Manage Access List on a Cisco ASA or Pix


Issue: how to manage the access list on a Cisco firewall

Affects: Cisco PIX and ASA

Solution to the issue: when a packet arrives on an interface of the firewall, the firewall walks the access list applied to that interface from top to bottom, and the first entry that matches decides whether the packet is allowed through (if no entry matches, the implicit deny at the end of the list drops it). When you enter a new access-list command in your configuration, the new entry is appended as the last line of that access list, i.e. the last one to be checked. So if an earlier entry already denies the traffic, your new permit is never reached and the traffic still does not go through.

For example:

You want to allow FTP traffic to your FTP server 1.2.3.4, so you type access-list acl_out permit tcp any host 1.2.3.4 eq ftp

If you look at your current configuration, however, you already have a rule blocking all FTP traffic. The access list now reads as follows, and you will still never be able to FTP to your server:

access-list acl_out deny tcp any any eq ftp

access-list acl_out permit tcp any host 1.2.3.4 eq ftp

Solution: move the new rule above the one denying the traffic.

To see the position of each rule in the access list, type show access-list (show access-list acl_out limits the output to that one list). The output also shows a hit counter per entry, which is the quickest way to confirm which line your traffic is actually matching.

You will see something like this:

access-list acl_out line 1 deny tcp any any eq ftp

access-list acl_out line 2 permit tcp any host 1.2.3.4 eq ftp

Remove the rule you just entered (prefix the same command with no) and re-enter it with the line keyword to set its new position in the table:

access-list acl_out line 1 permit tcp any host 1.2.3.4 eq ftp

If you run show access-list again, you will now see:

access-list acl_out line 1 permit tcp any host 1.2.3.4 eq ftp

access-list acl_out line 2 deny tcp any any eq ftp

Now you can FTP to your server 🙂

Note that this is especially important when you are trying to block traffic from a specific IP address. You want it dropped as soon as it reaches the firewall, so insert the deny at line 1; that way you know it sits at the top of the list, ahead of any permit that would otherwise let the traffic through. Keep in mind that inserting at line 1 pushes every existing entry down by one line, so re-check the numbering with show access-list before inserting anything else by line number.
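As an added example (not part of the original post and not Cisco code), the following Python script replays the firewall's first-match logic over the output of show access-list, so you can spot this problem before typing anything into the firewall. It parses constructed sample output modelled on the lines above (tolerating the (hitcnt=N) counter and the extended keyword that newer ASA releases print, both optional on the command line), evaluates a test flow top to bottom, reports entries that are shadowed by an earlier opposite-action entry, and prints the no / line N commands from the procedure above to move the shadowed rule ahead of the one blocking it. The addresses, the acl_out name and all function names are illustrative assumptions; it only understands the simple any / host A / A MASK address forms and a destination eq port, not object-groups or port ranges.

```python
"""Replay a Cisco PIX/ASA access list top to bottom from `show access-list` output.

Added example, not from the original post. Addresses, the acl_out name and the
function names are illustrative; only any / host A / A MASK sources and
destinations plus a destination `eq` port are understood (no object-groups).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the list from the post after the permit was appended
# below the existing deny; (hitcnt=N) is what the firewall prints per entry.
SHOW_BEFORE = """\
access-list acl_out line 1 deny tcp any any eq ftp (hitcnt=12)
access-list acl_out line 2 permit tcp any host 1.2.3.4 eq ftp (hitcnt=0)
"""

# Constructed sample: the same list after the fix, in the ASA "extended" form.
SHOW_AFTER = """\
access-list acl_out line 1 extended permit tcp any host 1.2.3.4 eq ftp (hitcnt=3)
access-list acl_out line 2 extended deny tcp any any eq ftp (hitcnt=12)
"""

PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "http": 80, "https": 443}

LINE_RE = re.compile(r"^access-list (\S+) line (\d+) (?:extended )?(.*?)(?: \(hitcnt=\d+\).*)?$")


@dataclass
class Ace:
    acl: str
    line: int
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "ip", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None = any destination port
    text: str                    # ACE as typed, e.g. "permit tcp any host 1.2.3.4 eq ftp"


def _net(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: any | host A | A MASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok + "/" + tokens.pop(0), strict=False)


def parse_show_access_list(output: str) -> List[Ace]:
    """Turn `show access-list` lines into ACEs ordered by line number."""
    aces = []
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                          # blanks, headers, unsupported forms
        acl, line, body = m.group(1), int(m.group(2)), m.group(3)
        tokens = body.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _net(tokens), _net(tokens)
        dport = None
        if tokens[:1] == ["eq"]:
            dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        aces.append(Ace(acl, line, action, proto, src, dst, dport, body))
    return sorted(aces, key=lambda a: a.line)


def first_match(aces: List[Ace], proto: str, src_ip: str, dst_ip: str, dport: int) -> Optional[Ace]:
    """Evaluate a flow the way the firewall does: the first matching line wins;
    no match means the implicit deny at the end of the list (returned as None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if (ace.proto in ("ip", proto) and s in ace.src and d in ace.dst
                and (ace.dport is None or ace.dport == dport)):
            return ace
    return None


def shadowed(aces: List[Ace]):
    """(later, earlier) pairs where an earlier line with the opposite action
    covers everything the later line covers, so the later line can never match."""
    found = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            if (earlier.action != later.action
                    and earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                found.append((later, earlier))
                break
    return found


def move_above(ace: Ace, blocker: Ace) -> List[str]:
    """The two commands from the post: remove the appended entry, then re-enter it
    at the blocker's line number. The blocker sits above the entry being removed,
    so its own line number does not shift."""
    return [f"no access-list {ace.acl} {ace.text}",
            f"access-list {ace.acl} line {blocker.line} {ace.text}"]


if __name__ == "__main__":
    for label, output in (("before", SHOW_BEFORE), ("after", SHOW_AFTER)):
        aces = parse_show_access_list(output)
        hit = first_match(aces, "tcp", "203.0.113.9", "1.2.3.4", 21)
        print(f"[{label}] FTP to 1.2.3.4 matches:", f"line {hit.line} {hit.text}" if hit else "implicit deny")
        for later, earlier in shadowed(aces):
            print(f"[{label}] line {later.line} can never match, line {earlier.line} catches it first; fix:")
            for cmd in move_above(later, earlier):
                print("   ", cmd)
```

Run against the first sample it reports that line 2 is shadowed by line 1 and prints the same no / line 1 pair used in the procedure above; against the second sample (the list after the fix) it reports nothing, because the broad deny at line 2 is not covered by the single-host permit above it. The text in the no command has to match the entry as it was typed, so when you paste the output into a real firewall, compare it against show running-config access-list first.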

Steve Boullianne, Multiple post-graduate degrees, Mind/Body/Spirit enthusiast, & a member of Mensa. Loves Skiing, Scuba, and Food. Steve’s First job out of college was programming satellites for AT&T. Founded IPSOFACTO in 1996, Y2K boom, e-Commerce super success, 2.1 boom. Steve is ready to Mediate high quality for all life, our one planet, and human kindness. Loves to dance and tell jokes. Steve believes that Excellent Communication is key to human success (and failure). Steve has 3 sons who are his STARS. They will carry the world into a brilliant future. Since 1996, Steve has been a volunteer drug and alcoholism counselor in the Bay Area. The power of the Great Spirit is in you. Steve is a good friend to have.