Using Access Lists
If internal users could be allowed to venture unrestricted
into less-secure areas, bringing back whatever they find, and outside access to
the network was absolutely forbidden, it might be possible to get by without
using ACLs.
The PIX Firewall is designed around the default of absolute
security, but it does allow for exceptions to be specifically configured using
access lists. By default, traffic can flow freely from inside to outside, or
from higher security to lower, except that specifically denied by an access
list. Also, by default, all traffic from the outside toward the inside, lower
security to higher, is blocked except that permitted by access lists.
Properly crafted access lists, applied to the proper
interfaces, should allow for creating just the right exceptions to maintain
acceptable security, while enabling activities that are required to further the
organization’s mission. All exceptions created with access lists should conform
to the security policy. In the next sections, you see a variety of access list
implementations.
Access-Group Statement
Use the configuration mode access-group command to apply an access list to an interface. The
ACL is applied to inbound traffic of the interface. If the matching ACL
statement is a Permit option, PIX allows the packet. If the matching ACL
statement is a Deny option or no matching statement exists, PIX discards the
packet and generates a syslog message. Use the no form of the command to remove
the entry. The syntax is
Pix(config)# access-group acl_id in interface int_name
Pix(config)# no access-group acl_id in interface int_name
An access-group command always overrides the
conduit and outbound command statements for the specific interface.
The show access-group command displays the
current access list applied to interfaces.
In the following example, the static command
creates a global address of 1.1.1.3 for a DMZ web server at 192.168.2.3. The
access-list statement allows any outside host to access the global address for
the web server using port 80 (www). The access-group command
applies the access list to traffic entering the outside interface.
Pix(config)# static (dmz,outside) 1.1.1.3 192.168.2.3
Pix(config)# access-list www_ok permit tcp any host 1.1.1.3 eq www
Pix(config)# access-group www_ok in interface outside
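To make the matching rules above concrete, here is an added Python model (not PIX code or anything from the original text) that parses the three configuration lines from the example, plus one constructed deny entry, and decides permit or deny for a packet the way the text describes: first matching entry wins, no match on an applied ACL is an implicit deny, and an interface with no ACL falls back to the higher-to-lower default. The interface security levels, the sample addresses and the deny entry are assumptions for the example.

```python
import ipaddress
# Constructed PIX-style configuration: the page's three lines plus one added deny entry.
CONFIG = """
static (dmz,outside) 1.1.1.3 192.168.2.3
access-list www_ok deny tcp host 203.0.113.66 host 1.1.1.3 eq www
access-list www_ok permit tcp any host 1.1.1.3 eq www
access-group www_ok in interface outside
"""
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}  # assumed interface levels
PORT_NAMES = {"www": 80}

def _addr(t, i):
    """Consume one address spec: 'any', 'host <ip>' or '<net> <mask>'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def parse_config(text):
    """Return (acls, groups, statics): ACL entries, interface bindings, global->real map."""
    acls, groups, statics = {}, {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":      # access-list <id> permit|deny <proto> <src> <dst> [eq <port>]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = None
            if i < len(t) and t[i] == "eq":
                port = int(PORT_NAMES.get(t[i + 1], t[i + 1]))
            acls.setdefault(t[1], []).append((t[2], t[3], src, dst, port))
        elif t[0] == "access-group":   # access-group <id> in interface <if>
            groups[t[4]] = t[1]
        elif t[0] == "static":         # static (<real_if>,<global_if>) <global> <real>
            statics[t[2]] = t[3]
    return acls, groups, statics

def check_packet(config, in_if, out_if, proto, src, dst, dport):
    """Permit/deny for a packet entering in_if: first matching ACL entry wins,
    no match on an applied ACL is an implicit deny, no ACL means the level default."""
    acls, groups, _ = config
    acl_id = groups.get(in_if)
    if acl_id is None:
        return "permit" if SECURITY_LEVEL[in_if] > SECURITY_LEVEL[out_if] else "deny"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, srcnet, dstnet, port in acls[acl_id]:
        if p in ("ip", proto) and s in srcnet and d in dstnet and port in (None, dport):
            return action
    return "deny"
```

Note that the ACL is written against the global address 1.1.1.3 created by the static command, not the server's real DMZ address, which is why the lookup in check_packet compares the destination as it arrives on the outside interface.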