Changing an ACL on a Cisco Firewall

Posted February 6, 2006 by aaronm in Cisco firewall

Although changing an ACL on a Firewall is almost exactly like a router, there are a couple nuances that people should know. Here are some tips and best practice material.

1. When you remove an access-list, it is automatically removed from the interface. *This is a nice change from routers where you have the potential to lock yourself out.

2. Firewalls don’t use wildcard masks!!!

3. Only one access-list, in one direction, is allowed on an interface.

4. Access-list are re-applied to an interface with the following syntax:

access-group [access-list name] [in / out] interface [interface name]
i.e. access-group outgoing out interface outside

5. It’s a best practice to remove the entire access-list and alter it in notepad, then re-apply it to the interface.

6. As with all access-lists, the PIX reads it from top to bottom, so pay attention to the order you place your statements.

7. As with all access-lists, there is an implicit deny all statement at the end of all access-lists.

8. The syntax for a normal access-list statement is;
access-list [access-list name / number] [permit / deny] [tcp / udp/ icmp(ect)] [source] [destination] eq [port]
i.e. #access-list 12 permit any
#access-list 101 permit tcp any host eq telnet
# access-list blocker deny icmp any any
# access-list acl_out permit tcp any host eq 80

The Conversation

Follow the reactions below and share your own thoughts.