Header
Home | Set as homepage | Add to favorites
Sections
Syndication


Blogroll:

||||| ALL Cisco-Network ARTICLES |||||  
CCIE Journey,
The CCIE Journey, 

Home : CCSP-Cisco Certified Security Professional : Basic ACL Statements

Basic ACL Statements

image


 

Basic ACL Statements

PIX ACLs can be used to control connections based on source address, destination address, or protocol information. Because many ACLs are created to allow outside access into the more secure areas of the network, configuring them carefully to allow only the minimum access required is important. Whenever possible, configure ACLs more restrictively by specifying a remote source address, local destination address, and the protocol used, thereby reducing the likelihood of unwanted additional traffic. The any and host keywords are implemented the same as in IOS ACLs. Use the no form of the command to remove the ACL entry. The basic syntax is

Pix(config)# access-list acl_id {deny | permit} protocol {source_addr | local_addr}
{source_mask | local_mask}[operator port [port_id] {dest_addr | remote_addr}
{dest_mask | remote_mask} [operator port [port_id]

acl_id

ACL name. This can be either a name or a number.

permit

Used with the access-group command, permit allows the packet to traverse the PIX Firewall. Default is to deny all inbound or outbound traffic.

Used with a crypto map command, permit selects a packet for IPSec protection using the policy described by the corresponding crypto map command statements.

deny

Used with the access-group command, deny doesn’t allow a packet to traverse the PIX Firewall. Default is to deny all inbound or outbound traffic.

Used with a crypto map command statement, deny prevents the traffic from being protected by IPSec in the context of that particular crypto map entry.

protocol

Name or number of an IP protocol. Choices include one of the keywords ip, tcp, udp, icmp, or an integer (1 to 254) representing an IP protocol number. Use keyword ip to include IP, ICMP, TCP, and UDP.

source_addr

Source network or host address. Use for ACL statement with access-group, the aaa match access-list command, and the aaa authorization command.

local_addr

Network or host address local to the PIX Firewall. Use local_addr with ACL statements for a crypto access-list statement, a nat 0 access-list statement, or a vpngroup split-tunnel statement.

source_mask

Netmask mask to be applied to source_addr.

local_mask

Netmask mask to be applied to local_addr.

operator

Comparison operator: lt—less than, gt—greater than, eq—equal, neq—not equal, and range—inclusive range. ACL command without an operator and port indicates all ports by default.

port port_id

Keyword followed by port identifier. Can be a number (0 to 65,535) or a literal, such as www (port 80) or smtp (port 25).

dest_addr

Destination network or host address. Use for ACL statement with access-group, the aaa match access-list, and aaa authorization commands.

remote_addr

Network or host address remote to the PIX Firewall. Use local_addr with ACL statements for a crypto access-list statement, a nat 0 access-list statement, or a vpngroup split-tunnel statement.

dest_mask

Netmask mask to be applied to dest_addr.

remote_mask

Netmask mask to be applied to remote_addr.

In the following example, a static mapping is created for a server, and then outside users are allowed to access that global address for web and FTP activities.

Pix(config)# static (dmz,outside) 1.1.1.3 192.168.2.3
Pix(config)# access-list tcp_ok permit tcp any host 1.1.1.3 eq www
Pix(config)# access-list tcp_ok permit tcp any host 1.1.1.3 eq ftp
Pix(config)# access-group tcp_ok in interface outside
37 times read

Related news
» ICMP ACL Statements
by alperen posted on Feb 04,2010
» Using Access Lists-Access-Group Statement
by alperen posted on Feb 04,2010
» Step 3-3 Configure Crypto ACLs
by alperen posted on Sep 27,2009
» Extended Access Lists
by alperen posted on Mar 24,2010
» Conduit Statements
by alperen posted on Feb 04,2010
Did you enjoy this article?
1 2 3 4 5
(total 0 votes)

comment Comments (0 posted) 

More Top News
CCSP-Cisco Certified Security Professional
arrow Cisco SAFE Implementation
arrow Preparation Documents
arrow Exam Topics
arrow Skills Required for the Exam
arrow Cisco SAFE Implementation Questions and Answers
arrow Access Control Lists Cisco
arrow Access List Basics
arrow Standard Access Lists
arrow Verifying ACLs
arrow Extended Access Lists
arrow TCP Access Lists
arrow UDP Access Lists
arrow ICMP Access Lists
arrow Named Access Lists
arrow Signature and Alarm Management Review
arrow Signature and Alarm Management Review Questions and Answers
arrow Event Viewer
arrow Managing Alarms
arrow Event Viewer Customization
arrow Preference Settings
arrow Sensor Installation
arrow Connecting to Your Network Sensor Appliance
arrow Sensor Bootstrap
arrow Sensor Installation and Configuration Review
arrow Sensor Installation and Configuration Questions and Answers
arrow Signature and Alarm Management
arrow CIDS Signatures
arrow Signature Series
arrow Signature Implementations
arrow Signature Classes
arrow Signature Types
arrow Signature Severity
Most Popular
Most Commented
Featured Author

alperen

image
<| Cisco Articles | Maximum Learning | All Cisco-Network Study Notes | Privacy Policy |>
Website Statistics
If you think you own the material being used without permission, contact alperenmad[at]hotmail.com. material will be removed from the site.