How to configure ACLs on the Cisco ASA

August 1, 2009 by · Leave a Comment 

The access control list (ACL) methodology on the Cisco ASA is interface-based. Therefore, each interface must have a specified security level (0-100), with 100 being most secure and 0 being least secure. Once configurations are in place, traffic from a more secure interface is allowed to access less secure interfaces by default. Conversely, less secure interfaces are blocked from accessing more secure interfaces.

Some common commands used to configure Cisco ASA interfaces include:
nameif – used to name the interface
security-level – used to configure the interface’s security level
access-list – used to permit or deny traffic
access-group – applies an ACL to an interface

We can configure an access list to permit or deny traffic, based on a specific port or protocol. With deny-by-default, everything is automatically blocked and must be explicitly allowed.

Let’s say we want to configure an ACL on an ASA to permit all FTP traffic from any host to To do this, we must input the following ACL:

ASA(config)# access-list OUTBOUND permit tcp any host eq ftp

As you can see, we specified TCP, or transmission control the protocol, from any host to only the IP address we want to permit. In addition, we specified only port 21 using eq (equal) and ftp. This is because FTP traffic is sent via port 21.

To view the hit count on our access lists, simply type the command: show access-list OUTBOUND.

To remove the access list, simply type the command: clear access-list OUTBOUND

I hope I haven’t lost you….

A few things to keep in mind…you can only apply one access list per interface, per protocol, per direction. That is, make sure you create two ACL groups, one for outbound and the other for inbound traffic on each interface.

If you’re uncomfortable typing the various syntaxes and are a more visual person, the ASA ASDM is your friend. ASDM stands for Adaptive Security Device Manager. This tool provides a easy to use GUI (graphical user interface) with point and click capabilities. A screenshot of the ASDM is provided below:


Source: Experts-Exchange

If you’re looking to become certified on the CISCO ASA, the new exam covers quite a bit of ASDM material. While many of the previous exams covered nearly all CLI (command line interface) material, the newer versions (Securing Networks with ASA Foundation and Securing Networks with ASA Advanced) focus much more on the ASDM.

For more information on becoming a CISCO ASA Specialist, see their website here.


Warning: Unknown: open(/home/content/30/5076530/tmp/sess_g3t0psijkp013nn8p9q4jfmkr5, O_RDWR) failed: No such file or directory (2) in Unknown on line 0

Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct () in Unknown on line 0