Changing ASA access lists on the fly


Solution 1

Adding line x after the ACL name will insert the entry at that position in the list.

So, if you have:

access-list outside_in extended deny udp any any
access-list outside_in extended deny icmp any any

and you run:

access-list outside_in line 2 extended deny tcp any any

your config will end up as:

access-list outside_in extended deny udp any any
access-list outside_in extended deny tcp any any
access-list outside_in extended deny icmp any any

IP is inclusive of udp, tcp, and icmp; blocking IP will block all of these. So, in your config above, only the top rule will get hit.

Solution 2

By default the Cisco ASA denies everything that is not explicitly allowed. So in your case you could perfectly well do:

access-list OUTSIDE_IN permit tcp any any eq 80
access-group OUTSIDE_IN in interface DMZ

and by default everything else is going to be denied. There is an implicit deny ip any any at the end of your access-list.

You would only need an explicit deny ip any any if you want to know the number of packets hitting the access list.
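The ordering rules from both solutions, and the `no access-list ...` removal asked about in the comments, are easy to get wrong when editing a live firewall. The following is an added Python model, not ASA code and not from either answer, that parses the extended ACE syntax used on this page (only `any` sources and destinations, a single optional `eq` port) and reproduces first-match evaluation, `line N` insertion, `no` removal and the implicit deny, so a planned change can be checked before it is typed in.

```python
"""Minimal model of Cisco ASA extended ACL behaviour (added illustration).
First match wins, `line N` inserts at that 1-based position, `no ...`
removes the matching ACE wherever it sits, and an implicit deny ip any any
closes every list. Assumption: only `any` addresses and `eq <port>`."""
import re
from dataclasses import dataclass
from typing import List, Optional

ACE_RE = re.compile(
    r"^(?P<neg>no )?access-list (?P<name>\S+)(?: line (?P<line>\d+))?"
    r"(?: extended)? (?P<action>permit|deny) (?P<proto>ip|tcp|udp|icmp)"
    r" (?P<src>any) (?P<dst>any)(?: eq (?P<port>\d+))?$")


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    port: Optional[int]  # None means any destination port


class Acl:
    def __init__(self) -> None:
        self.entries: List[Ace] = []

    def configure(self, cmd: str) -> None:
        """Apply one access-list command exactly as it would be typed."""
        m = ACE_RE.match(cmd.strip())
        if not m:
            raise ValueError(f"unsupported syntax in this model: {cmd}")
        ace = Ace(m["action"], m["proto"], int(m["port"]) if m["port"] else None)
        if m["neg"]:
            self.entries.remove(ace)  # `no` deletes the ACE by content, not position
        elif m["line"]:
            self.entries.insert(int(m["line"]) - 1, ace)  # later entries shift down
        else:
            self.entries.append(ace)  # default: appended at the end

    def evaluate(self, proto: str, dport: Optional[int] = None) -> str:
        """Return 'permit' or 'deny' for a packet, first matching ACE wins."""
        for ace in self.entries:
            proto_ok = ace.proto == "ip" or ace.proto == proto  # ip covers all
            port_ok = ace.port is None or ace.port == dport
            if proto_ok and port_ok:
                return ace.action
        return "deny"  # implicit deny ip any any at the end of every ASA ACL
```

Feeding it the commands from Solution 1 shows the tcp entry landing at line 2, and inserting `permit tcp any any eq 80` at line 1 (rather than appending it after the deny entries) is what actually opens port 80.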


Author: Nate

Updated on September 17, 2022

Comments

  • Nate
    Nate over 1 year

    I'm shortly going to be in a situation where I'll need to be updating a firewall on the fly. How does one update Cisco ASA access lists on the fly? For example, if I start with:

    access-list outside_in extended deny ip any any
    access-list outside_in extended deny tcp any any
    access-list outside_in extended deny udp any any
    access-list outside_in extended deny icmp any any
    

    (A little harsh, I know, but bear with me. Out of curiosity, is there an easier way to deny everything?)

    and then

    access-group outside_in in interface DMZ
    

    then how do I later update the access-list to open, say, port 80, short of rewriting the entire access list? I can't just add a rule, because packets will be denied by the previous rules. So, I guess what I'm asking is, how do I add a rule to the beginning of an access list?

    Thanks!

  • ravi yarlagadda
    ravi yarlagadda about 13 years
    Correct me if I'm wrong, but I believe the default is to permit traffic to less secure networks (lower security level on the interface)?
  • jliendo
    jliendo about 13 years
    @Shane. You are 100% correct. Traffic from a higher security interface to a lower security interface is allowed by default. From lower to higher it is not. It may very well be that my interpretation of the question was wrong. The way I interpreted it was that @Nate was asking how to block traffic from outside to DMZ.
  • ravi yarlagadda
    ravi yarlagadda about 13 years
    Fair enough - your guidance is dead on in the context of the question, I just wanted to make sure he knew there's an asterisk on that deny ip any any. +1 :)
  • Nate
    Nate about 13 years
    Thanks! And to remove a rule, is it sufficient to say "no access-list outside_in extended permit tcp any any eq 80" (for example), and have that rule be removed from wherever it shows up in the ACL?
  • ravi yarlagadda
    ravi yarlagadda about 13 years
    @Nate Yup, that will do it.