
Access Control Lists (extended)


An Access Control List, or ACL, is a technique for controlling network traffic. It is a list of rules with which traffic flow can be manipulated - permitted or denied. By default, traffic from an interface with a higher security level (for example the "inside" interface) to an interface with a lower security level (for example the "outside" interface) is allowed, but traffic from "outside" to the "inside" interface must be explicitly permitted.

The syntax of an extended ACL is:
access-list name extended permit | deny protocol source_IP destination_IP eq | gt | lt port

In the example below, "outside_in" is the name of the ACL, followed by the keyword "extended", which defines the type of ACL. After that follows the permit | deny statement. "tcp" defines the protocol (it can also be udp, icmp, ip ...). "any" is the source_IP: it can be a real IP address followed by the subnet mask, the keyword "host" followed by the IP address of a specific host, or the keyword "any", as in our example, which matches any address. 88.134.155.11 is the destination_IP, and "eq" stands for "equal", here to the ftp port 21. In other words, this access-list allows tcp traffic from any outside address to 88.134.155.11 on port 21.

With the access-group command, the ACL "outside_in" is bound to the "outside" interface in the inbound direction. An ACL needs to be bound to an interface only once:


ASA1(config)#access-list outside_in extended permit tcp any host 88.134.155.11 eq ftp
ASA1(config)#access-group outside_in in interface outside

If you want to list all rules in a specific access-list, use show access-list followed by the access-list name:

ASA1#show access-list outside_in
access-list outside_in line 13 extended permit icmp any host 88.134.155.11 (hitcnt=7136) 0xb06cf1cf
access-list outside_in line 14 extended permit icmp any host 88.134.155.11 (hitcnt=4966) 0xa57a0327
access-list outside_in line 15 extended permit ip any host 88.134.155.12 (hitcnt=0) 0x0e84c7a9
access-list outside_in line 16 extended permit tcp any host 88.134.155.12 eq 3389 (hitcnt=0) 0xaa7f0a7f

Rules in an ACL are checked sequentially from top to bottom. Every rule in the ACL has a line number, and rules with a lower line number are processed first. Every access-list also has a built-in implicit "deny all" statement at the end, which is not visible in the "show access-list" output. This means that only explicitly permitted traffic is allowed.

If you want to deny traffic from a specific address, for example from 78.234.5.22, you have to insert that rule into the ACL before the "permit" rule that allows all traffic:

ASA1(config)#access-list outside_in line 13 extended deny ip host 78.234.5.22 host 88.134.155.12
ASA1#
ASA1#show access-list outside_in
access-list outside_in line 13 extended deny ip host 78.234.5.22 host 88.134.155.12 (hitcnt=0) 0xb06cf1cf
access-list outside_in line 14 extended permit icmp any host 88.134.155.11 (hitcnt=7136) 0xb06cf1cf
access-list outside_in line 15 extended permit icmp any host 88.134.155.11 (hitcnt=4966) 0xa57a0327
access-list outside_in line 16 extended permit ip any host 88.134.155.12 (hitcnt=0) 0x0e84c7a9
access-list outside_in line 17 extended permit tcp any host 88.134.155.12 eq 3389 (hitcnt=0) 0xaa7f0a7f

Let's see a couple more examples.
Deny all traffic from the 209.165.211.0 255.255.255.240 subnet:

ASA1(config)#access-list outside_in line 1 extended deny ip 209.165.211.0 255.255.255.240 host 88.134.155.12

Deny web traffic from the 209.165.221.0 255.255.255.0 subnet to 88.134.155.12:

ASA1(config)#access-list outside_in line 1 extended deny tcp 209.165.221.0 255.255.255.0 host 88.134.155.12 eq 80

Allow all traffic to ports greater than 11000 to address 88.134.155.12: 

ASA1(config)#access-list outside_in extended permit tcp any host 88.134.155.12 gt 11000

Allow icmp traffic from 88.134.155.12 to 149.145.221.34: 

ASA1(config)#access-list outside_in extended permit icmp host 149.145.221.34 host 88.134.155.12

Allow traffic to address 88.134.155.12 on the port range 11500-11600:

ASA1(config)#access-list outside_in extended deny tcp any host 88.134.155.12 gt 11600
ASA1(config)#access-list outside_in extended permit tcp any host 88.134.155.12 gt 11500
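Because the effect of an ACL depends on rule order, "line N" insertion and the invisible implicit deny, it helps to check a policy offline before applying it. The following is an added example, not code from the original post or from Cisco: a small evaluator for the access-list syntax used on this page that applies rules top-down exactly as described above, with a constructed ACL and constructed sample addresses. It also shows that the 11500-11600 pair above actually admits 11501-11600, because "gt" is strictly greater than.

```python
import ipaddress, operator
from collections import namedtuple
# Rule fields mirror the ASA syntax on this page; 'line' is the position keyword, if given.
Rule = namedtuple("Rule", "line action proto src dst op port")
PORT_NAMES = {"ftp": 21, "www": 80}                         # named ports used on this page
OPS = {"eq": operator.eq, "gt": operator.gt, "lt": operator.lt}

def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse_acl(config):
    """Parse 'access-list NAME [line N] extended ACTION PROTO SRC DST [eq|gt|lt PORT]' lines."""
    rules = []
    for raw in config.strip().splitlines():
        tok = raw.split()[2:]                               # drop 'access-list NAME'
        line = int(tok[1]) if tok[0] == "line" else None
        tok = tok[2:] if line else tok
        assert tok.pop(0) == "extended"
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _addr(tok), _addr(tok)
        op, port = (tok[0], int(PORT_NAMES.get(tok[1], tok[1]))) if tok else (None, None)
        rule = Rule(line, action, proto, src, dst, op, port)
        # 'line N' inserts at position N and pushes later rules down; otherwise append.
        rules.insert(len(rules) if line is None else line - 1, rule)
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """Top-down, first match wins; no match falls through to the implicit 'deny all'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("ip", proto) or s not in r.src or d not in r.dst:
            continue                                        # 'ip' matches every protocol
        if r.op and (dport is None or not OPS[r.op](dport, r.port)):
            continue                                        # port operator did not match
        return r.action
    return "deny"                                           # implicit deny all

# Constructed ACL in the page's syntax: the deny is inserted at line 1 after the permits exist.
SAMPLE_ACL = """
access-list outside_in extended permit tcp any host 88.134.155.11 eq ftp
access-list outside_in extended deny tcp any host 88.134.155.12 gt 11600
access-list outside_in extended permit tcp any host 88.134.155.12 gt 11500
access-list outside_in line 1 extended deny ip host 78.234.5.22 host 88.134.155.11
"""
RULES = parse_acl(SAMPLE_ACL)
```

Feeding evaluate() the flows you intend to allow and the ones you intend to block, before the access-group step, catches a mis-ordered deny or a forgotten protocol while the hit counters are still zero.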
