Wednesday, April 30, 2008

How to Create and Manage Cisco ASA and PIX Access-Control Lists

Access Control Lists (ACLs) are sequential lists of permit and deny conditions applied to traffic flows on a device interface. ACLs match traffic on criteria including protocol type, source IP address, destination IP address, source port number, and/or destination port number. ACLs can be used to filter traffic for various purposes including security, monitoring, route selection, and network address translation.

ACLs consist of one or more Access Control Entries (ACEs). Each ACE is an individual line within an ACL. ACLs on a Cisco ASA Security Appliance (or a PIX firewall running software version 7.x or later) are similar to those on a Cisco router, but not identical. Firewalls use real subnet masks instead of the inverted (wildcard) mask used on a router. ACLs on a firewall are always named instead of numbered and are assumed to be extended lists.

The syntax of an ACE is relatively straight-forward:

asa(config)# access-list name [line number] [extended] {permit | deny} protocol source_IP_address source_netmask [operator source_port] destination_IP_address destination_netmask [operator destination_port] [log [[disable | default] [level]] [interval seconds]] [time-range name] [inactive]

Here's an example:

asa(config)# access-list demo1 permit tcp any eq www
asa(config)# access-list demo1 permit tcp any eq 443
asa(config)# show access-list demo1
access-list demo1; 2 elements
access-list demo1 line 1 extended permit tcp any eq www
access-list demo1 line 2 extended permit tcp any eq https

In the above example, an ACL called "demo1" is created in which the first ACE permits TCP traffic originating on the subnet to go to any destination IP address with the destination port of 80 (www). In the second ACE, the same traffic flow is permitted for destination port 443 (https). Notice in the output of the show access-list command that line numbers are displayed and the extended keyword is included, even though neither was typed in the configuration statements.

You can deactivate an ACE without deleting it by appending the inactive option to the end of the line.

As with Cisco routers, there is an implicit "deny any" at the end of every ACL. Any traffic that is not explicitly permitted is implicitly denied.

Editing ACLs and ACEs

New ACEs are appended to the end of the ACL. If, however, you want to insert the new ACE at a particular position within the ACL, add the line number parameter to the ACE:

asa(config)# access-list demo1 line 1 deny tcp host any eq www
asa(config)# show access-list demo1
access-list demo1; 3 elements
access-list demo1 line 1 extended deny tcp host any eq www
access-list demo1 line 2 extended permit tcp any eq www
access-list demo1 line 3 extended permit tcp any eq https

Notice in the first line of the example above that an ACE is added at line one of the ACL. In the output of the show access-list demo1 command, the new entry appears in the first position and the former first entry becomes line number two.

You can remove an ACE from an ACL by preceding the ACE configuration statement with the modifier no, as in the following example:

asa04(config)#no access-list demo1 deny tcp host 10.10.2 any eq www
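
The numbering, insertion, removal and first-match behaviour described above, and the implicit "deny any" from the earlier section, can be checked offline with a small simulator. This is an added example, not code from the blog post: it accepts only a small subset of the real ACE grammar (protocol, source, destination, optional `eq` ports, optional `inactive`), and the 192.168.1.0/24 source subnet and 198.51.100.5 destination are constructed sample values standing in for the addresses the post's own examples leave out.

```python
"""Simulator for ASA/PIX ACL editing and first-match evaluation (added example, not the post's
code).  Models ACE numbering, 'line N' insertion, 'no' removal, 'inactive' and the implicit deny.
Accepts a small subset of the real grammar: proto, source, destination, optional 'eq' ports,
optional 'inactive'.  The 192.168.1.0/24 source and 198.51.100.5 destination are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25}
PORT_TO_NAME = {80: "www", 443: "https", 22: "ssh", 25: "smtp"}

@dataclass
class ACE:
    action: str                 # permit | deny
    proto: str                  # tcp, udp, ip, ...
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    inactive: bool = False

def parse_addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (real subnet mask, not a router wildcard)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_port(t, i):
    """Consume an optional 'eq <port>' (number or well-known name)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def fmt_addr(net):
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"

def fmt_port(p):
    return "" if p is None else f" eq {PORT_TO_NAME.get(p, p)}"

class ACL:
    def __init__(self, name):
        self.name = name
        self.entries: List[ACE] = []

    @staticmethod
    def parse_ace(text):
        """Parse the words after 'access-list <name>'; returns (explicit line number or None, ACE)."""
        t, i, line = text.split(), 0, None
        if t[i] == "line":
            line, i = int(t[i + 1]), i + 2
        if t[i] == "extended":
            i += 1
        action, proto, i = t[i], t[i + 1], i + 2
        src, i = parse_addr(t, i)
        sport, i = parse_port(t, i)
        dst, i = parse_addr(t, i)
        dport, i = parse_port(t, i)
        return line, ACE(action, proto, src, sport, dst, dport, "inactive" in t[i:])

    def configure(self, cmd):
        """Apply one config-mode command: 'access-list NAME ...' or 'no access-list NAME ...'."""
        negate = cmd.startswith("no ")
        m = re.match(r"access-list\s+(\S+)\s+(.*)", cmd[3:] if negate else cmd)
        if not m or m.group(1) != self.name:
            raise ValueError(f"not a command for ACL {self.name}: {cmd}")
        line, ace = self.parse_ace(m.group(2))
        if negate:
            self.entries.remove(ace)            # 'no' + the ACE text removes it; later lines renumber
        elif line is None:
            self.entries.append(ace)            # default: new ACEs go to the end
        else:
            self.entries.insert(line - 1, ace)  # 'line N' inserts; the old line N becomes N+1

    def show(self):
        """Render like 'show access-list': element count, then numbered lines tagged 'extended'."""
        out = [f"access-list {self.name}; {len(self.entries)} elements"]
        for n, a in enumerate(self.entries, 1):
            body = (f"{a.action} {a.proto} {fmt_addr(a.src)}{fmt_port(a.sport)} "
                    f"{fmt_addr(a.dst)}{fmt_port(a.dport)}" + (" inactive" if a.inactive else ""))
            out.append(f"access-list {self.name} line {n} extended {body}")
        return out

    def evaluate(self, proto, src_ip, dst_ip, dport=None, sport=None):
        """First active matching ACE decides; no match means the implicit 'deny any'."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for n, a in enumerate(self.entries, 1):
            if a.inactive or a.proto not in ("ip", proto):
                continue
            if s not in a.src or d not in a.dst:
                continue
            if a.sport not in (None, sport) or a.dport not in (None, dport):
                continue
            return a.action, n
        return "deny", None

def demo():
    acl = ACL("demo1")
    acl.configure("access-list demo1 permit tcp 192.168.1.0 255.255.255.0 any eq www")
    acl.configure("access-list demo1 permit tcp 192.168.1.0 255.255.255.0 any eq 443")
    before = acl.evaluate("tcp", "192.168.1.10", "198.51.100.5", dport=80)    # ("permit", 1)
    acl.configure("access-list demo1 line 1 deny tcp host 192.168.1.10 any eq www")
    after = acl.evaluate("tcp", "192.168.1.10", "198.51.100.5", dport=80)     # ("deny", 1): new line 1 wins
    other = acl.evaluate("tcp", "192.168.1.20", "198.51.100.5", dport=80)     # ("permit", 2): old line 1 is now 2
    unlisted = acl.evaluate("tcp", "192.168.1.20", "198.51.100.5", dport=25)  # ("deny", None): implicit deny
    acl.configure("no access-list demo1 deny tcp host 192.168.1.10 any eq www")
    return acl.show(), before, after, other, unlisted

if __name__ == "__main__":
    print("\n".join(demo()[0]))
```

Running `demo()` walks the same sequence as the post: two permits, a `line 1` deny inserted ahead of them (which then wins for the host it names while the old first entry becomes line 2), a packet to a port no ACE mentions falling through to the implicit deny, and finally `no` removing the inserted entry so `show` is back to two elements.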

In my next post, I'll show you how to use time-ranges to apply access-control lists only at certain times and/or on certain days. I'll also show you how to use object-groups with access-control lists to simplify ACL management by grouping similar components such as IP addresses or protocols together.

Wednesday, April 23, 2008

We're heading to California with Cisco training

We've just added California dates for our Cisco Router Training and Cisco ASA Training seminars.

Here are the Cisco router training dates for California:

  • Sacramento: July 22/23
  • San Francisco: July 24/25
  • Los Angeles (Buena Park/Anaheim area): September 15/16
  • Los Angeles (LAX area): September 17/18

Here are the Cisco ASA training dates for California:

  • Sacramento: August 25/26
  • San Francisco: August 27/28
  • Los Angeles (Buena Park/Anaheim area): October 14/15
  • Los Angeles (LAX area): October 16/17

Registration is now open at

See you in class in California!

Friday, April 18, 2008

A Free SCP Utility

I just ran across a very cool, open-source SCP/SFTP utility called WinSCP. I have a business hosting account with 1and1 which includes SSH access. This utility allows me to configure my SSH credentials and then use a Windows Explorer or Norton Commander style of interface to move files back and forth. Very cool. Had to share it with you. Download it here. Let me know what you think.

Wednesday, April 16, 2008

Eight Basic Commands to Configure a Cisco ASA Security Appliance

Note: This post has been updated to reflect changes in NAT/PAT configuration. View the updated post here. There is also a video demonstrating this process using the newer commands here.

There are literally thousands of commands and sub-commands available to configure a Cisco security appliance. As you gain knowledge of the appliance, you will use more and more of the commands. Initially, however, there are just a few commands required to configure basic functionality on the appliance. Basic functionality is defined as allowing inside hosts to access outside hosts, but not allowing outside hosts to access the inside hosts. Additionally, management must be allowed from at least one inside host. Here are eight basic commands:

interface
The interface command identifies either the hardware interface or the VLAN interface that will be configured. Once in interface configuration mode, you can assign physical interfaces to switchports and enable them (turn them on), or you can assign names and security levels to VLAN interfaces.

nameif
The nameif command gives the interface a name and assigns a security level. Typical names are outside, inside, or DMZ.

security-level
Security levels are used by the appliance to control traffic flow. Traffic is permitted to flow from interfaces with higher security levels to interfaces with lower security levels, but not the other way. Access-lists must be used to permit traffic to flow from lower security levels to higher security levels. Security levels range from 0 to 100. The default security level for an outside interface is 0. For an inside interface, the default security level is 100. In the following sample configuration, the interface command is first used to select the inside and outside VLAN interfaces, which are then named with nameif and receive their default security levels; the DMZ interface is then named and a security level of 50 is assigned to it.
ciscoasa(config)# interface vlan1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# interface vlan2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# interface vlan3
ciscoasa(config-if)# nameif dmz
ciscoasa(config-if)# security-level 50

ip address
The ip address command assigns an IP address to a VLAN interface, either statically or by making it a DHCP client. With modern versions of security appliance software, it is not necessary to explicitly configure default subnet masks. If you are using non-standard masks, you must explicitly configure the mask, but otherwise it is not necessary. In the following sample configuration, an IP address is assigned to VLAN 1, the inside interface.
ciscoasa(config-if)# interface vlan 1
ciscoasa(config-if)# ip address

switchport access
The switchport access command on the ASA 5505 security appliance assigns a physical interface to a logical (VLAN) interface. In the next example, the interface command is used to identify physical interfaces, assign them to switchports on the appliance, and enable them (turn them on) through the use of the "no shutdown" statement.
ciscoasa(config-if)# interface ethernet 0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/1
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# no shutdown

nat
The nat command enables network address translation on the specified interface for the specified subnet. In this sample configuration, NAT is enabled on the inside interface for hosts on the subnet. The number "1" is the NAT ID, which is used by the global command to associate a global address or pool with the inside addresses. (Note: nat 0 is used to prevent the specified group of addresses from being translated.)
ciscoasa(config)# nat (inside) 1

global
The global command works in tandem with the nat command. It identifies the interface (usually outside) through which traffic from NATed hosts (usually inside hosts) must flow. It also identifies the global address that NATed hosts will use to connect to the outside world. In the following sample, the hosts associated with NAT ID 1 will use the global address on the outside interface.
ciscoasa(config)# global (outside) 1

In this additional example of the global command, the interface keyword tells the firewall that hosts associated with NAT ID 1 will use the DHCP-assigned global address on the outside interface.
ciscoasa(config)# global (outside) 1 interface

route
The route command, in its most basic form, assigns a default route for traffic, typically to an ISP's router. It can also be used in conjunction with access-lists to send specific types of traffic to specific hosts on specific subnets. In this sample configuration, the route command is used to configure a default route to the ISP's router. The two zeroes before the ISP's router address are shorthand for an IP address of 0.0.0.0 and a mask of 0.0.0.0. The keyword outside identifies the interface through which traffic will flow to reach the default route.
ciscoasa(config-if)# route outside 0 0
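
The eight commands above fit together in ways that are easy to get wrong: a nat ID with no matching global leaves those hosts untranslated, and the security levels decide which interface pairs pass traffic without an access-list. The following is an added example, not part of the post: a small checker that parses a constructed configuration written in the same pre-8.3 syntax (interface/nameif/security-level, nat/global, route) and reports those properties. Every address in it is a constructed sample value, and the config deliberately includes a nat ID 2 on the DMZ with no global so the check has something to find.

```python
"""Sanity checks on the minimal ASA configuration the post builds up.

Added example, not the post's own material: it parses a constructed config written in the
pre-8.3 syntax the post uses (interface/nameif/security-level, nat/global pairs, route) and
answers the questions a reviewer asks of it: which interface pairs pass traffic without an
ACL (higher -> lower security level), whether every nat ID has a global, and whether a default
route exists.  All addresses are constructed sample values.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """
interface vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface vlan2
 nameif outside
 security-level 0
 ip address dhcp
interface vlan3
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 2 192.168.2.0 255.255.255.0
global (outside) 1 interface
route outside 0 0 203.0.113.1
"""

@dataclass
class Parsed:
    levels: Dict[str, int] = field(default_factory=dict)         # nameif -> security level
    nat_ids: Dict[int, List[str]] = field(default_factory=dict)  # nat id -> interfaces using it
    global_ids: Dict[int, List[str]] = field(default_factory=dict)
    default_route: Optional[Tuple[str, str]] = None              # (egress interface, gateway)

def parse(config: str) -> Parsed:
    p, current = Parsed(), None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            current = line.split()[1]
            # Level the appliance applies when none is configured: 100 for an
            # interface named "inside", 0 for any other name.
            p.levels[current] = 100 if current == "inside" else 0
        elif line.startswith("security-level ") and current:
            p.levels[current] = int(line.split()[1])
        elif m := re.match(r"nat \((\S+)\) (\d+)", line):
            p.nat_ids.setdefault(int(m.group(2)), []).append(m.group(1))
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            p.global_ids.setdefault(int(m.group(2)), []).append(m.group(1))
        elif m := re.match(r"route (\S+) (?:0 0|0\.0\.0\.0 0\.0\.0\.0) (\S+)", line):
            p.default_route = (m.group(1), m.group(2))
    return p

def default_flow(p: Parsed, src_if: str, dst_if: str) -> str:
    """'allowed' when traffic may start from src_if toward dst_if with no ACL (higher -> lower
    level); 'needs-acl' for lower -> higher.  Equal levels are also reported as 'needs-acl',
    since same-security forwarding is off unless explicitly enabled."""
    return "allowed" if p.levels[src_if] > p.levels[dst_if] else "needs-acl"

def findings(p: Parsed) -> List[str]:
    """Problems a reviewer would flag: nat IDs with no matching global, and no default route."""
    out = []
    for nid, ifaces in sorted(p.nat_ids.items()):
        if nid == 0:
            continue  # nat 0 exempts addresses from translation and needs no global
        if nid not in p.global_ids:
            out.append(f"nat id {nid} on {','.join(ifaces)} has no matching global command")
    if p.default_route is None:
        out.append("no default route configured")
    return out

if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    for a in cfg.levels:
        for b in cfg.levels:
            if a != b:
                print(f"{a:>8} -> {b:<8} {default_flow(cfg, a, b)}")
    print("\n".join(findings(cfg)) or "no findings")
```

The flow matrix it prints is the practical meaning of the security levels: inside reaches outside and the DMZ without any ACL, the DMZ reaches outside but not inside, and nothing from outside gets in until an access-list permits it. The finding on nat ID 2 is the kind of gap that produces "it pings from inside but not from the DMZ" tickets.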

The above commands create a very basic firewall, but frankly, using a sophisticated device such as a Cisco PIX or ASA security appliance to perform such basic firewall functions is overkill. Other commands to use include hostname to identify the firewall, telnet or SSH to allow remote administration, DHCPD commands to allow the firewall to assign IP addresses to inside hosts, and static route and access-list commands to allow internal hosts such as DMZ Web servers or DMZ mail servers to be accessible to Internet hosts. Obviously, if you're using a device such as an ASA or a PIX, you'll probably be doing a lot more with it than simply setting up a basic firewall, but the above commands will provide a foundation for the more complex configurations.

For more step-by-step guides on the ASA, please check out my book The Accidental Administrator: Cisco ASA Security Appliance: A Step-by-Step Configuration Guide, available on, Barnes and Noble, and other channels.

Based on the two-day workshop Cisco ASA Training: Two-Day Hands-On Workshop from (