Changing an ACL on a Cisco Firewall
Although changing an ACL on a PIX/ASA firewall is almost exactly like doing it on a router, there are a couple of nuances worth knowing. Here are some tips and best-practice notes.
1. When you remove an access-list, its access-group binding is removed from the interface as well. This is a nice change from routers, where the interface keeps its ip access-group reference while you rebuild the list line by line, so the implicit deny at the end of a half-built list can lock you out of your own session.
2. Firewalls don’t use wildcard masks! Source and destination networks are written with ordinary subnet masks (192.168.1.0 255.255.255.0, not 192.168.1.0 0.0.0.255), and a single address is written with the host keyword.
3. Only one access-list per direction is allowed on an interface. Binding a different list with access-group in the same direction replaces the old binding rather than adding to it.
4. An access-list is applied (or re-applied) to an interface with the following syntax:
access-group [access-list name] [in / out] interface [interface name]
i.e. access-group outgoing out interface outside
(The out direction exists from PIX 7.0 / ASA onward; PIX 6.x only supports in.)
5. It’s a best practice to pull the entire access-list into notepad, alter it there, and paste it back in one go rather than editing it live line by line. Safer still on 7.x / ASA: paste the edited list under a new name, rebind it with access-group, check it, and only then delete the old list, so the interface never falls back to the default security-level behaviour in between.
6. As with all access-lists, the PIX reads the list from top to bottom and acts on the first matching line, so pay attention to the order of your statements: a broad permit placed above a specific deny makes that deny unreachable.
7. As with all access-lists, there is an implicit deny all statement at the end. Anything not explicitly permitted is dropped, so a list with no permit lines passes nothing.
8. The syntax for a normal access-list statement is:
access-list [access-list name / number] [permit / deny] [ip / tcp / udp / icmp etc.] [source] [destination] [eq port]
The protocol is mandatory on the PIX (there are no standard, source-only lists as on a router), and eq [port] applies only to tcp and udp. Source and destination are written as any, host [address], or [network] [subnet mask]. For example:
access-list 12 permit ip host 192.168.1.10 any
access-list 101 permit tcp any host 192.168.1.24 eq telnet
access-list blocker deny icmp any any
access-list acl_out permit tcp any host 192.168.1.50 eq 80
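Putting the tips above together, here is the complete change sequence as an added example; it is not from the original post. It assumes PIX 7.x / ASA syntax and an interface named outside; the list names acl_out_v1 (current) and acl_out_v2 (replacement) and all addresses are placeholders.

```cisco
! Added example, not from the original post. Assumes PIX 7.x / ASA syntax.
! acl_out_v1, acl_out_v2, the interface name and all addresses are placeholders.
! Lines beginning with ! are ignored when pasted into config mode.

! 1. Capture the current list and its interface binding before touching anything.
show running-config access-list acl_out_v1
show running-config access-group
!    -> access-group acl_out_v1 in interface outside

! 2. Edit the list in notepad and paste it back under a NEW name.
!    Subnet masks (not wildcards), a protocol on every line, first match wins:
!    the deny for telnet must sit above the broad permit for the management host,
!    otherwise that permit would match first and the deny would never be reached.
access-list acl_out_v2 remark inbound from the Internet to the DMZ
access-list acl_out_v2 permit tcp any host 192.0.2.50 eq 80
access-list acl_out_v2 permit tcp any host 192.0.2.50 eq 443
access-list acl_out_v2 deny tcp any 192.0.2.0 255.255.255.0 eq telnet
access-list acl_out_v2 permit tcp host 203.0.113.10 192.0.2.0 255.255.255.0
access-list acl_out_v2 deny icmp any any
! (implicit deny ip any any follows; nothing else gets in)

! 3. Rebind. Only one list per direction per interface, so this single command
!    replaces acl_out_v1; the interface is never left without a list.
access-group acl_out_v2 in interface outside

! 4. Check hit counts after a test connection, then remove the old list and save.
show access-list acl_out_v2
clear configure access-list acl_out_v1
! (on PIX 6.x the whole list is removed with: no access-list acl_out_v1)
write memory
```

Step 3 is the point of using a new name: because access-group replaces the existing binding in the same direction, there is no window where the old list has been removed and the new one is not yet bound, which is exactly the window you get when you delete and re-paste under the same name.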