Get a better and safer maibox


 

mail-vault.net keyword stats



Most current MSN search phrases:

mailbox common
great Unique Mailboxes

How to Create and Manage Access-control Lists on Cisco Asa and Pix Firewalls

Copyright  (c)  2008  Don  R.  Crawleydestination port 443. Notice in the output
of the show access-list that line numbers are
Access Control Lists (ACLs) are sequentialdisplayed and the extended parameter is also
lists of permit and deny conditions appliedincluded, even though neither was included in
to traffic flows on a device interface. ACLsthe  configuration  statements.
are based on various criteria including
protocol type source IP address, destinationYou can deactivate an ACE without deleting it
IP address, source port number, and/orby appending the inactive option to the end
destination  port  number.of  the  line.
ACLs can be used to filter traffic forAs with Cisco routers, there is an implicit
various purposes including security,"deny any" at the end of every ACL. Any
monitoring, route selection, and networktraffic that is not explicitly permitted is
address translation. ACLs are comprised ofimplicitly  denied.
one or more Access Control Entries (ACEs).
Each ACE is an individual line within an ACL.**Editing  ACLs  and  ACEs**
ACLs on a Cisco ASA Security Appliance (or aNew ACEs are appended to the end of the ACL.
PIX firewall running software version 7.x orIf you want, however, to insert the new ACE
later) are similar to those on a Ciscoat a particular location within the ACL, you
router, but not identical. Firewalls usecan add the line number parameter to the
real subnet masks instead of the invertedACE:asa04(config)# access-list demo1 line 1
mask used on a router. ACLs on a firewalldeny tcp host 10.1.0.2 any eq
are always named instead of numbered and arewwwasa04(config)# show access-list
assumed  to  be  an  extended  list.demo1access-list demo1; 3 elementsaccess-list
demo1 line 1 extended deny tcp host 10.1.0.2
The syntax of an ACE is relativelyany eq wwwaccess-list demo1 line 2 extended
straight-forward:permit tcp 10.1.0.0 255.255.255.0 any eq
wwwaccess-list demo1 line 3 extended permit
Ciscoasa(config)#access-list name [linetcp  10.1.0.0  255.255.255.0  any  eq  https
number] [extended] {permit | deny} protocol
source_IP_address source_netmask [operatorNotice in the first line of the example above
source_port] destination_IP_addressthat an ACE is added at line one in the ACL.
destination_netmask [operatorNotice in the output from the show
destination_port] [log [[disable | default] |access-list demo1 command that the new entry
[level]] [interval seconds]] [time-rangeis added in the first position in the ACL and
name]  [inactive]the former first entry becomes line number
two.
Here's an example:asa(config)# access-list
demo1 permit tcp 10.1.0.0 255.255.255.0 anyYou can remove an ACE from an ACL by
eq wwwasa(config)# access-list demo1 permitpreceding the ACE configuration statement
tcp 10.1.0.0 255.255.255.0 any eqwith the modifier no, as in the following
443asa(config)# show access-listexample:
demo1access-list demo1; 2 elementsaccess-list
demo1 line 1 extended permit tcp 10.1.0.0Asa04(config)#no access-list demo1 deny tcp
255.255.255.0 any eq wwwaccess-list demo1host  10.10.2  any  eq  www
line 2 extended permit tcp 10.1.0.0
255.255.255.0  any  eq  httpsIn my next article, I'll show you how to use
time-ranges to apply access-control lists
In the above example, an ACL called "demo1"only at certain times and/or on certain days.
is created in which the first ACE permits TCPI'll also show you how to use object-groups
traffic originating on the 10.1.0.0 subnet towith access-control lists to simplify ACL
go to any destination IP address with themanagement by grouping similar components
destination port of 80 (www). In the secondsuch as IP addresses or protocols together.
ACE, the same traffic flow is permitted for



1 A B C D E 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126