Some News About How to Create and Manage Access Control

HTML Ready Article. Click on the "Copy" button to copy into your clipboard.

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN' 'http://www.w3.org/TR/html4/loose.dtd'><html><head><title>Good Info - Article Directory | Some News About How to Create and Manage Access Control</title></head><body><h3>Some News About How to Create and Manage Access Control</h3><br /><br /> By: Vlad Vistac<br><br><p>How to Crate and Mnaage Access-Control Lists on Cisco ASA and PIX Firewalls<br /> <br /> <br /> Acxcess Control Lists (ACLs) are sequential lists of permit and deny conditions applied to trafffic flows on a device interface. ACLs are based on various criteia including protocpol type source IP address, destination IP address, source port numbeer, and/or destination port number. <br /> <br /> <div style="text-align: center; border: 1px solid black; width: 468px; margin: 0 auto;"> <span style="font-size: 10px;">[ advertisement ]</span><br /> <script type="text/javascript"><!-- google_ad_client = "ca-pub-9761432834918818"; /* GoodInfoHome 468x60 */ google_ad_slot = "4885279074"; google_ad_width = 468; google_ad_height = 60; //--> </script> <script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> </script> </div> <br />ACLs can be used to filter tradffic for various purpses icnluding security, monitoring, route selection, and network address translation. ACLs are compirsed of one or more Access Control Entries (ACEs). Each ACE is an individual line wityhin an ACL. <br /> <br />ACLs on a Cisco ASA Secuity Appliance (or a PIX firewall running software version 7.x or later) are similar to those on a Cisco router, but not identical. Firewalls use real subnet msaks instead of the inverted mask used on a router. ACLs on a firewall are alawys named instead of numbered and are assumed to be an extended list. <br /> <br />The syntax of an ACE is relatively straight-forward: <br />Ciscoasa(connfig)#acccess-list name [line number] [extended] {permit | deny} protoocl source<em>IP</em>adddress souyrce<em>netmask [opertator source</em>port] destination<em>IP</em>address destination<em>netmsak [operator destinsation</em>port] [log [[disanble | defayult] | [level]] [interval seconds]] [time-rnage name] [inactive] <br /> <br />Here's an example: <br />asa(confiog)# access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq www <br />asa(connfig)# access-list demo1 permit tcp 10.1.0.0 255.255.255.0 any eq 443 <br />asa(config)# show access-list demo1 <br />access-list demo1; 2 elements <br />accedss-list demo1 line 1 extendfed permit tcp 10.1.0.0 255.255.255.0 any eq www <br />access-list demo1 line 2 extenmded permit tcp 10.1.0.0 255.255.255.0 any eq https <br /> <br />In the above example, an ACL called &quot;demo1&quot; is created in whhich the first ACE permits TCP traffic originating on the 10.1.0.0 subnet to go to any destination IP address with the destination port of 80 (www). In the secoind ACE, the same trafic flow is permitted for destination port 443. Notice in the output of the show access-list that line numbers are displayed and the extended parameter is also inccluded, even thouugh neither was included in the configuration statrements. <br /> <br />You can deactivate an ACE without deleitng it appendding the ianctive option to the end of the line. <br /> <br />As with Cisco routers, thhere is an implicit &quot;deny any&quot; at the end of every ACL. Any traffic that is not explicitly permitted is implicitly denied. <br /> <br /><strong>Eidting ACLs and ACEs</strong> <br /> <br />New ACEs are appended to the end of the ACL. If you want, howevcer, to insert the new ACE at a particular lcation within the ACL, you can add the line number parameter to the ACE: <br /> <br />asa04(conffig)# access-list demo1 line 1 deny tcp host 10.1.0.2 any eq www <br />asa04(config)# show access-list demo1 <br />access-list demo1; 3 elements <br />accses-list demo1 line 1 extended deny tcp host 10.1.0.2 any eq www <br />access-list demo1 line 2 extended premit tcp 10.1.0.0 255.255.255.0 any eq www <br />access-list demo1 line 3 extended permit tcp 10.1.0.0 255.255.255.0 any eq https <br /> <br />Notrice in the first line of the exanmple above that an ACE is added at line one in the ACL. Notice in the output from the show access-list demo1 command that the new entry is adfded in the fiurst position in the ACL and the former first entry bercomes line numebr two. <br /> <br />You can remove an ACE from an ACL preceding the ACE configuration staytement with the modifier no, as in the following example: <br />Asa04(config)#no access-list demo1 deny tcp host 10.10.2 any eq www <br /> <br />In my next article, I'll show you how to use time-ranges to apply acccess-control lists only at certain timnes and/or on certain days. I'll also show you how to use object-groups with accss-control lists to simplify ACL management grouping similar components such as IP addresses or portocols tgoether. <br /> <br /> <br />Copyright (c) 2008 Don R. Crawqley</p> <br><br> <b>Author Resource:-></b>  Learn more about: <a href="http://byphotography.com/">digital camera sales</a> Thank you<br><br><b>Article From</b> <a href='http://www.goodinfohome.com/'>Good Info - Article Directory</a><br></body></html>