
Changing an ACL on a Cisco Firewall

Although changing an ACL on a firewall is almost exactly like doing so on a router, there are a couple of nuances people should know. Here are some tips and best-practice material.


1. When you remove an access-list, it is automatically removed from the interface. (This is a nice change from routers, where you have the potential to lock yourself out.)

2. Firewalls don’t use wildcard masks!!!

3. Only one access-list, in one direction, is allowed on an interface.

4. Access-lists are re-applied to an interface with the following syntax:

access-group [access-list name] [in / out] interface [interface name]
e.g. access-group outgoing out interface outside

5. It’s a best practice to remove the entire access-list, alter it in Notepad, then re-apply it to the interface.

6. As with all access-lists, the PIX reads them from top to bottom, so pay attention to the order in which you place your statements.

7. As with all access-lists, there is an implicit deny-all statement at the end of every access-list.

8. The syntax for a normal access-list statement is:
access-list [access-list name / number] [permit / deny] [ip / tcp / udp / icmp, etc.] [source] [destination] [eq [port]]
e.g. access-list 12 permit ip 192.168.1.10 255.255.255.255 any
access-list 101 permit tcp any host 192.168.1.24 eq telnet
access-list blocker deny icmp any any
access-list acl_out permit tcp any host 192.168.1.50 eq 80
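As an added example that is not part of the original article, the following Python script lints an access-list drafted in a text editor (tip 5) before it is re-applied with access-group: it rejects router-style wildcard masks (tip 2) and reports statements that can never match because an earlier statement already covers their traffic (tip 6). The sample ACL, the function names and the support for only the eq port operator are assumptions of this example.

```python
import ipaddress

# Constructed sample ACL, drafted in a text editor (tip 5): line 2 has a wildcard mask, line 3 is dead.
SAMPLE_ACL = """\
access-list acl_out permit ip 192.168.1.0 255.255.255.0 any
access-list acl_out permit tcp 192.168.1.0 0.0.0.255 any eq 25
access-list acl_out permit tcp host 192.168.1.10 any eq 80
"""

def is_subnet_mask(mask):
    # Contiguous ones from the top; ipaddress would silently accept a wildcard like 0.0.0.255 (tip 2).
    inv = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return inv & (inv + 1) == 0

def parse_addr(tokens):
    # Consume 'any' | 'host A' | 'A MASK', then an optional 'eq PORT'; return (net, port, rest).
    if tokens[0] == "any":
        tokens = ["0.0.0.0", "0.0.0.0"] + tokens[1:]
    elif tokens[0] == "host":
        tokens = [tokens[1], "255.255.255.255"] + tokens[2:]
    if not is_subnet_mask(tokens[1]):
        raise ValueError(f"{tokens[1]} is a wildcard mask; the PIX expects a subnet mask")
    net, rest = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]
    port, rest = (rest[1], rest[2:]) if rest[:1] == ["eq"] else (None, rest)
    return net, port, rest

def parse_rule(line):
    t = line.split()  # access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("unrecognised access-list line")
    src, _, rest = parse_addr(t[4:])  # a source port does not affect the shadow check below
    dst, port, _ = parse_addr(rest)
    return {"proto": t[3], "src": src, "dst": dst, "port": port}

def covers(earlier, later):
    # Every packet matching `later` already matched `earlier`: top-to-bottom evaluation (tip 6).
    return (earlier["proto"] in ("ip", later["proto"]) and earlier["port"] in (None, later["port"])
            and later["src"].subnet_of(earlier["src"]) and later["dst"].subnet_of(earlier["dst"]))

def check_acl(text):
    """Return (errors, shadowed): [(line, message)] and [(dead line, earlier line that covers it)]."""
    errors, rules, shadowed = [], [], []
    for no, line in enumerate(text.strip().splitlines(), 1):
        try:
            rules.append((no, parse_rule(line)))
        except (ValueError, IndexError) as e:
            errors.append((no, str(e)))
    for i, (no, later) in enumerate(rules):
        shadowed += [(no, p) for p, earlier in rules[:i] if covers(earlier, later)]
    return errors, shadowed
```

Running check_acl(SAMPLE_ACL) flags line 2 for its wildcard mask and reports line 3 as shadowed by line 1, so the two statements can be fixed in the editor before the list is re-applied.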
