Standard ACL

One of the oldest types of ACL is the Standard ACL. Standard ACLs exist on both Cisco routers and ASA firewalls. Unlike the Standard ACL on a Cisco IOS router, which filters traffic using the source IP address in the packet header, the Cisco ASA filters traffic by destination address only. This is the major difference between a Standard ACL on a Cisco router and one on a Cisco ASA firewall.

Creating an ACL is quite simple; however, after creation it must be applied to an interface in a direction, either incoming or outgoing, before it filters any traffic. This may be an effective method for some scenarios. Standard ACLs filter all traffic types (TCP, UDP, IP, and so on) by default, which means that if we are trying to block only HTTP traffic outbound to the internet from within an organization, the Standard ACL would deny all other traffic types as well. This can be inefficient if we are attempting to restrict only a specific traffic type.

Standard ACLs can be numbered or named ACLs. What does this mean? An ACL can be defined by a number. An example would be access-list 10, where ACL 10 would contain Access Control Entries (ACEs). An ACL can contain multiple ACEs; the ACEs are the rules that define what is permitted or denied.

A named ACL is simply what it says: instead of using a number, we can use a suitable name to help us understand the purpose of the ACL on the firewall. This can be convenient when troubleshooting ACLs. For example, we can create an ACL named SSH_Access, and the name will help us understand the purpose of this particular ACL.

Standard numbered ACL ranges are 1-99 or 1300-1999. Extended numbered ACL ranges are 100-199 or 2000-2699. However, the ASA does not enforce the use of these ranges.

Unlike on a Cisco router, the Standard ACL has a very limited purpose on the ASA. Its uses include route maps and Virtual Private Network (VPN) traffic filtering.

The following format is used for creating a Standard ACL on the ASA:

access-list <access list name> standard [permit | deny] [host | any | destination hostname | destination network-ID] [subnet mask]

The Route Map can be used to identify an OSPF destination network. It can be used to control the redistribution of OSPF routes in the ASA.

Let's take a look at the following topology. It consists of four networks, 192.168.1.0/24, 192.168.2.0/24, 172.18.1.0/24, and 172.18.2.0/24:

If we want to deny all traffic going to the Sales Servers, we can create the following Standard ACL:

access-list NO_Access_to_Sales standard deny 172.18.1.0 255.255.255.0
access-list NO_Access_to_Sales standard permit 172.18.2.0 255.255.255.0
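As an added illustration, not taken from the book, the following Python checker parses Standard ACL lines in the ASA syntax shown above and evaluates a destination address against them the way the firewall does: the first matching ACE wins, and an address matched by no ACE falls through to the implicit deny at the end of every ACL. The NO_Access_to_Sales entries are embedded as constructed sample input, and the ACL name and test addresses are my own choices.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample input: the NO_Access_to_Sales ACL in ASA Standard ACL syntax.
SAMPLE_ACL = """
access-list NO_Access_to_Sales standard deny 172.18.1.0 255.255.255.0
access-list NO_Access_to_Sales standard permit 172.18.2.0 255.255.255.0
"""

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    network: ipaddress.IPv4Network  # destination network this ACE matches

def parse_ace(line):
    """Parse one 'access-list <name> standard ...' line into (name, Ace)."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "access-list" or parts[2] != "standard":
        raise ValueError(f"not a standard ACE: {line!r}")
    name, action, target = parts[1], parts[3], parts[4:]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line!r}")
    if target[0] == "any":
        net = ipaddress.IPv4Network("0.0.0.0/0")
    elif target[0] == "host":
        net = ipaddress.IPv4Network(f"{target[1]}/32")
    else:
        # "<destination network-ID> <subnet mask>" form, e.g. 172.18.1.0 255.255.255.0
        net = ipaddress.IPv4Network(f"{target[0]}/{target[1]}", strict=False)
    return name, Ace(action, net)

def load_acls(config_text):
    """Group ACEs by ACL name, preserving configuration order (order matters)."""
    acls = {}
    for line in config_text.splitlines():
        if line.strip():
            name, ace = parse_ace(line.strip())
            acls.setdefault(name, []).append(ace)
    return acls

def evaluate(acl, destination):
    """Return (action, index of the matching ACE); (\"deny\", None) means the
    implicit deny at the end of the ACL applied because nothing matched."""
    dst = ipaddress.IPv4Address(destination)
    for i, ace in enumerate(acl):
        if dst in ace.network:   # Standard ACL on the ASA: destination only
            return ace.action, i
    return "deny", None
```

Running evaluate over the sample ACL shows that 192.168.1.x destinations are dropped by the implicit deny even though no ACE names them, which is why the permit entry for 172.18.2.0/24 matters.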

Let's verify the ACL configuration. The show running-config access-list command displays all the ACLs in the running configuration of the ASA:

ASA-1(config)# show running-config access-list
access-list NO_Access_to_Sales standard deny 172.18.1.0 255.255.255.0
access-list NO_Access_to_Sales standard permit 172.18.2.0 255.255.255.0

To view all configured ACLs on the ASA, we can use the show access-list command:
