Access Control Lists (ACLs) are a fundamental aspect of Cisco ASA security policies. They are used to control the flow of traffic through the firewall based on specified conditions. In this section, we'll cover the introduction to ACLs, removing ACLs, using object-group access-lists, and implementing time-based access-lists.
ACLs on Cisco ASA are used to permit or deny traffic based on various criteria, including source and destination IP addresses, protocols, and ports. Here's a basic example of creating an access-list:
# Enter global configuration mode
configure terminal
# Create an access-list to permit traffic from 192.168.1.0/24 to any
access-list acl_inside permit ip 192.168.1.0 255.255.255.0 anyIn this example, acl_inside is the name of the access-list, and it permits traffic from the source network 192.168.1.0/24 to any destination.
To remove an existing ACL, you can use the no form of the access-list command. For example:
# Enter global configuration mode
configure terminal
# Remove an access-list named acl_inside
no access-list acl_insideThis command removes the entire access-list named acl_inside.
Object groups provide a way to simplify ACL configurations by grouping similar objects together. Here's an example:
# Enter global configuration mode
configure terminal
# Create an object group for web services
object-group service web-services
service-object tcp eq www
service-object tcp eq 443In this example, an object group named web-services is created, including TCP services for HTTP (port 80) and HTTPS (port 443). Now, you can use this object group in an access-list:
# Use the object group in an access-list
access-list acl_outside permit object-group web-services anyThis access-list permits traffic from any source to any destination using the specified web services.
Time-based ACLs allow you to control when specific rules are active. Here's an example of a time-based ACL:
# Enter global configuration mode
configure terminal
# Create a time range named "work-hours" from 9 AM to 5 PM on weekdays
time-range work-hours
periodic weekdays 9:00 to 17:00Now, you can use the time range in an access-list:
# Use the time range in an access-list
access-list acl_inside permit ip any any time-range work-hoursThis access-list permits traffic from any source to any destination, but only during the specified time range (weekdays from 9 AM to 5 PM).
These examples cover the introduction to Cisco ASA access-lists, removing access-lists, using object-group access-lists, and implementing time-based access-lists. Customize these configurations based on your specific network requirements and security policies.
Security Levels in Cisco ASA determine the trustworthiness of different networks connected to the firewall. By default, traffic is allowed from higher-security interfaces to lower-security interfaces, but it's denied in the reverse direction. Same Security Level Traffic refers to traffic between interfaces with equal security levels. In this section, we'll explain Security Levels and demonstrate how to permit Same Security Level Traffic.
The Cisco ASA Firewall utilizes "security levels" to define the trustworthiness of interfaces in comparison to one another. A higher security level indicates a higher level of trust for the associated interface. Each interface on the ASA is considered a security zone, and by assigning security levels, different trust levels are established for these security zones.
An interface with a higher security level can access an interface with a lower security level by default. However, traffic in the reverse direction is not allowed unless configured through an access-list.
-
Security Level 0:
- Default assignment: "outside" interface.
- Lowest security level.
- Traffic from the outside interface cannot reach any other interfaces unless explicitly permitted within an access-list.
-
Security Level 100:
- Default assignment: "inside" interface.
- Highest security level.
- The inside interface, by default, can reach all other interfaces.
-
Security Levels 1 – 99:
- Customizable security levels.
- Example: Security level 50 for a DMZ.
- Traffic allowed from inside network to DMZ (security level 100 -> 50).
- Traffic allowed from DMZ to the outside (security level 50 -> 0).
- Traffic from the DMZ to the inside is not allowed by default (security level 50 cannot reach security level 100) unless configured through an access-list.
You can create as many security levels as needed for your network design and security requirements.
To allow traffic between interfaces with the same security level, you need to use the same-security-traffic command. Let's go through the configuration steps:
Assign security levels to your interfaces in global configuration mode. For example:
# Enter global configuration mode
configure terminal
# Set security level for the inside interface to 50
interface GigabitEthernet0/1
security-level 50Repeat this for each interface that you want to configure.
Allow Same Security Level Traffic in global configuration mode:
# Permit traffic between interfaces with the same security level
same-security-traffic permit inter-interfaceThis command allows traffic to flow between interfaces with the same security level.
Assuming you have two interfaces, inside and outside, both with a security level of 50:
# Assign security levels to interfaces
interface GigabitEthernet0/1
security-level 50
interface GigabitEthernet0/2
security-level 50
# Permit Same Security Level Traffic
same-security-traffic permit inter-interfaceNow, traffic is permitted between the inside and outside interfaces.
Verify your configuration using the following command:
# Display information about all interfaces, including security levels
show interfaceCheck the security levels of your interfaces and ensure that Same Security Level Traffic is permitted.
Save your configuration to ensure it persists across reboots:
# Save the configuration
write memoryYou have successfully configured Same Security Level Traffic on Cisco ASA. This allows traffic to flow between interfaces with equal security levels. Ensure that this configuration aligns with your security policies and requirements.
Customize these commands based on your specific interface names and security level preferences.