Implementing Access Lists on Cisco ASA Firewalls
An access control list (ACL) is an ordered list of rules that permit or deny traffic between network resources, normally derived from the security policy an organisation has defined in advance. Beyond the explicit permit or deny action, each rule can match traffic on several criteria: protocol, source and destination IP address, and source and destination port numbers.
On a Cisco ASA an ACL is bound to an interface in one of two directions:
- Inbound: inbound access lists apply to traffic as it enters an interface.
- Outbound: outbound access lists apply to traffic as it exits an interface.
ACLs are normally used to allow only selected services by filtering network traffic, so they add a layer of security on top of the firewall's default behaviour. On the ASA, ACLs are also used for other purposes: monitoring traffic (each entry keeps a hit count), route selection, identifying traffic for network address translation, and controlling host access to the device.
Implementation Examples:
An extended access-control entry that permits TCP port 8000 from one host to another. Whether the list is inbound or outbound is not decided here but when it is bound to an interface with the access-group command:
hostname(config)# access-list 102 extended permit tcp host 10.1.10.4 host 172.19.99.225 eq 8000
To permit the local network 172.16.99.0/24 as a source to any destination. Note that the ASA takes a subnet mask here (255.255.255.0), not the IOS-style wildcard mask 0.0.0.255, and that an entry with both source and destination must be an extended entry:
access-list acl_permit extended permit ip 172.16.99.0 255.255.255.0 any
To permit or deny all traffic (an explicit catch-all, normally the last line; every ASA access list also ends with an implicit deny):
access-list acl_permit extended {permit | deny} ip any any
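The following is an added example, not code from the original article or from Cisco. It is a small offline model of how the ASA evaluates an extended access list: the configuration lines are constructed for the demo (names such as OUTSIDE_IN, INSIDE_OUT and the interfaces outside/inside are assumptions), the parser handles only the syntax subset used on this page (ip/tcp/udp, any, host A.B.C.D, A.B.C.D SUBNETMASK, optional destination eq PORT), and entries are tried top to bottom with first match winning and an implicit deny at the end. It also keeps per-entry hit counters in the style of the (hitcnt=N) field that show access-list reports, which is useful for checking the ordering of a list before pushing it to a firewall.

```python
"""Offline model of Cisco ASA extended-ACL evaluation (added example,
not Cisco code). Evaluation order: top to bottom, first match wins,
implicit deny at the end. The ASA_CONFIG below is constructed.
Supported syntax subset: ip/tcp/udp; any; host A.B.C.D; A.B.C.D MASK
(a subnet mask, not an IOS wildcard mask); optional destination eq PORT."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed configuration modelled on the article's examples. The
# access-group lines are what make each list take effect on an interface.
ASA_CONFIG = """
access-list OUTSIDE_IN extended permit tcp host 10.1.10.4 host 172.19.99.225 eq 8000
access-list INSIDE_OUT extended permit ip 172.16.99.0 255.255.255.0 any
access-list INSIDE_OUT extended deny ip any any
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside
"""


@dataclass
class Ace:
    """One access-control entry plus its hit counter."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None means any destination port
    hitcnt: int = 0

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        return self.dport is None or self.dport == dport


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ASA address spec at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # "address subnet-mask" form; ipaddress accepts a dotted mask after "/".
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_config(text: str):
    """Return ({acl name: [Ace, ...]}, {(interface, direction): acl name})."""
    acls: Dict[str, List[Ace]] = {}
    bindings: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "extended":
            name, action, proto = t[1], t[3], t[4]
            src, i = _parse_addr(t, 5)
            dst, i = _parse_addr(t, i)
            dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif t[0] == "access-group":   # access-group NAME {in|out} interface IFNAME
            bindings[(t[4], t[2])] = t[1]
    return acls, bindings


def evaluate(acls, bindings, interface, direction, proto, src, dst, dport=None) -> str:
    """Decide one flow on an interface/direction; the first matching ACE wins."""
    name = bindings.get((interface, direction))
    if name is None:
        raise ValueError(f"no ACL bound {direction} on {interface}")
    for ace in acls[name]:
        if ace.matches(proto, src, dst, dport):
            ace.hitcnt += 1
            return ace.action
    return "deny"  # every ASA access list ends with an implicit deny


def _fmt(net: ipaddress.IPv4Network) -> str:
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def show_access_list(acls, name: str) -> List[str]:
    """Render an ACL with hit counts, in the spirit of `show access-list NAME`."""
    out = []
    for n, ace in enumerate(acls[name], 1):
        port = f" eq {ace.dport}" if ace.dport is not None else ""
        out.append(f"access-list {name} line {n} extended {ace.action} {ace.proto} "
                   f"{_fmt(ace.src)} {_fmt(ace.dst)}{port} (hitcnt={ace.hitcnt})")
    return out


def run_demo():
    """Evaluate four constructed flows; return (decisions, acls with hit counts)."""
    acls, bindings = parse_config(ASA_CONFIG)
    flows = [
        ("outside", "in", "tcp", "10.1.10.4", "172.19.99.225", 8000),  # line 1 permits
        ("outside", "in", "tcp", "10.1.10.4", "172.19.99.225", 8001),  # implicit deny
        ("inside", "in", "udp", "172.16.99.10", "8.8.8.8", 53),        # local net permitted
        ("inside", "in", "tcp", "172.16.98.10", "8.8.8.8", 443),       # wrong subnet, explicit deny
    ]
    return [evaluate(acls, bindings, *f) for f in flows], acls


if __name__ == "__main__":
    decisions, acls = run_demo()
    print(decisions)
    for name in acls:
        print("\n".join(show_access_list(acls, name)))
```

The second flow shows why port-specific entries need care: TCP 8001 to the same host has no matching line and silently falls to the implicit deny, which a hit-count listing makes visible only as a counter that never increments. The fourth flow shows the subnet-mask point from the examples above: 172.16.98.10 is outside 172.16.99.0 255.255.255.0 and is caught by the explicit deny.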
Using ASA GUI Mode Via ASDM:
File-level access control predates network ACLs: the Unix permission bits set with the chmod command were an early, coarse form of it. As network deployments have grown, IT infrastructures are built on a "defense in depth" strategy, and network ACLs supply one of those layers of security.
When creating or applying an access list, the implementer must consider the possible side effects. CPU and memory usage of the router or firewall should be checked before and after the list is applied (on the ASA, show cpu usage and show memory), and show access-list displays each entry with its hit count, which is the quickest way to confirm that the list is matching the traffic it was written for.