How to Create and Manage Access-Control Lists on Cisco ASA and PIX Firewalls
Access Control Lists (ACLs) are sequential lists of permit and deny conditions applied to traffic flows on a device interface. ACLs match traffic on various criteria, including protocol type, source IP address, destination IP address, source port number, and/or destination port number.
ACLs can be used to filter traffic for various purposes, including security, monitoring, route selection, and network address translation. ACLs are comprised of one or more Access Control Entries (ACEs). Each ACE is an individual line within an ACL.
ACLs on a Cisco ASA Security Appliance (or a PIX firewall running software version 7.x or later) are similar to those on a Cisco router, but not identical. Firewalls use real subnet masks instead of the inverted (wildcard) mask used on a router. ACLs on a firewall are always named instead of numbered and are assumed to be an extended list.
The syntax of an ACE is relatively straightforward:
ciscoasa(config)# access-list name [line number] [extended] {permit | deny} protocol source_IP_address source_netmask [operator source_port] destination_IP_address destination_netmask [operator destination_port] [log [[disable | default] | [level]] [interval seconds]] [time-range name] [inactive]
Here's an example:
asa(config)# access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq www
asa(config)# access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq 443
asa(config)# show access-list demo1
access-list demo1; 2 elements
access-list demo1 line 1 extended permit tcp 10.1.0.0 255.255.255.0 any eq www
access-list demo1 line 2 extended permit tcp 10.1.0.0 255.255.255.0 any eq https
In the above example, an ACL called "demo1" is created in which the first ACE permits TCP traffic originating on the 10.1.0.0 subnet to go to any destination IP address with the destination port of 80 (www). In the second ACE, the same traffic flow is permitted for destination port 443. Notice in the output of show access-list that line numbers are displayed and the extended keyword is also included, even though neither was included in the configuration statements; port 443 is likewise displayed by its name, https.
You can deactivate an ACE without deleting it by appending the inactive option to the end of the line.
As with Cisco routers, there is an implicit "deny any" at the end of every ACL. Any traffic that is not explicitly permitted is implicitly denied.
**Editing ACLs and ACEs**
New ACEs are appended to the end of the ACL. If, however, you want to insert the new ACE at a particular location within the ACL, you can add the line number parameter to the ACE:
asa04(config)# access-list demo1 line 1 deny tcp host 10.1.0.2 any eq www
asa04(config)# show access-list demo1
access-list demo1; 3 elements
access-list demo1 line 1 extended deny tcp host 10.1.0.2 any eq www
access-list demo1 line 2 extended permit tcp 10.1.0.0 255.255.255.0 any eq www
access-list demo1 line 3 extended permit tcp 10.1.0.0 255.255.255.0 any eq https
Notice in the first line of the example above that an ACE is added at line one in the ACL. Notice in the output from the show access-list demo1 command that the new entry is placed in the first position in the ACL and the former first entry becomes line number two. Because the firewall evaluates ACEs top-down and stops at the first match, this ordering matters: a deny placed at line 1 takes effect before the broader permit that follows it.
You can remove an ACE from an ACL by preceding the ACE configuration statement with the modifier no, as in the following example:
asa04(config)# no access-list demo1 deny tcp host 10.1.0.2 any eq www
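To make the first-match, line-insertion and implicit-deny behaviour described above concrete, here is an added example (not Cisco code and not from the original article) that models how the firewall evaluates the demo1 ACL. It handles only the subset of the syntax used on this page (host/any/subnet-mask addresses, eq ports, line N, extended, inactive); the test traffic addresses are constructed.

```python
import ipaddress

# Added example: a minimal model of ASA ACL evaluation, not vendor code.
# Port names are resolved the way the show output normalizes them.
PORT_NAMES = {"www": 80, "http": 80, "https": 443}

def parse_ace(text):
    """Parse one ACE: access-list NAME [line N] [extended] ACTION PROTO SRC DST [eq PORT] [inactive].
    Returns (line_number_or_None, ace_dict)."""
    tok = text.split()
    i, line = 2, None                    # skip 'access-list <name>'
    if tok[i] == "line":
        line, i = int(tok[i + 1]), i + 2
    if tok[i] == "extended":
        i += 1
    ace = {"action": tok[i], "proto": tok[i + 1]}
    i += 2
    for side in ("src", "dst"):
        if tok[i] == "any":
            ace[side], i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        elif tok[i] == "host":
            ace[side], i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        else:                            # real subnet mask, not a router-style wildcard
            ace[side], i = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2
    ace["dst_port"] = None               # None means any destination port
    if i < len(tok) and tok[i] == "eq":
        ace["dst_port"] = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    ace["inactive"] = tok[-1] == "inactive"
    return line, ace

def build_acl(statements):
    """Apply statements in configuration order: 'line N' inserts at position N, otherwise append."""
    acl = []
    for stmt in statements:
        line, ace = parse_ace(stmt)
        acl.insert(line - 1 if line else len(acl), ace)
    return acl

def evaluate(acl, proto, src, dst, dst_port):
    """First matching active ACE wins; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, start=1):
        if ace["inactive"] or ace["proto"] not in (proto, "ip"):
            continue
        if src in ace["src"] and dst in ace["dst"] and ace["dst_port"] in (None, dst_port):
            return ace["action"], n      # action and the line number that matched
    return "deny", None                  # implicit 'deny any' at the end of every ACL
```

Running evaluate over the three-line demo1 ACL shows host 10.1.0.2 denied on port 80 by line 1 while the rest of the subnet is permitted by lines 2 and 3, and any other traffic hits the implicit deny.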
In my next article, I'll show you how to use time-ranges to apply access-control lists only at certain times and/or on certain days. I'll also show you how to use object-groups with access-control lists to simplify ACL management by grouping similar components such as IP addresses or protocols together.
Copyright (c) 2008 Don R. Crawley