Articles tagged with: ACL
As any network administrator will tell you, the ASA Security appliance (as well as its forerunner, the PIX) is capable of generating massive amounts of log messages, especially when the firewall/security appliance is set to log messages at debug level to the syslog server. This post will focus on one such source of a high […]
Now that the official announcement of ASA Software Release 8.3 is several weeks old, this post will serve to comment on the enhancements/improvements/requirements of this code. Future posts will comment on exploring the details of specific modifications and improvements of this package as compared to earlier security appliance software. The first very notable concern for a […]
As you may recall, we can use extended IP ACLs to filter packets based on source address, destination address, transport layer protocols, and other options, as follows: access-list 106 permit tcp host 1.2.3.4 host 5.6.7.8 eq telnet For a packet to be permitted by ACL 106, the following must be true: The transport layer protocol is TCP […]
Having discussed general ACL rules and syntax, let’s now turn to the differences between standard and extended ACLs. As you might recall, numbered ACLs fall into several ranges: 1 – 99: Standard IP; 100 – 199: Extended IP; 1300 – 1999: Standard IP (expanded range); 2000 – 2699: Extended IP (expanded range); other ranges for other protocols. Originally, the ranges for standard and […]
Welcome back! This time we’ll look at additional tips and tricks when using standard IP ACLs. Let’s suppose that we’re given ACL 10 (the lines have been labeled “A” through “E” to facilitate the upcoming discussion): A. access-list 10 permit 10.1.2.3 B. access-list 10 deny 10.1.2.0 0.0.0.255 C. access-list 10 permit 10.1.0.0 0.0.255.255 D. access-list […]
Now that we know the basics of standard IP access lists from previous posts, let’s learn some more about them. As our first example, we’ll write an ACL 6 that permits packets sourced by the host with IP address 192.168.100.123, thus: Router(config)#access-list 6 permit 192.168.100.123 We could also do this using a wildcard mask: Router(config)#access-list 6 […]
In ACLs — Part 1 we learned the basics of access lists, including the facts that ACLs: Are created in global config mode End with an implicit “deny any” (which can be overridden) Must be placed into service somewhere to have any effect Thus, the commands: Router#conf t Router(config)#access-list 3 deny 172.16.1.1 Router(config)#access-list 3 deny 172.16.1.2 Router(config)#access-list 3 […]
Welcome back! This time, we’ll take a look at access control lists, often referred to as “access lists” or “ACLs” (sometimes pronounced “ackels”). In Cisco IOS, ACLs are used for many things, including but not limited to: Filtering data packets (“firewalling”) Controlling Telnet or SSH access to a router or switch Filtering routing protocols Specifying […]