Basic ACL Statements
Feb 04, 2010 00:00 by alperen

PIX ACLs can be used to control connections based on source address, destination address, or protocol information. Because many ACLs are created to allow outside access into the more secure areas of the network, configuring them carefully to allow only the minimum access required is important. Whenever possible, configure ACLs more restrictively by specifying a remote source address, local destination address, and the protocol used, thereby reducing the likelihood of unwanted additional traffic. The any and host keywords are implemented the same as in IOS ACLs. Use the no form of the command to remove the ACL entry. The basic syntax is

Pix(config)# access-list acl_id {deny | permit} protocol {source_addr | local_addr}
{source_mask | local_mask} [operator port [port_id]] {dest_addr | remote_addr}
{dest_mask | remote_mask} [operator port [port_id]]

acl_id

ACL name. This can be either a name or a number.

permit

Used with the access-group command, permit allows the packet to traverse the PIX Firewall. Default is to deny all inbound or outbound traffic.

Used with a crypto map command, permit selects a packet for IPSec protection using the policy described by the corresponding crypto map command statements.

deny

Used with the access-group command, deny doesn’t allow a packet to traverse the PIX Firewall. Default is to deny all inbound or outbound traffic.

Used with a crypto map command statement, deny prevents the traffic from being protected by IPSec in the context of that particular crypto map entry.

protocol

Name or number of an IP protocol. Choices include one of the keywords ip, tcp, udp, icmp, or an integer (1 to 254) representing an IP protocol number. Use keyword ip to include IP, ICMP, TCP, and UDP.

source_addr

Source network or host address. Use with ACL statements for the access-group, aaa match access-list, and aaa authorization commands.

local_addr

Network or host address local to the PIX Firewall. Use local_addr with ACL statements for a crypto access-list statement, a nat 0 access-list statement, or a vpngroup split-tunnel statement.

source_mask

Netmask to be applied to source_addr.

local_mask

Netmask to be applied to local_addr.

operator

Comparison operator: lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). An ACL entry with no operator and port matches all ports.

port port_id

Keyword followed by port identifier. Can be a number (0 to 65,535) or a literal, such as www (port 80) or smtp (port 25).

dest_addr

Destination network or host address. Use with ACL statements for the access-group, aaa match access-list, and aaa authorization commands.

remote_addr

Network or host address remote to the PIX Firewall. Use remote_addr with ACL statements for a crypto access-list statement, a nat 0 access-list statement, or a vpngroup split-tunnel statement.

dest_mask

Netmask to be applied to dest_addr.

remote_mask

Netmask to be applied to remote_addr.

In the following example, a static mapping is created for a server, and then outside users are allowed to access that global address for web and FTP activities.

Pix(config)# static (dmz,outside) 1.1.1.3 192.168.2.3
Pix(config)# access-list tcp_ok permit tcp any host 1.1.1.3 eq www
Pix(config)# access-list tcp_ok permit tcp any host 1.1.1.3 eq ftp
Pix(config)# access-group tcp_ok in interface outside
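To show how the syntax above is applied, here is an added Python model (not code from the original post or from the PIX itself) that parses access-list entries in that form and evaluates a packet against them with first-match, implicit-deny semantics, using the tcp_ok list from the example; the port-name table, the sample packets and the handling of a source-port clause (treated the same way as the destination clause) are assumptions of the example.

```python
import ipaddress

# Literal port names used on the page; a real PIX knows many more.
PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25}

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")  # PIX masks are netmasks

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _port_test(tokens):
    """Consume an optional '<operator> port [port]' clause; no operator means all ports."""
    if not tokens or tokens[0] not in ("lt", "gt", "eq", "neq", "range"):
        return lambda p: True
    op, a = tokens.pop(0), _port(tokens.pop(0))
    if op == "range":
        b = _port(tokens.pop(0))
        return lambda p: a <= p <= b
    return {"lt": lambda p: p < a, "gt": lambda p: p > a,
            "eq": lambda p: p == a, "neq": lambda p: p != a}[op]

def parse_ace(line):
    """Parse 'access-list <id> {permit|deny} <proto> <src> [op port] <dst> [op port]'."""
    _, acl_id, action, proto, *rest = line.split()
    src, sport = _addr(rest), _port_test(rest)
    dst, dport = _addr(rest), _port_test(rest)
    return acl_id, {"action": action, "proto": proto, "src": src, "sport": sport,
                    "dst": dst, "dport": dport}

def evaluate(aces, proto, src_ip, dst_ip, sport=0, dport=0):
    """First matching entry decides; falling off the end is the PIX's implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if (ace["proto"] in ("ip", proto) and src in ace["src"] and dst in ace["dst"]
                and ace["sport"](sport) and ace["dport"](dport)):
            return ace["action"]
    return "deny"

# Constructed sample: the tcp_ok list from the example above, in entry order.
TCP_OK = [parse_ace(line)[1] for line in (
    "access-list tcp_ok permit tcp any host 1.1.1.3 eq www",
    "access-list tcp_ok permit tcp any host 1.1.1.3 eq ftp",
)]
```

Anything the list does not explicitly permit (SSH to the server, UDP, or any other destination) falls through to the implicit deny, which is why the page recommends naming the protocol, destination and port in every entry.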