0

I'm shortly going to be in a situation where I'll need to be updating a firewall on the fly. How does one update cisco ASA access lists on the fly? For example, if I start with:

access-list outside_in extended ip deny any any
access-list outside_in extended tcp deny any any
access-list outside_in extended udp deny any any
access-list outside_in extended icmp deny any any

(A little harsh, I know, but bear with me. Out of curiosity, is there an easier way to deny everything?)

and then

access-group outside_in in interface DMZ

then how do I later update the access-list to open, say, port 80? Short of re-writing the entire access list. I can't just add a rule, because packets will be denied by the previous rules. So, I guess what I'm asking is, how do I add a rule to the beginning of an access list?

Thanks!

Nate
  • 151
  • 2
  • 7

2 Answers2

2

Adding line x to a line after the ACL name will insert it at that point in the list.

So, if you have:

access-list outside_in extended udp deny any any
access-list outside_in extended icmp deny any any

and you run:

access-list outside_in line 2 extended tcp deny any any

your config will end up as:

access-list outside_in extended udp deny any any
access-list outside_in extended tcp deny any any
access-list outside_in extended icmp deny any any

IP is inclusive of udp, tcp, and icmp; blocking IP will block all of these. So, in your config above, only the top rule will get hit.

Shane Madden
  • 114,520
  • 13
  • 181
  • 251
  • Thanks! And to remove a rule, is it sufficient to say "no access-list outside_in extended permit tcp any any eq 80" (for example), and have that rule be removed from wherever it shows up in the ACL? – Nate Mar 09 '11 at 16:43
  • @Nate Yup, that will do it. – Shane Madden Mar 09 '11 at 16:45
1

By default Cisco ASA denies everything it is not explicitly allowed. So in your case your could perfectly do a:

access-list OUTSIDE_IN permit tcp any any eq 80
access-group OUTSIDE_IN interface DMZ

and by default everything else is going to be denied. There is an implicit deny ip any any at the end of your access-list.

You would only need and explicit deny ip any any if you want to know the number of packets hitting the access list.

jliendo
  • 1,578
  • 11
  • 13
  • Correct me if I'm wrong, but I believe the default is to permit traffic to less secure networks (lower security level on the interface)? – Shane Madden Mar 09 '11 at 01:57
  • @Shane. You are 100% correct. Traffic from a higher security interface to a lower security interface is allowed by default. From lower to higher it is not. It may very well be that my interpretation of the question was wrong. The way I interpreted it was that @Nate was asking how to block traffic from outside to DMZ. – jliendo Mar 09 '11 at 02:02
  • Fair enough - your guidance is dead on in the context of the question, I just wanted to make sure he knew there's an asterisk on that `deny ip any any`. +1 :) – Shane Madden Mar 09 '11 at 02:07