Getting Started Guide vA5(1.0), Cisco ACE 4700 Series Application Control Engine Appliance
Configuring Access Control Lists
Downloads: This chapterpdf (PDF - 105.0KB) The complete bookPDF (PDF - 2.98MB) | Feedback

Configuring Access Control Lists

Table Of Contents

Configuring Access Control Lists

Information About ACLs

Guidelines and Restrictions

Configuring an ACL

Configuring an ACL Using the Device Manager GUI

Configuring an ACL Using the CLI

Configuration Example for Configuring an ACL

Where to Go Next


Configuring Access Control Lists


This chapter describes how to configure access control lists (ACLs) for the Cisco 4700 Series Application Control Engine (ACE) appliance. This chapter contains the following sections:

Information About ACLs

Guidelines and Restrictions

Configuring an ACL

Configuration Example for Configuring an ACL

Where to Go Next

Information About ACLs

After reading this chapter, you should have a basic understanding of how to configure an access control list in an ACE to secure your network.

You can use ACLs with the ACE appliance to permit or deny traffic to or from a specific IP address or an entire network. For example, you can permit all e-mail traffic on a circuit, but block Telnet traffic. You can also use ACLs to allow one client to access a part of the network while preventing other clients from doing so.

You must configure an ACL on each interface that you want to permit connections. Otherwise, the ACE will deny all traffic on the interface. An ACL consists of a series of ACL entries, which are permit-or-deny entries with criteria for the source IP address, destination IP address, protocol, port, or protocol-specific parameters. Each entry permits or denies inbound or outbound network traffic to the parts of your network specified in the entry.

The order of the ACL entries is important. When the ACE decides whether to accept or refuse a connection, it tests the packet against each ACL entry in the order in which the entries are listed. After it finds a match, it stops checking entries.

For example, if you create an entry at the beginning of an ACL that explicitly permits all traffic, the ACE skips any other entries in the ACL. An implicit deny all entry exists at the end of every ACL, so you must include entries for every interface on which you want to permit connections. Otherwise, the ACE appliance will deny all traffic on the interface.

Certain applications require special handling of the data portion of a packet as the packets pass through the ACE. The ACE verifies the protocol behavior and identifies unwanted or malicious traffic that attempts to pass through. Based on the specifications of the traffic policy, the ACE performs application protocol inspection to accept or reject the packet to ensure the secure use of applications and services.

For more information on how to configure an ACL to permit or deny specific traffic or resources, see the Security Guide, Cisco ACE Application Control Engine.

Guidelines and Restrictions

You must configure an ACL on each interface that you want to permit connections. Otherwise, the ACE will deny all traffic on the interface.

Configuring an ACL

To configure an ACL, you can use either the ACE Device Manager user interface (GUI) or the CLI.

Configuring an ACL Using the Device Manager GUI

Configuring an ACL Using the CLI

Configuring an ACL Using the Device Manager GUI

Configure an ACL using the ACE Device Manager GUI by following these steps:


Step 1 Choose VC_web in the virtual contexts drop-down list.

Step 2 Choose Config > Virtual Contexts > Security > ACLs. The ACLs table appears, listing the existing ACLs.

Step 3 Click Add (+) to create an ACL. The New Access List configuration screen appears.

Step 4 Enter the following ACL properties. Leave the remaining properties blank or with the default values.

Name: ACL_permit_all

Type: Extended

Extended—Control network access for IP traffic

EtherType—Control network access for non-IP traffic

Step 5 Create an ACL entry with the following attributes. Leave the remaining attributes blank or with the default values.

Line Number: 1


Note For easier insertion of additional ACL entries later, you can enter non-sequential line numbers such as 10, 20, and so on.


Action: Permit

Protocol/Service Object Group: Protocol, IP (Any)

Source Network: Any

Destination Network: Any

Step 6 Click Add To Table to add one or more ACL entries to the table.

Step 7 Click Deploy to deploy this ACL configuration on the virtual context.

Step 8 Choose Network > VLAN Interfaces. The VLAN Interfaces pane appears.

Step 9 Choose the Access Group tab.

Step 10 Click Add (+) in the Access Group pane. The New Access Group pane appears.

Step 11 Ensure the ACL entry is selected in the ACL Name drop-down list, then click Deploy Now to accept the defaults and add an ACL to the interface. The ACL is added in the Access Group pane.


Configuring an ACL Using the CLI

You can configure an ACL using the command-line interface (CLI) by following these steps:


Step 1 Check the CLI prompt to verify that you are operating in the desired context; change to the correct context if necessary.

host1/Admin# changeto VC_web
host1/VC_web#
 
   

Step 2 Enter configuration mode.

host1/VC_web# config
host1/VC_web(config)# 
 
   

Step 3 Create an ACL.

host1/VC_web(config)# access-list INBOUND extended permit ip any any
 
   

Step 4 Apply the ACL to an interface.

host1/VC_web(config)# interface vlan 400
host1/VC_web(config-if)# access-group input INBOUND
host1/VC_web(config-if)# exit
 
   

Step 5 Display the ACL configuration information.

host1/VC_web(config)# exit
host1/VC_web# show running-config access-list
 
   

Configuration Example for Configuring an ACL

The following example shows the running configuration of the VC_web user context with the commands that you have configured in this chapter in bold text.

switch/VC_web(config)# do show running config
Generating configuration....
 
   
access-list INBOUND line 8 extended permit ip any any
 
   
class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any
 
   
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
 
   
service-policy input REMOTE_MGMT_ALLOW_POLICY
 
   
interface vlan 400
  description Client connectivity on VLAN 400
  ip address 10.10.40.1 255.255.255.0
  access-group input INBOUND
  no shutdown
interface vlan 500
  description Server connectivity on VLAN 500
  ip address 10.10.50.1 255.255.255.0
no shutdown
 
   
ip route 0.0.0.0 0.0.0.0 172.25.91.1

Where to Go Next

In this chapter, you have created an ACL entry to permit all traffic to the network. Next, you will create a user who is allowed to perform a subset of the ACE management functions on part of your network resources.