Manage Access List on a Cisco ASA or Pix


Issue: how to manage the access list on a Cisco firewall

Affects: Cisco PIX and ASA

Solution to the issue: when a packet hits the external interface of the firewall, the firewall goes through the access list from top to bottom to see whether the packet is allowed through, and the first entry that matches decides. When you enter a new access-list command in your configuration, it is appended as the last entry of that access list, i.e. the last one to be checked. So if an earlier entry already denies some traffic, then even if your new command allows it, the traffic will not go through.

For example:

You want to allow FTP traffic to your FTP server 1.2.3.4, so you type: access-list acl_out permit tcp any host 1.2.3.4 eq ftp

If you look at your current configuration, you already had a rule blocking all FTP traffic, so you will never be able to FTP to your server:

access-list acl_out deny tcp any any eq ftp

access-list acl_out permit tcp any host 1.2.3.4 eq ftp

Solution: move the new rule before the one denying the traffic.

To see the position of each rule in the access-list table, type show access-list.

You will see something like this:

access-list acl_out line 1 deny tcp any any eq ftp

access-list acl_out line 2 permit tcp any host 1.2.3.4 eq ftp

Remove the rule you previously entered with the no command, then re-enter it with the line keyword to give it its new position in the table:

access-list acl_out line 1 permit tcp any host 1.2.3.4 eq ftp

If you run show access-list again, you will now see:
</gml_replace>
<gr_replace lines="41" cat="clarify" orig="now you">
Now you can FTP to your server 🙂

access-list acl_out line 1 permit tcp any host 1.2.3.4 eq ftp

access-list acl_out line 2 deny tcp any any eq ftp

now you can FTP to your server 🙂

Note that this is especially important when you are trying to block traffic from a specific IP. You want to block it as soon as it reaches the firewall, so insert the entry at line 1; that way you know it is at the top of the list.
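To make the top-to-bottom, first-match behaviour concrete, here is a small simulator of the ASA/PIX access-list semantics described above. It is an added example, not code from the original post or from Cisco: it parses the access-list command syntax used in the post, appends entries by default, inserts them at a position when the line keyword is given, removes them with no, and evaluates a packet against the list exactly as the firewall does, including the implicit deny at the end of every access list. The client address 203.0.113.7 and the PORT_NAMES table are constructed for the example.

```python
"""Simulator of Cisco ASA/PIX access-list ordering and first-match evaluation.

Added example, not part of the original post or of any Cisco software. It models
the behaviour the post describes: entries are checked top to bottom, the first
match wins, a new entry is appended unless 'line N' is given, and 'no' removes
an entry. The implicit deny at the end of every ASA access list is included.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the port names the ASA accepts after 'eq'.
PORT_NAMES = {"ftp": 21, "ssh": 22, "http": 80, "https": 443}


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]           # destination port, None means any
    text: str                     # entry as typed, without the 'line N' keyword

    def matches(self, proto, src_ip, dst_ip, dst_port):
        return ((self.proto == "ip" or self.proto == proto)
                and ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and (self.port is None or self.port == dst_port))


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(command):
    """Parse 'access-list NAME [line N] permit|deny PROTO SRC DST [eq PORT]'.

    Returns (acl_name, line_or_None, Ace). Raises ValueError on anything else.
    """
    t = command.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list command: {command}")
    name, i, line = t[1], 2, None
    if t[i] == "line":
        line, i = int(t[i + 1]), i + 2
    body = " ".join(t[i:])
    action, proto, i = t[i], t[i + 1], i + 2
    if action not in ("permit", "deny") or proto not in ("tcp", "udp", "ip"):
        raise ValueError(f"unsupported entry: {command}")
    src, i = _parse_addr(t, i)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
        i += 2
    if i != len(t):
        raise ValueError(f"trailing tokens in: {command}")
    return name, line, Ace(action, proto, src, dst, port, body)


class AccessLists:
    """Holds the access lists of one firewall and mimics the relevant CLI commands."""

    def __init__(self):
        self.acls = {}  # name -> ordered list of Ace

    def configure(self, command):
        """Apply an 'access-list ...' or 'no access-list ...' command as typed."""
        if command.startswith("no "):
            name, _, ace = parse_ace(command[3:])
            # 'no' removes the matching entry wherever it currently sits
            self.acls[name] = [e for e in self.acls.get(name, []) if e.text != ace.text]
            return
        name, line, ace = parse_ace(command)
        entries = self.acls.setdefault(name, [])
        if line is None:
            entries.append(ace)             # default: becomes the last entry
        else:
            entries.insert(line - 1, ace)   # 'line N': becomes entry N, rest shift down

    def show_access_list(self, name):
        """Lines in the form 'show access-list' prints them, with line numbers."""
        return [f"access-list {name} line {n} {e.text}"
                for n, e in enumerate(self.acls.get(name, []), start=1)]

    def evaluate(self, name, proto, src_ip, dst_ip, dst_port):
        """First matching entry decides; no match falls through to the implicit deny."""
        for n, e in enumerate(self.acls.get(name, []), start=1):
            if e.matches(proto, src_ip, dst_ip, dst_port):
                return e.action, n
        return "deny", None


def walkthrough():
    """Reproduce the post's FTP example; returns the decision before and after the fix."""
    fw = AccessLists()
    fw.configure("access-list acl_out deny tcp any any eq ftp")             # already present
    fw.configure("access-list acl_out permit tcp any host 1.2.3.4 eq ftp")  # appended as line 2
    before = fw.evaluate("acl_out", "tcp", "203.0.113.7", "1.2.3.4", 21)    # constructed client
    fw.configure("no access-list acl_out permit tcp any host 1.2.3.4 eq ftp")
    fw.configure("access-list acl_out line 1 permit tcp any host 1.2.3.4 eq ftp")
    after = fw.evaluate("acl_out", "tcp", "203.0.113.7", "1.2.3.4", 21)
    return before, after, fw.show_access_list("acl_out")


if __name__ == "__main__":
    before, after, listing = walkthrough()
    print("before the fix:", before)   # ('deny', 1): the FTP deny on line 1 wins
    print("after the fix: ", after)    # ('permit', 1): the permit now sits on line 1
    print("\n".join(listing))
```

Running walkthrough() shows the packet to 1.2.3.4 port 21 being denied by line 1 before the change and permitted by line 1 after it, with the listing matching the second show access-list output in the post. Calling evaluate() for a port no entry mentions returns ("deny", None), the implicit deny, which is why an ASA access list with only permit entries still blocks everything else.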

Steve Boullianne, High school drop-out. College drop-out. A go-go dancer in Amsterdam. LOVED computers, programmed satellites for AT&T. Founded IPSOFACTO in 1996, Y2K boom, Dot-Com boom, 2.0 boom. Likes his smallish company and human relationships; not into big anonymous IT. Loves to tell jokes. Loves and Hates technology; pick up the phone, ok? Thinks on line hook up sites have saved the world from AIDS and DateRape. Thinks his kids are better collaborators and world leaders thanks to video games. Is still a hip-hop dancer; is NOT a Brony. Loves San Francisco; Hates the homeless crisis. Tells young people to buy real estate, as soon as possible. Don’t rent. Hopes his final years are spent handing out blankets, food, clothes, and medical supplies.