Technology: FIREWALLS
Area: Traffic restrictions
Vendor: CISCO
Software: CISCO ADAPTIVE SECURITY APPLIANCE (ASA), ASA-OS, 8.3+
Platform: CISCO ASA 5500, 5500-X
ACL configuration on the ASA is similar to router configuration, except for how ACLs are processed and how the mask is defined (where the router uses wildcards). The adaptive security algorithm inspects only the first packet belonging to a particular session. Subsequent packets are “known” to the ASA and are switched to the “Fast Path” so as not to utilize ASA resources. ACLs are used to restrict or permit traffic when a transmission needs to be initiated from a lower to a higher security level interface. Only one ACL can be applied to an interface in a given direction.
To configure an ACL that allows connections to host 172.16.1.2, use the commands below:
access-list outside_in extended permit ip any host 172.16.1.2
access-group outside_in in interface outside
Note: in ASA-OS versions after 8.3, when NAT is used, the ACL must point to the real destination address (172.16.1.2 in our case) instead of the mapped IP, as was done in older versions.
Useful verification commands:
ASA2# show run access-list
ASA2# show access-list
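The two ASA-specific points above (network masks rather than router wildcards, and one ACL per interface per direction) can be checked offline before a configuration is pasted into the device. The script below is an added example, not part of the original page or of any Cisco tooling; the sample configuration, the ACL names dmz_in and web_in, and the finding labels are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample configuration, not taken from the original page.
SAMPLE = """\
access-list outside_in extended permit ip any host 172.16.1.2
access-list outside_in extended permit tcp any 172.16.2.0 0.0.0.255 eq 443
access-list dmz_in extended permit ip 172.16.1.0 255.255.255.0 any
access-list web_in extended permit tcp any host 172.16.1.2 eq 80
access-group outside_in in interface outside
access-group web_in in interface outside
"""

# "address mask" pairs; an address that follows "host" carries no mask.
PAIR_RE = re.compile(r"(?<!host )\b(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\b")

def is_netmask(mask):
    """True when the mask is contiguous ones followed by zeros (ASA style)."""
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def audit(config):
    """Return (line_no, finding, detail) tuples; line_no 0 means whole config."""
    findings, bound, applied, defined = [], {}, set(), set()
    for n, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        if tok[:1] == ["access-list"] and len(tok) > 2:
            defined.add(tok[1])
            for _addr, mask in PAIR_RE.findall(line):
                if not is_netmask(mask):  # router-style wildcard, e.g. 0.0.0.255
                    findings.append((n, "wildcard-mask", mask))
        elif tok[:1] == ["access-group"] and len(tok) >= 5 and tok[3] == "interface":
            name, key = tok[1], (tok[4], tok[2])  # (interface, direction)
            applied.add(name)
            if key in bound and bound[key] != name:
                findings.append((n, "duplicate-binding",
                                 f"{name} conflicts with {bound[key]}"))
            bound.setdefault(key, name)
    for name in sorted(defined - applied):  # defined but never applied
        findings.append((0, "unbound-acl", name))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Masks such as 0.0.0.0 and 255.255.255.255 are valid in both notations, so the script does not flag them.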