Adding incoming and outgoing access rules on a Cisco ASA


To understand incoming and outgoing rules, there are a couple of things to know before you can define your rules. Let’s start with an understanding of traffic flow on an ASA. All incoming rules are meant to define traffic that comes inbound to the ASA’s interface. Outgoing is for all traffic that is going outbound from an ASA’s interface. It does not matter which interface it is, since this is a matter of data flow and each active interface on an ASA will have its own unique address.

To try and explain this further, let’s say we have an internal interface with an IP address of that is for your local area network to connect to. You can add a permit or deny rule to this interface specifying whether incoming or outgoing traffic will be permitted or not. This allows you to control which computers can communicate past that interface. Essentially you would define most of your rules for the local area network on the internal interface, governing which systems/devices could access the internet or certain protocols.

Now if you know about the basic configuration of an ASA, you know that you have to set the security level of the Internal and External ports. By default these devices allow traffic from a higher security interface to a lower security interface. NAT/PAT will need to be configured depending on if you want to define port traffic for specified protocols.

For this article I will just mention that there are several types of Access Control Lists (ACL) that you can create on an ASA. These types are Standard, Extended, Ethertype, webtype, and IPV6. For this example we will use Extended because that is most likely what almost everyone will use the most. With an extended ACL you can specify not only IP addresses in the access control list, but also port traffic to match the protocol that might be required.

Let’s look at the examples below:

You will see we are in the configuration terminal mode:

ASA(config)# access-list acl extended permit tcp any host eq 80

- The first part, “access-list acl”, means the access list will be named “acl”.
- Next you have a choice between types of access list. We are using Extended for this example.
- The next portion is the permit or deny option, and we have permit selected for this statement.
- The next selection, which says “any”, is the source of the traffic; here it refers to inside traffic (simply meaning that any internal traffic is allowed). If you don’t use “any” you can specify specific devices by using “host” and the IP address, like the last part of this ACL statement.
- The next part of this refers to specifying a specific host address of equals port 80.

So this example tells us that our access control list named “acl” will allow any inside traffic out to the host address of that is internet traffic.

Later you will notice that your statement will look like this on the ASA:

ASA(config)access-list acl extended permit tcp any host www
Notice how “eq 80” (default http traffic) changed automatically to “www”. This is common on Cisco ASA devices.
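
The field-by-field reading above, as an added Python example (not code from the original article or from Cisco): it splits an extended entry into its fields, shows the port the way the ASA displays it, and notes broad “any” matches worth reviewing. The address 192.0.2.10, the function names and the small port table are assumptions made for illustration.

```python
import ipaddress

# A few port numbers the ASA displays as keywords (80 -> www is the article's case).
PORT_NAMES = {"22": "ssh", "25": "smtp", "53": "domain", "80": "www", "443": "https"}

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host <ip>' or '<network> <mask>'."""
    head = tokens.pop(0)
    if head == "any":
        return "any"
    if head == "host":
        return str(ipaddress.ip_address(tokens.pop(0)))
    return str(ipaddress.ip_network(f"{head}/{tokens.pop(0)}"))

def _take_port(tokens):
    """Consume an optional 'eq <port>'; return the port as the ASA shows it."""
    if not tokens or tokens[0] != "eq":
        return None
    port = tokens[1]
    del tokens[:2]
    return PORT_NAMES.get(port, port)

def parse_ace(line):
    """Split one extended access-list entry into named fields."""
    tokens = line.split()
    try:
        start = tokens.index("access-list") + 1  # skip any CLI prompt
        name, acl_type, action, proto, *rest = tokens[start:]
        if acl_type != "extended" or action not in ("permit", "deny"):
            raise ValueError("only extended permit/deny entries are handled")
        ace = {"name": name, "action": action, "protocol": proto,
               "src": _take_addr(rest), "src_port": _take_port(rest),
               "dst": _take_addr(rest), "dst_port": _take_port(rest)}
    except IndexError:
        raise ValueError("truncated entry") from None
    if rest:
        raise ValueError(f"unsupported tokens: {rest}")
    return ace

def review(ace):
    """Return notes on broad matches a reviewer would want to justify."""
    if ace["action"] != "permit":
        return []
    notes = [f"{s} is 'any'" for s in ("src", "dst") if ace[s] == "any"]
    if ace["protocol"] in ("tcp", "udp") and ace["dst_port"] is None:
        notes.append("no destination port: all ports match")
    return notes

# Constructed sample; 192.0.2.10 is a documentation address, not the article's.
SAMPLE = "ASA(config)# access-list acl extended permit tcp any host 192.0.2.10 eq 80"
```

Calling review(parse_ace(SAMPLE)) reports that the source is “any”, which is the point the fourth bullet makes about this statement.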

from 318 Tech Journal

This article was posted by Kai Howells.

One Response to Adding incoming and outgoing access rules on a Cisco ASA

  1. Hi,

    I don’t quite understand the difference between inbound and outbound in the ASA log entries:

    %ASA-6-302013: Built $direction TCP connection for IF:ip-address/port to IF:ipaddress/port.

    In my understanding, depending on the direction (inbound or outbound), “for IF:…” can mean both src or dst.
    Is that true?

    So “for …” and “to …” don’t always mean the same?
    Also in other entries?

    What about “%ASA-6-302015: Built $direction UDP …”?
    %ASA-6-302020: Built outbound ICMP connection for faddr?

    (faddr – gaddr?)

    In my understanding “to …” suggests destination.

    Can you please explain this to me?


