Friday, January 5, 2007

Pix/ASA: Inserting Access-list Entries

My boss didn't know that on the Pix you can insert an access-list entry in between previous entries. He has always relied on the ASDM to do that.
As I showed him, you can do it via the CLI, and this has always been possible on the Pix since version 6.3.
The first step is to run show access-list.

PIX# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list ACLIN; 3 elements
access-list ACLIN line 1 extended permit tcp any host 172.31.0.10 eq www (hitcnt=0)
access-list ACLIN line 2 extended permit tcp any host 172.31.0.10 eq ftp (hitcnt=0)
access-list ACLIN line 3 extended permit icmp any host 172.31.0.10 (hitcnt=0)

As you can see, it shows the sequence number of each access-list entry. You can then use these numbers to insert a new entry anywhere in the list. Creating a new 'access-list ACLIN line 1' pushes the existing first entry down to line 2. The position matters because the Pix evaluates an access-list top-down and stops at the first match: the specific denies below only take effect because they are inserted above the broader permit for port 80.

PIX# conf t
PIX(config)# access-list ACLIN line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 172.31.0.10 eq www
PIX(config)# access-list ACLIN line 2 extended deny tcp 172.16.0.0 255.255.0.0 host 172.31.0.10 eq www
PIX(config)# access-list ACLIN line 3 extended deny tcp 192.168.0.0 255.255.0.0 host 172.31.0.10 eq www
PIX(config)# ! Without specifying the line number, the PixOS will
PIX(config)# ! place the entry at the end of the access-list
PIX(config)# access-list ACLIN extended deny ip any any log
PIX(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list ACLIN; 7 elements
access-list ACLIN line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 172.31.0.10 eq www (hitcnt=0)
access-list ACLIN line 2 extended deny tcp 172.16.0.0 255.255.0.0 host 172.31.0.10 eq www (hitcnt=0)
access-list ACLIN line 3 extended deny tcp 192.168.0.0 255.255.0.0 host 172.31.0.10 eq www (hitcnt=0)
access-list ACLIN line 4 extended permit tcp any host 172.31.0.10 eq www (hitcnt=0)
access-list ACLIN line 5 extended permit tcp any host 172.31.0.10 eq ftp (hitcnt=0)
access-list ACLIN line 6 extended permit icmp any host 172.31.0.10 (hitcnt=0)
access-list ACLIN line 7 extended deny ip any any log informational interval 300 (hitcnt=0)
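To make the ordering point concrete, here is an added Python model of the two behaviours the session above relies on (an illustration written for this page, not PixOS code): 'line N' inserts ahead of the current entry N and renumbers, a missing line keyword appends, and traffic is evaluated top-down to the first match, so the same denies appended after the permits would never be reached.

```python
import ipaddress

def _addr(tokens):
    """Consume one PIX address spec from the token list: 'any' | 'host A' | 'A SUBNET-MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")

def parse_ace(command):
    """Parse 'access-list NAME [line N] extended ACTION PROTO SRC DST [eq PORT] [log ...]'."""
    tokens = command.split()
    line = int(tokens[3]) if tokens[2] == "line" else None  # optional position; absent means "append"
    del tokens[2:4 if line is not None else 2]
    rest = tokens[5:]                # after: access-list NAME extended ACTION PROTO
    src, dst = _addr(rest), _addr(rest)
    port = rest[1] if rest[:1] == ["eq"] else None
    return line, {"action": tokens[3], "proto": tokens[4], "src": src, "dst": dst, "port": port}

def add_ace(acl, command):
    """'line N' inserts in front of current entry N and pushes the rest down; no line keyword appends."""
    line, ace = parse_ace(command)
    acl.insert(len(acl) if line is None else line - 1, ace)
    return acl

def first_match(acl, proto, src_ip, dst_ip, port=None):
    """Top-down first-match evaluation: (line, action), or (None, 'deny') for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(acl, start=1):
        if ace["proto"] in (proto, "ip") and s in ace["src"] and d in ace["dst"] and ace["port"] in (None, port):
            return n, ace["action"]
    return None, "deny"

def build_aclin(insert_denies=True):
    """Replay the post's session; insert_denies=False appends the denies instead, to show them being shadowed."""
    acl = []
    for cmd in ["access-list ACLIN extended permit tcp any host 172.31.0.10 eq www",
                "access-list ACLIN extended permit tcp any host 172.31.0.10 eq ftp",
                "access-list ACLIN extended permit icmp any host 172.31.0.10",
                "access-list ACLIN line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 172.31.0.10 eq www",
                "access-list ACLIN line 2 extended deny tcp 172.16.0.0 255.255.0.0 host 172.31.0.10 eq www",
                "access-list ACLIN line 3 extended deny tcp 192.168.0.0 255.255.0.0 host 172.31.0.10 eq www",
                "access-list ACLIN extended deny ip any any log"]:
        if not insert_denies:
            cmd = cmd.replace(" line 1", "").replace(" line 2", "").replace(" line 3", "")
        add_ace(acl, cmd)
    return acl
```

Comparing first_match on build_aclin() and build_aclin(insert_denies=False) for a source in 10.0.0.0/8 shows the same deny being hit at line 1 in one case and never reached in the other.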


Access-lists on the IOS also have sequence numbering so you can do the same thing on routers.
