Manage access lists on a Cisco ASA or PIX
Issue: how to manage the access list on a Cisco firewall
Affects: Cisco PIX and ASA
Solution to the issue: when a packet hits the external interface of the firewall, the firewall goes through the access list applied to that interface from top to bottom and stops at the first entry that matches; that entry decides whether the packet is allowed through. A packet that matches no entry at all is dropped by the implicit deny at the end of every access list. When you enter a new access-list entry in your configuration without giving it a line number, it is appended as the last entry, i.e. the last one to be checked. So if an earlier entry already denies that traffic, your new entry is never reached, even if it permits it.
For example: you want to allow FTP traffic to your FTP server 1.2.3.4, so you type
access-list acl_out permit tcp any host 1.2.3.4 eq ftp
If you look at your current configuration, you already had a rule blocking all FTP traffic, so you will never be able to FTP to your server:
access-list acl_out deny tcp any any eq ftp
access-list acl_out permit tcp any host 1.2.3.4 eq ftp
Solution: move the new rule before the one denying the traffic.
To see the position of each rule in the access-list table, type show access-list. The output also carries a hit count per entry, which is the quickest way to confirm which line is actually matching your traffic.
You will see something like this:
access-list acl_out line 1 deny tcp any any eq ftp
access-list acl_out line 2 permit tcp any host 1.2.3.4 eq ftp
Remove the rule you previously entered with the no form of the same command, then re-enter it with the position you want in the table (line 1 puts it at the top; the existing entries shift down by one):
access-list acl_out line 1 permit tcp any host 1.2.3.4 eq ftp
If you run show access-list again, you will now see:
access-list acl_out line 1 permit tcp any host 1.2.3.4 eq ftp
access-list acl_out line 2 deny tcp any any eq ftp
Now you can FTP to your server :-)
Note that this is pretty important when you are trying to block traffic from a specific IP: you want to block it as soon as it reaches the firewall, so enter the entry with line 1 so that you know it is at the top of the list. Also keep in mind that an access list only takes effect once it is bound to an interface with access-group; show access-list lists the entries whether or not acl_out is applied, so check show running-config access-group if traffic does not behave as the list suggests.
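The following is an added example, not part of the original article and not Cisco code: a small Python simulator of first-match access-list evaluation that parses the same access-list command syntax used above, appends entries by default, honours "line N" insertion and the "no" form, and ends with the implicit deny. It replays the FTP scenario so you can see the appended permit being shadowed and the line-1 permit taking effect. The client address 203.0.113.9 and the tiny port-name table are constructed for the example.

```python
import ipaddress

# Constructed subset of the port names the ASA/PIX CLI accepts after "eq".
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80, "https": 443}
PORT_BY_NUM = {v: k for k, v in PORT_NAMES.items()}
ANY = ipaddress.ip_network("0.0.0.0/0")


class AccessList:
    def __init__(self, name):
        self.name = name
        self.entries = []  # ordered; index 0 is "line 1", the first entry checked

    @staticmethod
    def _parse_addr(tok, i):
        """Read 'any', 'host A.B.C.D' or 'NET MASK' starting at tok[i]."""
        if tok[i] == "any":
            return ANY, i + 1
        if tok[i] == "host":
            return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        return ipaddress.ip_network(tok[i] + "/" + tok[i + 1]), i + 2

    @staticmethod
    def _fmt_addr(net):
        if net == ANY:
            return "any"
        if net.prefixlen == 32:
            return "host %s" % net.network_address
        return "%s %s" % (net.network_address, net.netmask)

    def _parse(self, command):
        """Parse 'access-list NAME [line N] [extended] permit|deny PROTO SRC DST [eq PORT]'."""
        tok = command.split()
        if tok[0:2] != ["access-list", self.name]:
            raise ValueError("not an entry for " + self.name)
        i, line = 2, None
        if tok[i] == "line":
            line, i = int(tok[i + 1]), i + 2
        if tok[i] == "extended":
            i += 1
        action, proto, i = tok[i], tok[i + 1], i + 2
        src, i = self._parse_addr(tok, i)
        dst, i = self._parse_addr(tok, i)
        port = None
        if i < len(tok) and tok[i] == "eq":
            port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        return line, {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

    def add(self, command):
        """Without 'line N' the entry is appended, i.e. it becomes the last one checked."""
        line, ace = self._parse(command)
        if line is None:
            self.entries.append(ace)
        else:
            self.entries.insert(line - 1, ace)

    def remove(self, command):
        """'no access-list ...' deletes the entry with the same content, wherever it sits."""
        _, ace = self._parse(command.split(None, 1)[1])
        self.entries.remove(ace)

    def evaluate(self, proto, src, dst, port):
        """Top to bottom, first match wins. Returns (line, action); line None means
        nothing matched and the packet hit the implicit deny at the end of the list."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for n, ace in enumerate(self.entries, start=1):
            if ace["proto"] not in ("ip", proto):
                continue
            if s not in ace["src"] or d not in ace["dst"]:
                continue
            if ace["port"] is not None and ace["port"] != port:
                continue
            return n, ace["action"]
        return None, "deny"

    def show(self):
        """Mimic the 'show access-list' lines quoted in the article."""
        out = []
        for n, ace in enumerate(self.entries, start=1):
            text = "access-list %s line %d %s %s %s %s" % (
                self.name, n, ace["action"], ace["proto"],
                self._fmt_addr(ace["src"]), self._fmt_addr(ace["dst"]))
            if ace["port"] is not None:
                text += " eq %s" % PORT_BY_NUM.get(ace["port"], ace["port"])
            out.append(text)
        return out


def demo():
    """Replay the article: the appended permit is shadowed, the line-1 permit is not."""
    acl = AccessList("acl_out")
    acl.add("access-list acl_out deny tcp any any eq ftp")
    acl.add("access-list acl_out permit tcp any host 1.2.3.4 eq ftp")  # lands on line 2
    client = "203.0.113.9"  # constructed client address
    shadowed = acl.evaluate("tcp", client, "1.2.3.4", 21)    # (1, 'deny')
    acl.remove("no access-list acl_out permit tcp any host 1.2.3.4 eq ftp")
    acl.add("access-list acl_out line 1 permit tcp any host 1.2.3.4 eq ftp")
    fixed = acl.evaluate("tcp", client, "1.2.3.4", 21)       # (1, 'permit')
    other_host = acl.evaluate("tcp", client, "1.2.3.5", 21)  # (2, 'deny')
    no_match = acl.evaluate("tcp", client, "1.2.3.4", 22)    # (None, 'deny'): implicit deny
    return shadowed, fixed, other_host, no_match, acl.show()
```

Run demo() to see the four verdicts and the reconstructed show access-list output; the last evaluation is the case the article does not spell out, a packet that matches no entry and is dropped by the implicit deny rather than by any line you can see.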
Comments:
Date of last update: 08-21-10
Author: Gaetan Barthelemy