How to Configure Access Control Lists on a Cisco ASA 5500 Series Firewall

An Access Control List (ACL) is the central configuration feature to enforce security rules on your network.

The Cisco ASA 5500 is the new Cisco firewall model series which followed the successful Cisco PIX firewall appliance. Cisco calls the ASA 5500 a “security appliance” instead of just a “hardware firewall”, because the ASA is not just a firewall. This device combines several security functionalities, such as Intrusion Detection, Intrusion Prevention, Content Inspection, Botnet Inspection, in addition to the firewall functionality.

However, the core ASA functionality is to work as a high performance firewall. All the other security features are just complimentary services on top of the firewall functionality. Having said that, the purpose of a network firewall is to protect computer and IT resources from malicious sources by blocking and controlling traffic flow. The Cisco ASA firewall achieves this traffic control using Access Control Lists (ACL).

An ACL is a list of rules with permit or deny statements. Basically an Access Control List enforces the security policy on the network. The ACL (list of policy rules) is then applied to a firewall interface, either on the inbound or on the outbound traffic direction. If the ACL is applied on the inbound traffic direction (in), then the ACL is applied to traffic entering a firewall interface. The opposite happens for ACL applied to the outbound (out) direction.

The ACL permit or deny statements basically consist of source and destination IP addresses and ports. A permit ACL statement allows the specified source IP address/network to access the specified destination IP address/network. The opposite happens for deny ACL statements. At the end of the ACL, the firewall inserts by default an implicit DENY ALL statement rule which is not visible in the configuration.

The basic command format of the Access Control List is the following:
ciscoasa(config)# access-list “access_list_name” extended {deny | permit} protocol “source_address” “mask” [source_port] “dest_address” “mask” [ dest_port]

To apply the ACL on a specific interface use the access-group command as below:
ciscoasa(config)# access-group “access_list_name” [in|out] interface “interface_name”

Example 1:

Allow only http traffic from inside network to outside internet

ciscoasa(config)# access-list HTTP-ONLY extended permit tcp any eq 80

ciscoasa(config)# access-group HTTP-ONLY in interface inside

The name “HTTP-ONLY” is the Access Control List itself, which in our example contains only one permit rule statement. Remember that there is an implicit DENY ALL rule at the end of the ACL which is not shown by default.

Example 2:

Deny telnet traffic from host to host and allow everything else.
ciscoasa(config)# access-list DENY-TELNET extended deny tcp host host eq 23

ciscoasa(config)# access-list DENY-TELNET extended permit ip host host

ciscoasa(config)# access-group DENY-TELNET in interface inside

The above example ACL (DENY-TELNET) contains two rule statements, one deny and one permit. As we mentioned above, the “access-group” command applies the ACL to an interface (either to an inbound or to an outbound direction).

Example 3:

The example below will deny ALL TCP traffic from our internal network towards the external network Also, it will deny HTTP traffic (port 80) from our internal network to the external host All other traffic will be permitted from inside.
ciscoasa(config)# access-list INSIDE_IN extended deny tcp

ciscoasa(config)# access-list INSIDE_IN extended deny tcp host eq 80

ciscoasa(config)# access-list INSIDE_IN extended permit ip any any

ciscoasa(config)# access-group INSIDE_IN in interface inside

4 Responses

  1. love spells says:

    What’s up,I log on to your new stuff named “How to Configure Access Control Lists on a Cisco ASA 5500 Series Firewall | Scott Brant” daily.Your story-telling style is witty, keep doing what you’re doing! And you can look our website about love spells.

Leave a Reply