The Cisco ASA firewall uses access-lists that are similar to the ones on IOS routers and switches.
If you have no idea how access-lists work, it's best to read my introduction to access-lists
first.
Without any access-lists, the ASA allows traffic from a higher security level to a lower
security level and drops everything else. If you have no idea what security levels on the ASA
are about, read this post first.
Access-lists are created globally and then applied to an interface with the access-group command.
They can be applied inbound or outbound, where "inbound" and "outbound" are relative to the
interface (traffic entering or leaving it), not to the security levels.
There are a couple of things you should know about access-lists on the ASA:
- When you create an ACL statement for outbound traffic (higher to lower security level), the
  source IP address is the real address of the host or network (not the NAT translated one).
- When you create an ACL statement for inbound traffic (lower to higher security level), the
  destination IP address has to be:
Keep in mind that the address an access-list refers to depends on the ASA version: since ASA 8.3,
access-lists use the real (untranslated) addresses in both directions.
Let's take a look at some examples of how we can use access-lists. I'll be using this topology:
We have three devices, R1 on the inside, R2 on the outside and R3 in the DMZ. This means that
by default the following traffic is allowed:
Let's start with an example where we restrict traffic from the inside, since by default all of it
is allowed.
This traffic is allowed by default, so let's create an access-list that restricts HTTP traffic. We'll
make sure that users on the inside are not allowed to connect to the HTTP server on R2.
All other traffic will be permitted:
ASA1(config)# access-list INSIDE_INBOUND deny tcp any host 192.168.2.2 eq 80
ASA1(config)# access-list INSIDE_INBOUND permit ip any any
The access-group command applies the access-list called INSIDE_INBOUND to traffic entering the
INSIDE interface, so it filters what inside hosts send towards the lower-security interfaces. The
final permit ip any any is required: once an access-list is applied to an interface, the implicit
deny at its end replaces the default higher-to-lower permission, so without it all other inside
traffic would be dropped as well. Let's see if we can still reach the HTTP server on R2:
R1#telnet 192.168.2.2 80
Trying 192.168.2.2, 80 ...
% Connection refused by remote host
As expected, the ASA drops this packet because of our deny statement. An access-list like this is
useful to deny selected traffic from inside hosts that is headed towards the Internet or the DMZ.
Let's continue with another example:
This access-list will permit traffic from any source to IP address 192.168.3.3 on TCP port 23
(telnet). Without it, nothing from the outside (the lowest security level) can reach R3 in the DMZ.
Let's activate it:
ASA1(config)# access-group OUTSIDE_INBOUND in interface OUTSIDE
The access-list is now applied to inbound traffic on the OUTSIDE interface, so it decides what is
allowed in from the outside; anything it does not explicitly permit is dropped by the implicit
deny. Let's test it by telnetting from R2 to R3:
R2#telnet 192.168.3.3
Great, we are able to connect from R2 to R3. Let's verify this on the ASA:
ASA1# show access-list OUTSIDE_INBOUND
access-list OUTSIDE_INBOUND; 1 elements; name hash: 0x82be59f0
access-list OUTSIDE_INBOUND line 1 extended permit tcp any host 192.168.3.3 eq telnet (hitcnt=1) 0x19e795c8
You can see that we have a hit on our permit statement (the ASA shows port 23 by its well-known
name, telnet). Last but not least, let's take a look at an example where we use an access-list
for outbound traffic
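To make the evaluation order explicit, here is an added Python model of how ASA1 treats the two access-lists configured above (INSIDE_INBOUND and OUTSIDE_INBOUND). This is example code written for this page, not code from the original post or from Cisco. It assumes security levels of 100 (INSIDE), 0 (OUTSIDE) and 50 (DMZ), an inside subnet of 192.168.1.0/24 with R1 at 192.168.1.1 (the post only gives R2 as 192.168.2.2 and R3 as 192.168.3.3), and a per-entry hit counter like the one `show access-list` prints. It goes a little beyond the post by also modelling the implicit deny, the same-security-level case and an outbound access-group.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Assumed security levels: the post never prints them. 100 and 0 are the ASA
# defaults for interfaces named inside/outside; 50 is a common DMZ choice.
SECURITY_LEVEL = {"INSIDE": 100, "OUTSIDE": 0, "DMZ": 50}

# Constructed routing table. R2 (192.168.2.2) and R3 (192.168.3.3) use the
# addresses from the post; the inside subnet and R1's 192.168.1.1 are assumed.
ROUTES = {
    "INSIDE": ipaddress.ip_network("192.168.1.0/24"),
    "OUTSIDE": ipaddress.ip_network("192.168.2.0/24"),
    "DMZ": ipaddress.ip_network("192.168.3.0/24"),
}


def egress_interface(dst: str) -> str:
    for name, net in ROUTES.items():
        if ipaddress.ip_address(dst) in net:
            return name
    raise ValueError(f"no route to {dst}")


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


@dataclass
class Ace:
    """One access-list entry, e.g. 'deny tcp any host 192.168.2.2 eq 80'."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # "any", a host address or a prefix
    dst: str
    dport: Optional[int] = None
    hitcnt: int = 0             # what 'show access-list' reports as hitcnt

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not (_addr_match(self.src, pkt["src"]) and _addr_match(self.dst, pkt["dst"])):
            return False
        return self.dport is None or self.dport == pkt.get("dport")


@dataclass
class Asa:
    acls: dict = field(default_factory=dict)           # name -> [Ace, ...]
    access_groups: dict = field(default_factory=dict)  # (iface, "in"|"out") -> name

    def access_list(self, name, action, proto, src, dst, dport=None):
        self.acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))

    def access_group(self, name, direction, iface):
        self.access_groups[(iface, direction)] = name

    def _evaluate(self, name: str, pkt: dict) -> bool:
        # Entries are checked top-down and the first match wins; an applied
        # ACL ends with an implicit "deny ip any any".
        for ace in self.acls[name]:
            if ace.matches(pkt):
                ace.hitcnt += 1
                return ace.action == "permit"
        return False

    def forward(self, pkt: dict) -> bool:
        ingress, egress = pkt["iface"], egress_interface(pkt["dst"])
        inbound = self.access_groups.get((ingress, "in"))
        if inbound is not None:
            if not self._evaluate(inbound, pkt):
                return False
        elif SECURITY_LEVEL[ingress] <= SECURITY_LEVEL[egress]:
            # No inbound ACL on this interface: only higher-to-lower traffic
            # passes by default; equal levels are dropped too unless
            # same-security-traffic is enabled (not modelled here).
            return False
        outbound = self.access_groups.get((egress, "out"))
        return outbound is None or self._evaluate(outbound, pkt)

    def show_access_list(self, name: str) -> list:
        return [(i + 1, a.action, a.hitcnt) for i, a in enumerate(self.acls[name])]


def tcp(iface: str, src: str, dst: str, dport: int) -> dict:
    return {"iface": iface, "proto": "tcp", "src": src, "dst": dst, "dport": dport}


def build_asa1() -> Asa:
    """ASA1 with the two access-lists from the post."""
    asa = Asa()
    asa.access_list("INSIDE_INBOUND", "deny", "tcp", "any", "192.168.2.2", 80)
    asa.access_list("INSIDE_INBOUND", "permit", "ip", "any", "any")
    asa.access_group("INSIDE_INBOUND", "in", "INSIDE")
    asa.access_list("OUTSIDE_INBOUND", "permit", "tcp", "any", "192.168.3.3", 23)
    asa.access_group("OUTSIDE_INBOUND", "in", "OUTSIDE")
    return asa


def build_asa1_without_permit_any() -> Asa:
    """Same INSIDE_INBOUND list without the final permit: the implicit deny bites."""
    asa = Asa()
    asa.access_list("INSIDE_INBOUND", "deny", "tcp", "any", "192.168.2.2", 80)
    asa.access_group("INSIDE_INBOUND", "in", "INSIDE")
    return asa


if __name__ == "__main__":
    asa = build_asa1()
    print(asa.forward(tcp("INSIDE", "192.168.1.1", "192.168.2.2", 80)))   # False: denied by line 1
    print(asa.forward(tcp("INSIDE", "192.168.1.1", "192.168.2.2", 23)))   # True: permit ip any any
    print(asa.forward(tcp("OUTSIDE", "192.168.2.2", "192.168.3.3", 23)))  # True: OUTSIDE_INBOUND line 1
    print(asa.forward(tcp("OUTSIDE", "192.168.2.2", "192.168.3.3", 80)))  # False: implicit deny
    print(asa.show_access_list("OUTSIDE_INBOUND"))                        # [(1, 'permit', 1)]
```

The model reproduces the two tests from the post (R1 to R2 on port 80 is dropped, R2 to R3 on port 23 passes and counts one hit) and makes two pitfalls visible: an inbound ACL on OUTSIDE only opens what it lists, so R2 to R3 on port 80 is still dropped, and an INSIDE_INBOUND list that lacks the closing permit ip any any cuts off all other inside traffic.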