permitted from inside.

 

https://exedprograms.kellogg.northwestern.edu/eportfolios/1333/Home/Real_GPHR_Exam
https://exedprograms.kellogg.northwestern.edu/eportfolios/1333/Home/Ideal_GR1_Exam
https://exedprograms.kellogg.northwestern.edu/eportfolios/1333/Home/Visionary_GSEC_Exam
https://exedprograms.kellogg.northwestern.edu/eportfolios/1333/Home/Ideal_GSuite_Exam
https://exedprograms.kellogg.northwestern.edu/eportfolios/1333/Home/Ideal_H11828_Exam

 

 

ciscoasa(config)# access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 200.1.1.0 255.255.255.0
ciscoasa(config)# access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 host 210.1.1.1 eq 80
ciscoasa(config)# access-list INSIDE_IN extended permit ip any any
ciscoasa(config)# access-group INSIDE_IN in interface inside

Harris Andrea is a Cisco Certified Professional ( CCNA Certification, CCNP, CCSP) with more than 10 years experience in the networking field. He is currently employed as a senior network engineer in a leading ISP company. He has designed and implemented several projects involving Cisco ASA firewalls and other Cisco products and technologies.

You can visit his website below for more information about Cisco products and solutions. You can also learn how to configure any Cisco ASA 5500 Firewall Here.
The Cisco ASA 5500 is the new Cisco firewall model series which followed the successful Cisco PIX firewall appliance. Cisco calls the ASA 5500 a "security appliance" instead of just a "hardware firewall", because the ASA is not just a firewall. This device combines several security functionalities, such as Intrusion Detection, Intrusion Prevention, Content Inspection, Botnet Inspection, in addition to the firewall functionality.

However, the core ASA functionality is to work as a high performance firewall. All the other security features are just complimentary services on top of the firewall functionality. Having said that, the purpose of a network firewall is to protect computer and IT resources from malicious sources by blocking and controlling traffic flow. The Cisco ASA firewall achieves this traffic control using Access Control Lists (ACL).

An ACL is a list of rules with permit or deny statements. Basically an Access Control List enforces the security policy on the network. The ACL (list of policy rules) is then applied to a firewall interface, either on the inbound or on the outbound traffic direction. If the ACL is applied on the inbound traffic direction (in), then the ACL is applied to traffic entering a firewall interface. The opposite happens for ACL applied to the outbound (out) direction.

The ACL permit or deny statements basically consist of source and destination IP addresses and ports. A permit ACL statement allows the specified source IP address/network to access the specified destination IP address/network. The opposite happens for deny ACL statements. At the end of the ACL, the firewall inserts by default an implicit DENY ALL statement rule which is not visible in the configuration.

Enough theory so far. Let us see some examples below to clarify what we have said above.

The basic command format of the Access Control List is the following:

ciscoasa(config)# access-list "access_list_name" extended {deny | permit} protocol "source_address" "mask" [source_port] "dest_address" "mask" [ dest_port]
To apply the ACL on a specific interface use the access-group command as below:
ciscoasa(config)# access-group "access_list_name" [in|out] interface "interface_name"

Example1:
Allow only http traffic from inside network 10.0.0.0/24 to outside internet

ciscoasa(config)# access-list HTTP-ONLY extended permit tcp 10.0.0.0 255.255.255.0 any eq 80
ciscoasa(config)# access-group HTTP-ONLY in interface inside

The name "HTTP-ONLY" is the Access Control List itself, which in our example contains only one permit rule statement. Remember that there is an implicit DENY ALL rule at the end of the ACL which is not shown by default.

Example2:
Deny telnet traffic from host 10.1.1.1 to host 10.2.2.2 and allow everything else.

ciscoasa(config)# access-list DENY-TELNET extended deny tcp host 10.1.1.1 host 10.2.2.2 eq 23
ciscoasa(config)# access-list DENY-TELNET extended permit ip host 10.1.1.1 host 10.2.2.2
ciscoasa(config)# access-group DENY-TELNET in interface inside

The above example ACL (DENY-TELNET) contains two rule statements, one deny and one permit. As we mentioned above, the "access-group" command applies the ACL to an interface (either to an inbound or to an outbound direction).

Example3:
The example below will deny ALL TCP traffic from our internal network 192.168.1.0/24 towards the external network 200.1.1.0/24. Also, it will deny HTTP traffic (port 80) from our internal network to the external host 210.1.1.1. All other traffic will be permitted from inside.

ciscoasa(config)# access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 200.1.1.0 255.255.255.0
ciscoasa(config)# access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 host 210.1.1.1 eq 80
ciscoasa(config)# access-list INSIDE_IN extended permit ip any any
ciscoasa(config)# access-group INSIDE_IN in interface inside

Harris Andrea is a Cisco Certified Professional ( CCNA Certification, CCNP, CCSP) with more than 10 years experience in the networking field. He is currently employed as a senior network engineer in a leading ISP company. He has designed and implemented several projects involving Cisco ASA firewalls and other Cisco products and technologies.

You can visit his website below for more information about Cisco products and solutions. You can also learn how to configure any Cisco ASA 5500 Firewall Here.



Category : general

Real P_S4FIN_1909 Test vce Braindumps

Real P_S4FIN_1909 Test vce Braindumps

- Certified Application Associate SAP Certified Application Associate - SAP SuccessFactors Performance and Goal Management 1H/2020 Exam of their variety.


Difference Between Concrete and Cement

Difference Between Concrete and Cement

- Here In this article i will provide you difference between concrete and cement. Find the difference between concrete and cement..


CRM Software - Comparing Microsoft Dynamics CRM To Salesforce

CRM Software - Comparing Microsoft Dynamics CRM To Salesforce

- CRM Software solutions are an integral part of the sales, marketing and customer service of most organisations. Today, CRM Software dwells far further than thes


Microsoft Dynamics GP Great Plains Technology Notes - Net, C#, eConnect

Microsoft Dynamics GP Great Plains Technology Notes - Net, C#, eConnect

- Microsoft Great Plains or current product name is Microsoft Dynamics GP, resent version is 10.0, just released in July 2007. Great Plains came the long way, bei