ACL

    The Cisco ASA firewall uses access-lists that are similar to the ones on IOS routers and switches. Without any access-lists, the ASA allows traffic from a higher security level to a lower security level and drops all other traffic. If you have no idea what security levels on the ASA are about then read this post first.

    Access-lists are created globally and then bound to an interface with the access-group command, in either the inbound or the outbound direction.

    There are a couple of things you should know about access-lists on the ASA:

    • When you create an ACL statement for outbound traffic (higher to lower security level), the source IP address is the real address of the host or network (not the NAT-translated one).
    • When you create an ACL statement for inbound traffic (lower to higher security level), the destination IP address has to be:
    1. The translated (mapped) address for any ASA version before 8.3.
    2. The real address for ASA 8.3 and newer.

    NOTE : Before 8.3 the inbound access-list was evaluated before NAT, which is why it had to name the translated address. From 8.3 on, the packet is untranslated before the access-list check, so every access-list entry, in either direction, names real addresses.

    The Adaptive Security Algorithm checks only the first packet of a session against the access-list. Subsequent packets of an established session are matched against the connection table and handled in the fast path, so the ACL is not evaluated again for them; this also means that a newly added deny entry does not tear down connections that already exist (use clear conn if it should). ACLs are needed to permit traffic that must be initiated from a lower security level interface to a higher one, and can also be used to restrict traffic that the security levels would otherwise allow. Only one ACL can be applied to a given interface in a given direction.

    To allow connections coming in on the OUTSIDE interface (lower security level) to host X.X.X.X:

    • Create the ACL for the interesting traffic entering the ASA through the OUTSIDE interface. X.X.X.X is the real address of the host on 8.3 and newer, and its translated address on older versions:

    ASA#conf t
    ASA(config)#access-list outside_in extended permit ip any host X.X.X.X

    • Bind the ACL inbound on the OUTSIDE interface with access-group:

    ASA(config)#access-group outside_in in interface outside

    Permitting ip any opens every protocol and port on the host to the whole Internet; in practice restrict the entry to the protocol and port of the service you are actually exposing.

    To configure an ACL for traffic from the INSIDE interface:

    • Create the ACL for the interesting traffic entering the ASA through the INSIDE interface and destined to host Y.Y.Y.Y (the source addresses are the real inside addresses):

    ASA#conf t
    ASA(config)#access-list inside_in extended permit ip any host Y.Y.Y.Y

    • Bind the ACL inbound on the INSIDE interface with access-group:

    ASA(config)#access-group inside_in in interface inside

    Keep in mind that binding an ACL to the INSIDE interface replaces the default higher-to-lower permit: the implicit deny at the end of the ACL now drops every flow from inside that the ACL does not explicitly permit, so add entries for all the outbound traffic you still want to allow before applying it.
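    The following Python model is an added example, not Cisco code and not part of the original post. It replays the rules above on a constructed scenario (an inside web server 10.1.1.10 statically translated to 192.0.2.10, outside at security level 0 and inside at 100, all hypothetical): with no access-group bound, only higher-to-lower traffic passes; once an ACL is bound, it is first-match with an implicit deny; an inbound (lower-to-higher) ACL is matched against the mapped destination before 8.3 and against the real one from 8.3 on, which is why the same outside_in entry works on 8.2 and silently fails on 8.4 unless the address is changed; and binding inside_in to the inside interface drops the outbound traffic it does not list. The parser only understands the extended syntax with any, host, NET MASK and a numeric eq port.

```python
"""Model of how an ASA admits the first packet of a new session.

Added illustration, not Cisco code and not from the original post.  It models
the security-level default when no ACL is bound, first-match with an implicit
deny when one is, one inbound ACL per interface, and which destination address
an inbound ACL sees before 8.3 (mapped) versus 8.3+ (real).  Interface names,
levels and addresses are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str     # "permit" or "deny"
    proto: str      # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: "int | None"   # destination port, None if unrestricted

def _addr(t):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1]), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}"), t[2:]

def parse_acl_line(line):
    """'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' -> (NAME, Rule)."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    src, rest = _addr(t[5:])
    dst, rest = _addr(rest)
    return t[1], Rule(t[3], t[4], src, dst, int(rest[1]) if rest[:1] == ["eq"] else None)

class Asa:
    def __init__(self, version, levels):
        self.version = version  # e.g. (8, 2) or (8, 4)
        self.levels = levels    # interface name -> security level
        self.acls = {}          # ACL name -> [Rule], in configured order
        self.bound = {}         # interface name -> inbound ACL name

    def configure(self, text):
        for line in text.splitlines():
            t = line.split()
            if not t:
                continue
            if t[0] == "access-list":
                name, rule = parse_acl_line(line)
                self.acls.setdefault(name, []).append(rule)
            elif t[0] == "access-group" and t[2:4] == ["in", "interface"]:
                self.bound[t[4]] = t[1]  # only one inbound ACL per interface
            else:
                raise ValueError(f"unsupported line: {line}")

    def permits(self, ingress, egress, proto, src, real_dst, mapped_dst=None, dport=None):
        """True if a new session entering on `ingress` toward `egress` is admitted.
        `real_dst` is the destination's real address, `mapped_dst` its NAT
        translated address (None when it is not translated)."""
        acl = self.bound.get(ingress)
        if acl is None:  # no ACL bound: only higher-to-lower traffic passes
            return self.levels[ingress] > self.levels[egress]
        # Before 8.3 an inbound (lower-to-higher) ACL was checked before NAT and
        # so saw the mapped address; from 8.3 on it is matched on the real one.
        lower_to_higher = self.levels[ingress] < self.levels[egress]
        dst = mapped_dst if (lower_to_higher and self.version < (8, 3) and mapped_dst) else real_dst
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.acls.get(acl, []):
            if r.proto not in ("ip", proto) or s not in r.src or d not in r.dst:
                continue
            if r.dport is not None and r.dport != dport:
                continue
            return r.action == "permit"  # first match wins
        return False  # implicit deny at the end of every ACL

# Constructed scenario: web server 10.1.1.10 on the inside (level 100) is
# statically translated to 192.0.2.10 on the outside (level 0).
LEVELS = {"outside": 0, "inside": 100}

def inbound_https(version, acl_dst):
    """Can an outside client reach the web server on 443 when the ACL names `acl_dst`?"""
    asa = Asa(version, LEVELS)
    asa.configure(f"""
        access-list outside_in extended permit tcp any host {acl_dst} eq 443
        access-group outside_in in interface outside""")
    return asa.permits("outside", "inside", "tcp", "198.51.100.7",
                       real_dst="10.1.1.10", mapped_dst="192.0.2.10", dport=443)

def outbound_http(with_inside_acl):
    """Can an inside host reach 203.0.113.5:80, with or without an ACL bound to inside?"""
    asa = Asa((8, 4), LEVELS)
    if with_inside_acl:
        # The inside_in example from the text: once bound, the implicit deny drops
        # every flow it does not list, including formerly default-permitted ones.
        asa.configure("""
            access-list inside_in extended permit ip any host 192.0.2.99
            access-group inside_in in interface inside""")
    return asa.permits("inside", "outside", "tcp", "10.1.1.50",
                       real_dst="203.0.113.5", dport=80)
```

    Calling inbound_https with the translated address 192.0.2.10 returns True for version (8, 2) and False for (8, 4); with the real address 10.1.1.10 the result flips, which is the migration pitfall the version rule above describes. outbound_http returns True with no ACL on inside and False once inside_in is bound, because the only entry names 192.0.2.99.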