DreamPirates DreamPirates

How to Configure Access Control Lists on a Cisco ASA 5500 Firewall

Author : Elizabeth Huston789
Publish Date : 2021-04-17 06:54:39
How to Configure Access Control Lists on a Cisco ASA 5500 Firewall

The Cisco ASA 5500 is the new Cisco firewall model series which followed the successful Cisco PIX firewall appliance. Cisco calls the ASA 5500 a "security appliance" instead of just a "hardware firewall", because the ASA is not just a firewall. This device combines several security functionalities, such as Intrusion Detection, Intrusion Prevention, Content Inspection, Botnet Inspection, in addition to the firewall functionality.

However, the core ASA functionality is to work as a high performance firewall. All the other security features are just complimentary services on top of the firewall functionality. Having said that, the purpose of a network firewall is to protect computer and IT resources from malicious sources by blocking and controlling traffic flow. The Cisco ASA firewall achieves this traffic control using Access Control Lists (ACL).

An ACL is a list of rules with permit or deny statements. Basically an Access Control List enforces the security policy on the network. The ACL (list of policy rules) is then applied to a firewall interface, either on the inbound or on the outbound traffic direction. If the ACL is applied on the inbound traffic direction (in), then the ACL is applied to traffic entering a firewall interface. The opposite happens for ACL applied to the outbound (out) direction.

The ACL permit or deny statements basically consist of source and destination IP addresses and ports. A permit ACL statement allows the specified source IP address/network to access the specified destination IP address/network. The opposite happens for deny ACL statements. At the end of the ACL, the firewall inserts by default an implicit DENY ALL statement rule which is not visible in the configuration.

Enough theory so far. Let us see some examples below to clarify what we have said above.

The basic command format of the Access Control List is the following:

ciscoasa(config)# access-list "access_list_name" extended {deny | permit} protocol "source_address" "mask" [source_port] "dest_address" "mask" [ dest_port]
To apply the ACL on a specific interface use the access-group command as below:
ciscoasa(config)# access-group "access_list_name" [in|out] interface "interface_name"

Example1:
Allow only http traffic from inside network 10.0.0.0/24 to outside internet

ciscoasa(config)# access-list HTTP-ONLY extended permit tcp 10.0.0.0 255.255.255.0 any eq 80
ciscoasa(config)# access-group HTTP-ONLY in interface inside

The name "HTTP-ONLY" is the Access Control List itself, which in our example contains only one permit rule statement. Remember that there is an implicit DENY ALL rule at the end of the ACL which is not shown by default.

Example2:
Deny telnet traffic from host 10.1.1.1 to host 10.2.2.2 and allow everything else.

ciscoasa(config)# access-list DENY-TELNET extended deny tcp host 10.1.1.1 host 10.2.2.2 eq 23
ciscoasa(config)# access-list DENY-TELNET extended permit ip host 10.1.1.1 host 10.2.2.2
ciscoasa(config)# access-group DENY-TELNET in interface inside

The above example ACL (DENY-TELNET) contains two rule statements, one deny and one permit. As we mentioned above, the "access-group" command applies the ACL to an interface (either to an inbound or to an outbound direction).

Example3:
The example below will deny ALL TCP traffic from our internal network 192.168.1.0/24 towards the external network 200.1.1.0/24. Also, it will deny HTTP traffic (port 80) from our internal network to the external host 210.1.1.1. All other traffic will be permitted from inside.

 

https://exedprograms.kellogg.northwestern.edu/eportfolios/1333/Home/Real_GPHR_Exam
https://exedprograms.kellogg.northwestern.edu/eportfolios/1333/Home/Ideal_GR1_Exam
https://exedprograms.kellogg.northwestern.edu/eportfolios/1333/Home/Visionary_GSEC_Exam
https://exedprograms.kellogg.northwestern.edu/eportfolios/1333/Home/Ideal_GSuite_Exam
https://exedprograms.kellogg.northwestern.edu/eportfolios/1333/Home/Ideal_H11828_Exam

 

 

ciscoasa(config)# access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 200.1.1.0 255.255.255.0
ciscoasa(config)# access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 host 210.1.1.1 eq 80
ciscoasa(config)# access-list INSIDE_IN extended permit ip any any
ciscoasa(config)# access-group INSIDE_IN in interface inside

Harris Andrea is a Cisco Certified Professional ( CCNA Certification, CCNP, CCSP) with more than 10 years experience in the networking field. He is currently employed as a senior network engineer in a leading ISP company. He has designed and implemented several projects involving Cisco ASA firewalls and other Cisco products and technologies.

You can visit his website below for more information about Cisco products and solutions. You can also learn how to configure any Cisco ASA 5500 Firewall Here.
The Cisco ASA 5500 is the new Cisco firewall model series which followed the successful Cisco PIX firewall appliance. Cisco calls the ASA 5500 a "security appliance" instead of just a "hardware firewall", because the ASA is not just a firewall. This device combines several security functionalities, such as Intrusion Detection, Intrusion Prevention, Content Inspection, Botnet Inspection, in addition to the firewall functionality.

However, the core ASA functionality is to work as a high performance firewall. All the other security features are just complimentary services on top of the firewall functionality. Having said that, the purpose of a network firewall is to protect computer and IT resources from malicious sources by blocking and controlling traffic flow. The Cisco ASA firewall achieves this traffic control using Access Control Lists (ACL).

An ACL is a list of rules with permit or deny statements. Basically an Access Control List enforces the security policy on the network. The ACL (list of policy rules) is then applied to a firewall interface, either on the inbound or on the outbound traffic direction. If the ACL is applied on the inbound traffic direction (in), then the ACL is applied to traffic entering a firewall interface. The opposite happens for ACL applied to the outbound (out) direction.

The ACL permit or deny statements basically consist of source and destination IP addresses and ports. A permit ACL statement allows the specified source IP address/network to access the specified destination IP address/network. The opposite happens for deny ACL statements. At the end of the ACL, the firewall inserts by default an implicit DENY ALL statement rule which is not visible in the configuration.

Enough theory so far. Let us see some examples below to clarify what we have said above.

The basic command format of the Access Control List is the following:

ciscoasa(config)# access-list "access_list_name" extended {deny | permit} protocol "source_address" "mask" [source_port] "dest_address" "mask" [ dest_port]
To apply the ACL on a specific interface use the access-group command as below:
ciscoasa(config)# access-group "access_list_name" [in|out] interface "interface_name"

Example1:
Allow only http traffic from inside network 10.0.0.0/24 to outside internet

ciscoasa(config)# access-list HTTP-ONLY extended permit tcp 10.0.0.0 255.255.255.0 any eq 80
ciscoasa(config)# access-group HTTP-ONLY in interface inside

The name "HTTP-ONLY" is the Access Control List itself, which in our example contains only one permit rule statement. Remember that there is an implicit DENY ALL rule at the end of the ACL which is not shown by default.

Example2:
Deny telnet traffic from host 10.1.1.1 to host 10.2.2.2 and allow everything else.

ciscoasa(config)# access-list DENY-TELNET extended deny tcp host 10.1.1.1 host 10.2.2.2 eq 23
ciscoasa(config)# access-list DENY-TELNET extended permit ip host 10.1.1.1 host 10.2.2.2
ciscoasa(config)# access-group DENY-TELNET in interface inside

The above example ACL (DENY-TELNET) contains two rule statements, one deny and one permit. As we mentioned above, the "access-group" command applies the ACL to an interface (either to an inbound or to an outbound direction).

Example3:
The example below will deny ALL TCP traffic from our internal network 192.168.1.0/24 towards the external network 200.1.1.0/24. Also, it will deny HTTP traffic (port 80) from our internal network to the external host 210.1.1.1. All other traffic will be permitted from inside.

ciscoasa(config)# access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 200.1.1.0 255.255.255.0
ciscoasa(config)# access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 host 210.1.1.1 eq 80
ciscoasa(config)# access-list INSIDE_IN extended permit ip any any
ciscoasa(config)# access-group INSIDE_IN in interface inside

Harris Andrea is a Cisco Certified Professional ( CCNA Certification, CCNP, CCSP) with more than 10 years experience in the networking field. He is currently employed as a senior network engineer in a leading ISP company. He has designed and implemented several projects involving Cisco ASA firewalls and other Cisco products and technologies.

You can visit his website below for more information about Cisco products and solutions. You can also learn how to configure any Cisco ASA 5500 Firewall Here.



Category : general

Pick School in Abu Dhabi Smartly for your Child

Pick School in Abu Dhabi Smartly for your Child

- Before you pick an international school for your children, look at these reliably disregarded pointers from genuine guardians like you.


New and Emerging IT Certifications - Portfolio 2013

New and Emerging IT Certifications - Portfolio 2013

- The newly launched and latest IT certifications speak volumes to the prospective hiring managers. Besides, validating your skills for prospective employers.


Microsoft Certified Partners - The Basics Explained

Microsoft Certified Partners - The Basics Explained

- Have you seen the term Microsoft Certified Partner or MCP and not known what it meant? An MCP is an independent company that offers its clients Microsoft relate


If an individual focuses on familial skills such as Music

If an individual focuses on familial skills such as Music

- Education is equally important but without skills it is ineffective to transform either individual or organization. Individuals excel