Monday, October 31, 2011

Adding Entries to an Existing ACL on an ASA

Adding Entries (ACEs) to an Existing ACL
You can insert entries (ACEs) into an existing ACL on an ASA by using the line keyword. Line numbers on ASAs work differently than on routers: they are not stored in the config and they will not show up in a show access-list command (the ASA doesn't keep the numbers; they are only used to say where to insert an entry). To insert an entry, count the existing lines and tell the ASA the position where you want the new one to go. The existing line at that position moves down (e.g. if you insert at line 3, the old line 3 becomes line 4, because you have just added a line above it).

! Test ACL
access-list TEST_ACL extended permit ip 10.1.1.1 255.255.255.255 any
access-list TEST_ACL extended permit ip 10.1.1.2 255.255.255.255 any
access-list TEST_ACL extended permit ip 10.1.1.3 255.255.255.255 any

! Implicit Deny

! Deny access from 10.1.1.1 to evil DNS servers 4.2.2.2 and 8.8.8.8. We need this to be above the permit any from 10.1.1.1 so the denies will take effect.
! We can use line numbers to do this (a destination host needs a mask, or the host keyword, just like the source)
access-list TEST_ACL line 1 extended deny ip 10.1.1.1 255.255.255.255 4.2.2.2 255.255.255.255
access-list TEST_ACL line 2 extended deny ip 10.1.1.1 255.255.255.255 8.8.8.8 255.255.255.255
!
! NEW ACL (the two denies now sit above the original line 1, which has moved down to line 3)
access-list TEST_ACL extended deny ip 10.1.1.1 255.255.255.255 4.2.2.2 255.255.255.255
access-list TEST_ACL extended deny ip 10.1.1.1 255.255.255.255 8.8.8.8 255.255.255.255
access-list TEST_ACL extended permit ip 10.1.1.1 255.255.255.255 any
access-list TEST_ACL extended permit ip 10.1.1.2 255.255.255.255 any
access-list TEST_ACL extended permit ip 10.1.1.3 255.255.255.255 any

! Ooops, we forgot to deny access from 10.1.1.2 to these same evil DNS servers
access-list TEST_ACL line 1 extended deny ip 10.1.1.2 255.255.255.255 4.2.2.2 255.255.255.255
access-list TEST_ACL line 2 extended deny ip 10.1.1.2 255.255.255.255 8.8.8.8 255.255.255.255
!
! New New ACL (the earlier denies for 10.1.1.1 have moved down to lines 3 and 4)
access-list TEST_ACL extended deny ip 10.1.1.2 255.255.255.255 4.2.2.2 255.255.255.255
access-list TEST_ACL extended deny ip 10.1.1.2 255.255.255.255 8.8.8.8 255.255.255.255
access-list TEST_ACL extended deny ip 10.1.1.1 255.255.255.255 4.2.2.2 255.255.255.255
access-list TEST_ACL extended deny ip 10.1.1.1 255.255.255.255 8.8.8.8 255.255.255.255
access-list TEST_ACL extended permit ip 10.1.1.1 255.255.255.255 any
access-list TEST_ACL extended permit ip 10.1.1.2 255.255.255.255 any
access-list TEST_ACL extended permit ip 10.1.1.3 255.255.255.255 any

Adding an Extended Access List

An access list is made up of one or more access control entries (ACEs) with the same access list ID. To create an access list you start by creating an ACE and applying a list name. An access list with one entry is still considered a list, although you can add multiple entries to the list.
To add an extended access list or an ACE, enter the following command:

Command:
access-list access_list_name [line line_number] [extended] {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port | icmp_type] [inactive]

Example:
hostname(config)# access-list ACL_IN extended permit ip any any

Purpose:
Adds an extended access control entry.

Options:
The line line_number option specifies the line number at which to insert the ACE. If you do not specify a line number, the ACE is added to the end of the access list. The line number is not saved in the configuration; it only specifies where to insert the ACE.
The extended option adds an ACE.
The deny keyword denies a packet if the conditions are matched. Some features do not allow deny ACEs, such as NAT. See the command documentation for each feature that uses an access list for more information.
The permit keyword permits a packet if the conditions are matched.
The protocol argument specifies the IP protocol name or number. For example UDP is 17, TCP is 6, and EGP is 47.
The source_address argument specifies the IP address of the network or host from which the packet is being sent. Enter the host keyword before the IP address to specify a single address. In this case, do not enter a mask. Enter the any keyword instead of the address and mask to specify any address.
The operator port option matches the port numbers used by the source or destination. The permitted operators are as follows:
lt—less than.
gt—greater than.
eq—equal to.
neq—not equal to.
range—an inclusive range of values. When you use this operator, specify two port numbers, for example: range 100 200.
The dest_address argument specifies the IP address of the network or host to which the packet is being sent. Enter the host keyword before the IP address to specify a single address. In this case, do not enter a mask. Enter the any keyword instead of the address and mask to specify any address.
The icmp_type argument specifies the ICMP type if the protocol is ICMP.
The inactive keyword disables an ACE. To reenable it, enter the entire ACE without the inactive keyword. This feature enables you to keep a record of an inactive ACE in your configuration to make reenabling easier.
(See the access-list extended command in the Cisco Security Appliance Command Reference for more information about command options.)
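To make the line-insertion behaviour from the post and the command syntax from the table above concrete, here is an added example (not code from the original post, and not Cisco's): a small Python model of an ASA extended ACL. It accepts the access-list command form shown above (with or without line N, extended, host/any/mask addresses and the inactive keyword), applies a line N insert the way the ASA does (old line N shifts down, the number itself is never stored), renders the stored form, evaluates a packet first-match with the implicit deny at the end, and flags ACEs that an earlier entry fully covers. It assumes IPv4 only and does not model port operators or ICMP types; the replayed commands and the test packets are the post's own addresses.

```python
# Added example (not from the post, and not Cisco's code): a model of how the ASA
# applies "access-list NAME line N ..." and evaluates the result. Assumes IPv4 only,
# protocols ip/tcp/udp/icmp, addresses as any / host A.B.C.D / A.B.C.D MASK; port
# operators and ICMP types are not modeled.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ACE:
    action: str                       # "permit" or "deny"
    protocol: str                     # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    inactive: bool = False

    def matches(self, proto, src_ip, dst_ip) -> bool:
        return (not self.inactive and self.protocol in ("ip", proto)
                and ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)

    def covers(self, other) -> bool:
        """True if every packet 'other' could match is already matched by self."""
        return (not self.inactive and self.protocol in ("ip", other.protocol)
                and other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst))


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def _fmt_addr(net):
    """Render as the stored config does: any / host X / X MASK."""
    if net.prefixlen in (0, 32):
        return "any" if net.prefixlen == 0 else f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


class ACL:
    def __init__(self, name: str):
        self.name = name
        self.entries: List[ACE] = []

    def add(self, command: str) -> None:
        """Apply one 'access-list NAME [line N] [extended] {deny|permit} ...' command."""
        tokens = command.split()[2:]        # drop "access-list NAME"
        line = None
        if tokens[0] == "line":
            line, tokens = int(tokens[1]), tokens[2:]   # used for placement, never stored
        if tokens[0] == "extended":
            tokens = tokens[1:]
        action, protocol, tokens = tokens[0], tokens[1], tokens[2:]
        src = _parse_addr(tokens)
        dst = _parse_addr(tokens)
        inactive = tokens == ["inactive"]
        if tokens and not inactive:
            raise ValueError(f"unsupported options {tokens} in: {command}")
        ace = ACE(action, protocol, src, dst, inactive)
        if line is None:
            self.entries.append(ace)            # no line keyword: goes to the end
        else:
            self.entries.insert(line - 1, ace)  # old line N becomes line N+1

    def show(self) -> List[str]:
        """The stored form: ordered ACEs, no line numbers."""
        return [f"access-list {self.name} extended {a.action} {a.protocol} "
                f"{_fmt_addr(a.src)} {_fmt_addr(a.dst)}" + (" inactive" if a.inactive else "")
                for a in self.entries]

    def evaluate(self, proto, src_ip, dst_ip) -> Tuple[str, Optional[int]]:
        """First match wins; the implicit deny at the end has no position."""
        for idx, ace in enumerate(self.entries, start=1):
            if ace.matches(proto, src_ip, dst_ip):
                return ace.action, idx
        return "deny", None

    def shadowed(self) -> List[int]:
        """1-based positions of ACEs that an earlier ACE already fully covers."""
        return [i for i, ace in enumerate(self.entries, start=1)
                if any(e.covers(ace) for e in self.entries[:i - 1])]


def build_test_acl() -> ACL:
    """Replay the post's TEST_ACL history, including both rounds of line inserts."""
    acl = ACL("TEST_ACL")
    for cmd in [
        "access-list TEST_ACL extended permit ip 10.1.1.1 255.255.255.255 any",
        "access-list TEST_ACL extended permit ip 10.1.1.2 255.255.255.255 any",
        "access-list TEST_ACL extended permit ip 10.1.1.3 255.255.255.255 any",
        "access-list TEST_ACL line 1 extended deny ip 10.1.1.1 255.255.255.255 4.2.2.2 255.255.255.255",
        "access-list TEST_ACL line 2 extended deny ip 10.1.1.1 255.255.255.255 8.8.8.8 255.255.255.255",
        "access-list TEST_ACL line 1 extended deny ip 10.1.1.2 255.255.255.255 4.2.2.2 255.255.255.255",
        "access-list TEST_ACL line 2 extended deny ip 10.1.1.2 255.255.255.255 8.8.8.8 255.255.255.255",
    ]:
        acl.add(cmd)
    return acl


if __name__ == "__main__":
    print("\n".join(build_test_acl().show()))   # the post's "New New ACL", four denies on top
```

Replaying the seven commands reproduces the post's final ordering, and evaluate() shows why the order matters: a UDP packet from 10.1.1.1 to 8.8.8.8 hits the deny at position 4 before it reaches the permit for 10.1.1.1. Appending a deny without the line keyword instead lands it below the broad permit, where shadowed() reports it as unreachable; that check is the quickest way to spot an ACE that was added in the wrong place.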

1 comment:

boy format said...

Thanks! on the wonderful post