For those just getting into the network security arena or into Cisco network security specifically, it can be a little interesting to wrap the mind around all the different technologies and features that can be used to secure the network. Along with these different tools comes a great amount of control that can be used to secure the intended target network (or networks).

Of course, like anything else, it is easy to misconfigure a network security device; however, the difference between misconfiguring a router and a network security firewall is risk. Although the effects of misconfiguring a router can be felt by many, it typically affects the use of an authorized network; the misconfiguration of a network firewall can affect the unauthorized use of a private network, which greatly increases risk. This is what makes the correct configuration of these devices even more important.

The purpose of this article is to review Cisco's Adaptive Security Appliance (ASA) implementation of access control lists (ACL or access list). This article covers ASA access list types, what they control, and a basic review of the configuration syntax used to set them up.

## ASA ACL Types

Because many of the people who transition into Cisco network security have some amount of router experience, much of the review of available ASA ACL types will sound familiar. There are some differences, though, so pay attention to the little things.

Unlike on other platforms, the ASA does not support the use of standard ACLs for controlling traffic. They are used only in some limited Open Shortest Path First (OSPF) configurations.

The majority of ACLs that will most likely be implemented on an ASA use the extended ACL type. As with other platforms, the extended ACL is used to specify both source and destination and can include information about the specific protocol being matched.

Note that when you are configuring an ASA, the ASA does not, by default (implicit rule), allow traffic to flow from a lower-security interface to a higher-security interface. Unless a specific extended ACL is configured, no traffic can flow in this direction (although it is allowed in the other direction). The exception to this is when the traffic is returning from a connection established within the higher-security interface, but this is valid only when the traffic protocol is TCP or UDP. (Internet Control Message Protocol requires a defined rule for both outgoing and returning traffic.)

## EtherType ACLs

EtherType ACLs are used to control traffic that matches a specific EtherType. Note that when configuring an EtherType ACL there is an implicit deny attached. This EtherType ACL statement does not affect IP traffic that was already allowed through an extended ACL.

## ASA ACL Configuration

Because the majority of ASA ACL configurations are going to be using an extended ACL type, this section focuses on the configuration of this type and shows an example of how they can be used to control some basic traffic. Table 1 shows the commands required to set up an extended ACL.

Table 1 - Extended ACL Configuration

1. Create and configure an extended ACL entry (ACE). Repeat as needed.

An important thing to keep in mind is the current configuration of the security levels. Remember that the traffic going from a higher-security level to a lower-security level is permitted by default. The steps shown in Table 2 include all the steps that are required to put this ASA into this configuration.

Table 2 - Extended ACL Configuration Example

| Step | Command |
|------|---------|
| Configure the interface IP addresses. | `asa(config-if)# ip address 172.16.1.1 255.255.255.0` |
| | `asa(config-if)# ip address 192.168.1.1 255.255.255.0` |
| Create and configure an extended ACL entry (ACE). | `asa(config-if)# access-list Left-to-Right extended permit ip host 172.16.1.10 host 192.168.1.100` |
| Apply the ACL to the appropriate interface. The interface-name is matched with the configured nameif value. | `asa(config)# access-group Left-to-Right in interface Left` |

Note that an ACL entry was needed for traffic going from Left to Right. This is because the Left interface was configured with a security level that was lower than that of the Right interface. Remember, again, that traffic is permitted by default (this behavior can be altered) from higher-security levels to lower-security levels.

## Summary

For those with little or no experience, the idea of an ACL can be quite overwhelming. Ensure that enough time is taken when studying to understand how they work and how they are configured to get the intended results.
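The decision rules this article describes (default higher-to-lower permit, the implicit deny once an ACL is applied inbound, return traffic allowed only for established TCP/UDP connections, ICMP needing a rule in both directions) can be checked against the Left/Right example with the small simulator below. It is an added example written for this page, not Cisco code and not an exact model of the ASA; the security levels 0 and 100 for Left and Right and the 172.16.1.20, 172.16.1.50 hosts are assumed, since the page gives neither.

```python
from dataclasses import dataclass, field

@dataclass
class Ace:
    """One access control entry: permit/deny a protocol between two hosts (or any)."""
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every protocol; otherwise "tcp", "udp" or "icmp"
    src: str     # host address or "any"
    dst: str     # host address or "any"

@dataclass
class Asa:
    levels: dict                                 # nameif -> security level
    acls: dict = field(default_factory=dict)     # acl name -> list of Ace
    groups: dict = field(default_factory=dict)   # nameif -> acl applied inbound
    conns: set = field(default_factory=set)      # established TCP/UDP flows

    def access_list(self, name, action, proto, src, dst):
        self.acls.setdefault(name, []).append(Ace(action, proto, src, dst))

    def access_group(self, name, nameif):
        self.groups[nameif] = name

    def _acl_permits(self, name, proto, src, dst):
        for ace in self.acls.get(name, []):
            if ace.proto in ("ip", proto) and ace.src in ("any", src) and ace.dst in ("any", dst):
                return ace.action == "permit"
        return False  # implicit deny at the end of every ACL

    def allow(self, in_if, out_if, proto, src, dst):
        """Decide whether a packet entering in_if toward out_if is forwarded."""
        # Return traffic of a TCP/UDP connection set up the other way passes without
        # an ACE; ICMP gets no such exception and needs a rule in both directions.
        if proto in ("tcp", "udp") and (proto, dst, src, out_if, in_if) in self.conns:
            return True
        if in_if in self.groups:   # an inbound ACL replaces the level-based default
            ok = self._acl_permits(self.groups[in_if], proto, src, dst)
        else:
            ok = self.levels[in_if] > self.levels[out_if]  # higher -> lower by default
        if ok and proto in ("tcp", "udp"):
            self.conns.add((proto, src, dst, in_if, out_if))
        return ok

def build_example():
    # Security levels are assumed (the page only says Left is lower than Right).
    asa = Asa(levels={"Left": 0, "Right": 100})
    asa.access_list("Left-to-Right", "permit", "ip", "172.16.1.10", "192.168.1.100")
    asa.access_group("Left-to-Right", "Left")
    return asa
```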