-
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 2.2
-
About This Guide
-
Quick Start Steps
-
Introduction to the Firewall Services Module
-
Configuring the Switch for the Firewall Services Module
-
Connecting to the Firewall Services Module and Managing the Configuration
-
Configuring the Firewall Mode
-
Managing Security Contexts
-
Configuring Basic Settings
-
Configuring Bridging Parameters and ARP Inspection
-
Configuring IP Addresses, Routing, and DHCP
-
Configuring Network Address Translation
-
Controlling Network Access with Access Control Lists
-
Allowing Remote Management
-
Configuring AAA
-
Configuring Application and Protocol Inspection
-
Filtering HTTP, HTTPS, or FTP Requests Using an External Server
-
Using Failover
-
Managing Software and Configuration Files
-
Monitoring and Troubleshooting the Firewall Services Module
-
Specifications
-
Sample Configurations
-
Understanding the Command-Line Interface
-
Addresses, Protocols, and Ports Reference
-
Acronyms and Abbreviations
-
Index
-
Table Of Contents
Controlling Network Access with Access Control Lists
Access Control List Types and Uses
Access Control List Type Overview
Controlling Network Access for IP Traffic (Extended)
Identifying Traffic for AAA rules (Extended)
Controlling Network Access for IP Traffic for a Given User (Extended)
Identifying Addresses for Policy NAT and NAT Exemption (Extended)
VPN Management Access (Extended)
Controlling Network Access for Non-IP Traffic (EtherType)
Redistributing OSPF Routes (Standard)
Access Control List Guidelines
Access Control List Implicit Deny
IP Addresses Used for Access Control Lists When You Use NAT
Inbound and Outbound Access Control Lists
Adding an Extended Access Control List
Adding an EtherType Access Control List
Adding a Standard Access Control List
Simplifying Access Control Lists with Object Grouping
Adding a Protocol Object Group
Adding an ICMP Type Object Group
Using Object Groups with an Access Control List
Manually Committing Access Control Lists and Rules
Adding Remarks to Access Control Lists
Logging Extended Access Control List Activity
Access Control List Logging Overview
Configuring Logging for an Access Control Entry
Controlling Network Access with Access Control Lists
This chapter tells how to control network access through the Firewall Services Module (FWSM) using access control lists (ACLs). You can also use ACLs for other purposes, for example, to identify addresses for NAT, AAA, or OSPF route redistribution. This chapter describes how to create ACLs for these purposes as well as for network access, but this chapter only describes how to apply the ACLs for network access. Refer to the NAT, AAA, or IP chapters for information about applying ACLs for these other purposes.
Note
You use ACLs to control network access in both routed and transparent firewall modes. In transparent mode, you can use both extended ACLs (for Layer 3 traffic) and EtherType ACLs (for Layer 2 traffic).
This chapter contains the following sections:
•
•
•
•
•
•
•
Access Control List Overview
ACLs are made up of one or more Access Control Entries (ACEs). An ACE is a single entry in an ACL that specifies a permit or deny rule, and is applied to a protocol, a source and destination IP address or network, and optionally the source and destination ports.
This section includes the following topics:
•
•
Access Control List Types and Uses
This section includes the following topics:
•
•
•
•
•
•
•
•
Access Control List Type Overview
Table 10-1 lists the types of ACLs you can create and how you can use them.
Table 10-1 Access Control List Types and Uses
Control network access for IP traffic
Extended
See the "Controlling Network Access for IP Traffic (Extended)" section.
Identify traffic for AAA rules
Extended
See the "Identifying Traffic for AAA rules (Extended)" section.
Control network access for IP traffic for a given user
Extended, downloaded from a AAA server per user
See the "Controlling Network Access for IP Traffic for a Given User (Extended)" section.
Identify addresses for NAT (policy NAT and NAT exemption)
Extended
See the "Identifying Addresses for Policy NAT and NAT Exemption (Extended)" section.
Establish VPN management access
Extended
For transparent firewall mode, control network access for non-IP traffic
EtherType
See the "Controlling Network Access for Non-IP Traffic (EtherType)" section.
Identify OSPF route redistribution
Standard
Controlling Network Access for IP Traffic (Extended)
Extended ACLs control connections based on source address, destination address, protocol, or port. The FWSM does not allow any traffic through unless it is explicitly permitted by an extended ACL. This rule is true for both routed firewall mode and transparent firewall mode.
For TCP and UDP connections, you do not need an ACL to allow returning traffic, because the FWSM allows all returning traffic for established connections. See the "Stateful Inspection Feature" section for more information. For connectionless protocols such as ICMP, however, you either need ACLs to allow ICMP in both directions (by applying ACLs to the source and destination interfaces), or you need to enable the ICMP inspection engine (see the "ICMP Inspection Engine" section). The ICMP inspection engine treats ICMP sessions as stateful connections.
You can apply one ACL of each type to each direction of an interface. You can also apply the same ACLs on multiple interfaces.
To control network access for IP traffic, perform the following task:
•
Allowing Special Traffic through the Transparent Firewall
In routed firewall mode, some types of traffic are blocked even if you allow them in an ACL, including unsupported dynamic routing protocols, DHCP (unless you configure DHCP relay), and multicast traffic. Transparent firewall mode can allow any IP traffic through. Because these special types of traffic are connectionless, you need to apply an ACL to both interfaces, so returning traffic is allowed through.
Table 10-2 lists common traffic types that you can allow through the transparent firewall. See "Addresses, Protocols, and Ports Reference," for more protocols and ports.
Table 10-2 Transparent Firewall Special Traffic
BGP1
TCP port 179
—
DHCP2
UDP ports 67 and 68
If you enable the DHCP server, then the FWSM does not pass DHCP packets.
EIGRP3
Protocol 88
—
Multicast streams
The UDP ports vary depending on the application.
Multicast streams are always destined to a Class D address (224.0.0.0 to 239.x.x.x).
OSPF
Protocol 89
—
RIP (v1 or v2)
UDP port 520
—
1 Border Gateway Protocol
2 Dynamic Host Configuration Protocol
3 Enhanced Interior Gateway Routing Protocol
Identifying Traffic for AAA rules (Extended)
ACLs can be used with AAA in several ways.
•
a.
Permit entries in the ACL mark matching traffic for authorization, while deny entries exclude matching traffic from authorization.
b.
•
a.
Permit entries in the ACL mark matching traffic for authentication, while deny entries exclude matching traffic from authentication.
b.
•
a.
Permit entries in the ACL mark matching traffic for accounting, while deny entries exclude matching traffic from accounting.
b.
Controlling Network Access for IP Traffic for a Given User (Extended)
When you configure user authentication for network access, you can also choose to configure user authorization that determines the specific access privileges for each user. If you use a RADIUS server, you can configure the RADIUS server to download a dynamic ACL to be applied to the user, or the server can send the name of an ACL that you already configured on the FWSM. See the following tasks for each method.
•
a.
b.
•
a.
This extended ACL is not assigned to an interface, but is designed to be applied to one or more users.
b.
These per-user ACLs must be as restrictive or more restrictive than an extended ACL that is assigned to the interface. For example, if the ACL assigned to the inside interface allows all users to have only HTTP access to other networks, it would not make sense to configure an authorization ACL for that user to access FTP.
Identifying Addresses for Policy NAT and NAT Exemption (Extended)
Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses in an extended ACL. You can also optionally specify the source and destination ports. Regular NAT can only consider the local addresses.
NAT exemption statements also use ACLs, but you cannot specify the ports.
To use ACLs with NAT, perform the following tasks:
1.
2.
–
–
–
VPN Management Access (Extended)
You can use an extended ACL in VPN commands. See the following tasks for each method.
•
a.
Specify the FWSM address as the source address. Specify the remote address(es) for the destination address.
b.
•
a.
Specify the FWSM address as the source address, and the VPN pool addresses as the destination addresses.
b.
The FWSM only supports IPSec tunnels that terminate on the FWSM and that allow access to the FWSM for management purposes; you cannot terminate a tunnel on the FWSM for traffic that goes through the FWSM to another network.
Controlling Network Access for Non-IP Traffic (EtherType)
Transparent firewall mode only
You can configure an ACL that controls traffic based on its EtherType. The FWSM can control any EtherType identified by a 16-bit hexadecimal number. EtherType ACLs support Ethernet V2 frames. 802.3-formatted frames are not handled by the ACL because they use a length field as opposed to a type field. Bridge protocol data units (BPDUs), which are handled by the ACL, are the only exception: they are SNAP-encapsulated, and the FWSM is designed to specifically handle BPDUs.
To control non-IP traffic, perform the following task:
•
Redistributing OSPF Routes (Standard)
Single context mode only
Standard ACLs include only the destination address. You can use a standard ACL with the route-map command to control the redistribution of OSPF routes, perform the following tasks:
1.
2.
Access Control List Guidelines
See the following guidelines for creating ACLs:
•
•
•
Access Control Entry Order
An ACL is made up of one or more Access Control Entries (ACEs). Depending on the ACL type, you can specify the source and destination addresses, the protocol, the ports (for TCP or UDP), the ICMP type (for ICMP), or the EtherType.
Each ACE that you enter for a given ACL name is appended to the end of the ACL.
The order of ACEs is important. When the FWSM decides whether to forward or drop a packet, the FWSM tests the packet against each ACE in the order in which the entries are listed. After a match is found, no more ACEs are checked. For example, if you create an ACE at the beginning of an ACL that explicitly permits all traffic, no further statements are ever checked.
Access Control List Implicit Deny
ACLs have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot pass. For example, if you want to allow all users to access a network through the FWSM except for particular addresses, then you need to deny the particular addresses and then permit all others.
Access Control List Commit
When you add an ACE to an ACL, the FWSM activates the ACL by committing it to the network processors. The FWSM waits a short period of time after you last entered an access-list command and then commits the ACL. This waiting period minimizes the number of times the FWSM commits the ACL. If you enter multiple ACEs within the short waiting period, or paste ACEs at the command prompt, then the FWSM does not commit the ACL until the waiting period has passed and you do not enter more entries. The FWSM displays a message similar to the following after it commits the ACL:
Access Rules Download Complete: Memory Utilization: < 1%Large ACLs of approximately 60K ACEs can take 3 to 4 minutes to commit, depending on the size.
To manually commit ACLs, see the "Manually Committing Access Control Lists and Rules" section.
For information about exceeding memory limits, see the "Maximum Number of ACEs" section.
Maximum Number of ACEs
The FWSM supports a maximum of 80K rules for the entire system in single mode, and 142K rules for multiple mode. Rules include ACEs, ACEs used for policy NAT, filters, AAA, ICMP, Telnet, SSH, HTTP, and established rules. See the "Rule Limits" section for the limits for each rule type.
Some ACLs use more memory than others, and these include ACLs that use large port number ranges or overlapping networks (for example one ACE specifies 10.0.0.0/8 and another specifies 10.1.1.0/24). Depending on the type of ACL, the actual limit the system can support will be less than 80K (single mode) or 142K (multiple mode).
If you use object groups in ACEs, the number of actual ACEs that you enter is fewer, but the number of expanded ACEs is the same as without object groups, and expanded ACEs count towards the system limit. To view the number of expanded ACEs in an ACL, enter the show access-list acl_name command.
When you add an ACE, and the FWSM compiles the ACL, the console displays the memory used in a message similar to the following:
Access Rules Download Complete: Memory Utilization: < 1%If you exceed the memory limitations, you receive an error message and a system message (106024), and all the ACLs that were added in this compilation are removed from the configuration. Only the set of ACLs that were successfully committed in the previous commitment are used. For example, if you paste 1,000 ACEs at the prompt, and the last ACE exceeds the memory limitations, all 1,000 ACEs are rejected.
IP Addresses Used for Access Control Lists When You Use NAT
When you use NAT, the IP addresses you specify for an ACL depend on the interface to which the ACL is attached; you need to use addresses that are valid on the network connected to the interface. This guideline applies for both inbound and outbound ACLs: the direction does not determine the address used, only the interface does.
For example, you want to apply an ACL to the inbound direction of the inside interface. You configure the FWSM to perform NAT on the inside source addresses when they access outside addresses. Because the ACL is applied to the inside interface, the source addresses are the original untranslated addresses. Because the outside addresses are not translated, the destination address used in the ACL is the real address (see Figure 10-1).
Figure 10-1 IP Addresses in ACLs: NAT Used for Source Addresses
See the following commands for this example:
FWSM/contexta(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225FWSM/contexta(config)# access-group INSIDE in interface insideIf you want to allow an outside host to access an inside host, you can apply an inbound ACL on the outside interface. You need to specify the translated address of the inside host in the ACL because that address is the address that can be used on the outside network (see Figure 10-2).
Figure 10-2 IP Addresses in ACLs: NAT used for Destination Addresses
See the following commands for this example:
FWSM/contexta(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5FWSM/contexta(config)# access-group OUTSIDE in interface outsideIf you perform NAT on both interfaces, then keep in mind the addresses that are visible to a given interface. In Figure 10-3, an outside server uses static NAT so that a translated address appears on the inside network.
Figure 10-3 IP Addresses in ACLs: NAT used for Source and Destination Addresses
See the following commands for this example:
FWSM/contexta(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 10.1.1.56FWSM/contexta(config)# access-group INSIDE in interface insideFor an example of IP addresses used in outbound ACLs, see Figure 10-5.
Inbound and Outbound Access Control Lists
Traffic flowing across an interface in the FWSM can be controlled in two ways. Traffic that enters the FWSM can be controlled by attaching an inbound ACL to the source interface. Traffic that exits the FWSM can be controlled by attaching an outbound ACL to the destination interface. To allow any traffic to enter the FWSM, you must attach an inbound ACL to an interface; otherwise, the FWSM automatically drops all traffic that enters that interface. By default, traffic can exit the FWSM on any interface unless you restrict it using an outbound ACL, which adds restrictions to those already configured in the inbound ACL.
Note
You might want to use an outbound ACL to simplify your ACL configuration. For example, if you want to allow three inside networks on three different interfaces to access each other, you can create a simple inbound ACL that allows all traffic on each inside interface (see Figure 10-4).
Figure 10-4 Inbound ACLs
See the following commands for this example:
FWSM/contexta(config)# access-list INSIDE extended permit ip any anyFWSM/contexta(config)# access-group INSIDE in interface insideFWSM/contexta(config)# access-list HR extended permit ip any anyFWSM/contexta(config)# access-group HR in interface hrFWSM/contexta(config)# access-list ENG extended permit ip any anyFWSM/contexta(config)# access-group ENG in interface engThen, if you want to allow only certain hosts on the inside networks to access a web server on the outside network, you can create a more restrictive ACL that allows only the specified hosts and apply it to the outbound direction of the outside interface (see Figure 10-4). See the "IP Addresses Used for Access Control Lists When You Use NAT" section for information about NAT and IP addresses. The outbound ACL prevents any other hosts from reaching the outside network.
Figure 10-5 Outbound ACL
See the following commands for this example:
FWSM/contexta(config)# access-list INSIDE extended permit ip any anyFWSM/contexta(config)# access-group INSIDE in interface insideFWSM/contexta(config)# access-list HR extended permit ip any anyFWSM/contexta(config)# access-group HR in interface hrFWSM/contexta(config)# access-list ENG extended permit ip any anyFWSM/contexta(config)# access-group ENG in interface engFWSM/contexta(config)# access-list OUTSIDE extended permit tcp host 209.165.201.4 host 209.165.200.225 eq wwwFWSM/contexta(config)# access-list OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq wwwFWSM/contexta(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq wwwFWSM/contexta(config)# access-group OUTSIDE out interface outsideAdding an Extended Access Control List
An extended ACL is made up of one or more ACEs, in which you can specify the source and destination addresses, and, depending on the ACE type, the protocol, the ports (for TCP or UDP), or the ICMP type (for ICMP). You can identify all of these parameters within the access-list command, or you can use object groups for each parameter. This section describes how to identify the parameters within the command. To use object groups, see the "Simplifying Access Control Lists with Object Grouping" section.
For TCP and UDP connections, you do not need to also apply an ACL on the destination interface to allow returning traffic, because the FWSM allows all returning traffic for established connections. See the "Stateful Inspection Feature" section for more information. For connectionless protocols such as ICMP, however, you either need ACLs to allow ICMP in both directions (by applying ACLs to the source and destination interfaces), or you need to enable the ICMP inspection engine. (See the "ICMP Inspection Engine" section.) The ICMP inspection engine treats ICMP sessions as stateful connections. For transparent mode, you can allow protocols with an extended ACL that are otherwise blocked by a routed mode FWSM, including BGP, DHCP, and multicast streams. Because these protocols do not have sessions on the FWSM to allow returning traffic, these protocols also require ACLs on both interfaces.
You can apply only one ACL of each type (extended and EtherType) to each direction of an interface. You can apply the same ACLs on multiple interfaces.
Note
To add an extended ACL and apply it to an interface, follow these steps:
Step 1
When you enter the access-list command for a given ACL name, the ACE is added to the end of the ACL.
Tip
Note
•
FWSM/contexta(config)# access-list acl_name [extended] {deny | permit} protocol source_address mask dest_address maskThis type of ACE lets you specify any protocol for the source and destination addresses, but not ports. Typically, you identify ip for the protocol, but other protocols are accepted.
Enter host before the IP address to specify a single address. In this case, do not enter a mask. Enter any instead of the address and mask to specify any address.
For a list of protocol names, see the "Protocols and Applications" section.
For information about logging options that you can add to the end of the ACE, see the "Logging Extended Access Control List Activity" section.
See the following examples:
The following ACL allows all hosts (on the interface to which you apply the ACL) to go through the FWSM:
FWSM/contexta(config)# access-list ACL_IN extended permit ip any anyThe following sample ACL prevents hosts on 192.168.1.0/24 from accessing the 209.165.201.0/27 network. All other addresses are permitted:
FWSM/contexta(config)# access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224FWSM/contexta(config)# access-list ACL_IN extended permit ip any anyIf you want to restrict access to only some hosts, then enter a limited permit ACE. By default, all other traffic is denied unless explicitly permitted.
FWSM/contexta(config)# access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224•
FWSM/contexta(config)# access-list acl_name [extended] {deny | permit} {tcp | udp} source_address mask [operator port] dest_address mask [operator port]Enter host before the IP address to specify a single address. In this case, do not enter a mask. Enter any instead of the address and mask to specify any address.
Use an operator to match port numbers used by the source or destination. The permitted operators are as follows:
–
–
–
–
–
range 100 200For a list of permitted keywords and well-known port assignments, see the "TCP and UDP Ports" section. DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP.
For information about logging options that you can add to the end of the ACE, see the "Logging Extended Access Control List Activity" section.
See the following example:
The following ACL restricts all hosts (on the interface to which you apply the ACL) from accessing a website at address 209.165.201.29. All other traffic is allowed.
FWSM/contexta(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq wwwFWSM/contexta(config)# access-list ACL_IN extended permit ip any any•
FWSM/contexta(config)# access-list acl_name [extended] {deny | permit} icmp source_address mask dest_address mask [icmp_type]Enter host before the IP address to specify a single address. In this case, do not enter a mask. Enter any instead of the address and mask to specify any address.
Because ICMP is a connectionless protocol, you either need ACLs to allow ICMP in both directions (by applying ACLs to the source and destination interfaces), or you need to enable the ICMP inspection engine (see the "ICMP Inspection Engine" section). The ICMP inspection engine treats ICMP sessions as stateful connections.
To control ping, specify echo-reply (0) (FWSM to host) or echo (8) (host to FWSM). See the "ICMP Types" section for a list of ICMP types.
For information about logging options that you can add to the end of the ACE, see the "Logging Extended Access Control List Activity" section.
Step 2
FWSM/contexta(config)# access-group acl_name {in | out} interface interface_nameYou can apply one ACL of each type (extended and EtherType) to both directions of the interface. See the "Inbound and Outbound Access Control Lists" section for more information about ACL directions.
For connectionless protocols, you need to apply the ACL to the source and destination interfaces if you want traffic to pass in both directions. For example, you can allow BGP in an ACL in transparent mode, and you need to apply the ACL to both interfaces.
The following example illustrates the commands required to enable access to an inside web server with the IP address 209.165.201.12 (this IP address is the address visible on the outside interface after NAT):
FWSM/contexta(config)# access-list ACL_OUT extended permit tcp any host 209.165.201.12 eq wwwFWSM/contexta(config)# access-group ACL_OUT in interface outsideYou also need to configure NAT for the web server. See the "Using Static NAT" section for more information.
The following ACLs allow all hosts to communicate between the inside and hr networks, but only specific hosts to access the outside network:
FWSM/contexta(config)# access-list ANY extended permit ip any anyFWSM/contexta(config)# access-list OUT extended permit ip host 209.168.200.3 anyFWSM/contexta(config)# access-list OUT extended permit ip host 209.168.200.4 anyFWSM/contexta(config)# access-group ANY in interface insideFWSM/contexta(config)# access-group ANY in interface hrFWSM/contexta(config)# access-group OUT out interface outsideAdding an EtherType Access Control List
Transparent firewall mode only
An EtherType ACE controls any EtherType identified by a 16-bit hexadecimal number. You can identify some types by a keyword for convenience.
Because EtherTypes are connectionless, you need to apply the ACL to both interfaces if you want traffic to pass in both directions.
For example, you can permit or deny bridge protocol data units (BPDUs). By default, all BPDUs are denied. The FWSM receives trunk port (Cisco proprietary) BPDUs because FWSM ports are trunk ports. Trunk BPDUs have VLAN information inside the payload, so the FWSM modifies the payload with the outgoing VLAN if you allow BPDUs. If you use failover, you must allow BPDUs on both interfaces with an EtherType ACL to avoid bridging loops.
If you allow MPLS, ensure that Label Distribution Protocol (LDP) and Tag Distribution Protocol (TDP) TCP connections are established through the FWSM by configuring both MPLS routers connected to the FWSM to use the IP address on the FWSM interface as the router-id for LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.)
On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the FWSM:
router(config)# mpls ldp router-id interface forceOr
router(config)# tag-switching tdp router-id interface forceYou can apply only one ACL of each type (extended and EtherType) to each direction of an interface. You can also apply the same ACLs on multiple interfaces.
To add an EtherType ACL and apply it to an interface, follow these steps:
Step 1
FWSM/contexta(config)# access-list acl_name ethertype {permit | deny} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}The hex_number is any EtherType that can be identified by a 16-bit hexadecimal number greater than or equal to 0x600. See RFC 1700, "Assigned Numbers," at http://www.ietf.org/rfc/rfc1700.txt for a list of EtherTypes.
When you enter the access-list command for a given ACL name, the ACE is added to the end of the ACL.
Tip
Step 2
FWSM/contexta(config)# access-group acl_name {in | out} interface interface_nameYou can apply one ACL of each type (extended and EtherType) to both directions of the interface. See the "Inbound and Outbound Access Control Lists" section for more information about ACL directions.
Because EtherTypes are connectionless, you need to apply the ACL to both interfaces if you want traffic to pass in both directions.
For example, the following sample ACL allows common EtherTypes originating on the inside interface:
FWSM/contexta(config)# access-list ETHER ethertype permit ipxFWSM/contexta(config)# access-list ETHER ethertype permit bpduFWSM/contexta(config)# access-list ETHER ethertype permit mpls-unicastFWSM/contexta(config)# access-group ETHER in interface insideThe following ACL allows some EtherTypes through the FWSM, but denies IPX:
FWSM/contexta(config)# access-list ETHER ethertype deny ipxFWSM/contexta(config)# access-list ETHER ethertype permit 0x1234FWSM/contexta(config)# access-list ETHER ethertype permit bpduFWSM/contexta(config)# access-list ETHER ethertype permit mpls-unicastFWSM/contexta(config)# access-group ETHER in interface insideFWSM/contexta(config)# access-group ETHER in interface outsideThe following ACL denies traffic with EtherType 0x1256 but allows all others on both interfaces:
FWSM/contexta(config)# access-list nonIP ethertype deny 1256FWSM/contexta(config)# access-list nonIP ethertype permit anyFWSM/contexta(config)# access-group ETHER in interface insideFWSM/contexta(config)# access-group ETHER in interface outsideAdding a Standard Access Control List
Single context mode only
Standard ACLs identify the destination IP addresses of OSPF routes, and can be used in a route map for OSPF redistribution. Standard ACLs cannot be applied to interfaces to control traffic.
The following command adds a standard ACE. To add another ACE at the end of the ACL, enter another access-list command specifying the same ACL name. Apply the ACL using the "Adding a Route Map" section.
To add an ACE, enter the following command:
FWSM(config)# access-list acl_name standard {deny | permit} {any | ip_address mask}The following sample ACL identifies routes to 192.168.1.0/24:
FWSM(config)# access-list OSPF standard permit 192.168.1.0 255.255.255.0Simplifying Access Control Lists with Object Grouping
This section describes how to use object grouping to simplify ACL creation and maintenance, and includes the following topics:
•
How Object Grouping Works
By grouping like-objects together, you can use the object group in an ACE instead of having to enter an ACE for each object separately. You can create the following types of object groups:
•
•
•
•
For example, consider the following three object groups:
•
•
•
After creating these groups, you could use a single ACE to allow trusted hosts to make specific service requests to a group of public servers.
You can also nest object groups in other object groups.
Note
Adding Object Groups
This section describes how to add object groups, and includes the following topics:
•
•
•
•
Note
Adding a Protocol Object Group
To add or change a protocol object group, follow these steps. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects. You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.
To add a protocol group, follow these steps:
Step 1
FWSM/contexta(config)# object-group protocol grp_idThe grp_id is a text string up to 64 characters in length.
The prompt changes to the protocol subcommand mode.
Step 2
FWSM/contexta(config-protocol)# description textThe description can be up to 200 characters.
Step 3
FWSM/contexta(config-protocol)# protocol-object protocolThe protocol is the numeric identifier of the specific IP protocol (1 to 254) or a keyword identifier (for example, icmp, tcp, or udp). To include all IP protocols, use the keyword ip. For a list of protocols you can specify, see the "Protocols and Applications" section.
For example, to create a protocol group for TCP, UDP, and ICMP, enter the following commands:
FWSM/contexta(config)# object-group protocol tcp_udp_icmpFWSM/contexta(config-protocol)# protocol-object tcpFWSM/contexta(config-protocol)# protocol-object udpFWSM/contexta(config-protocol)# protocol-object icmpAdding a Network Object Group
To add or change a network object group, follow these steps. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects. You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.
To add a network group, follow these steps:
Step 1
FWSM/contexta(config)# object-group network grp_idThe grp_id is a text string up to 64 characters in length.
The prompt changes to the network subcommand mode.
Step 2
FWSM/contexta(config-network)# description textThe description can be up to 200 characters.
Step 3
FWSM/contexta(config-network)# network-object {host ip_address | ip_address mask}For example, to create network group that includes the IP addresses of three administrators, enter the following commands:
FWSM/contexta(config)# object-group network adminsFWSM/contexta(config-network)# description Administrator AddressesFWSM/contexta(config-network)# network-object host 10.1.1.4FWSM/contexta(config-network)# network-object host 10.1.1.78FWSM/contexta(config-network)# network-object host 10.1.1.34Adding a Service Object Group
To add or change a service object group, follow these steps. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects. You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.
To add a service group, follow these steps:
Step 1
FWSM/contexta(config)# object-group service grp_id {tcp | udp | tcp-udp}The grp_id is a text string up to 64 characters in length.
Specify the protocol for the services (ports) you want to add, either tcp, udp, or tcp-udp. Enter tcp-udp if your service uses both TCP and UDP with the same port number, for example, DNS (port 53).
The prompt changes to the service subcommand mode.
Step 2
FWSM/contexta(config-service)# description textThe description can be up to 200 characters.
Step 3
FWSM/contexta(config-service)# port-object {eq port | range begin_port end_port}For a list of permitted keywords and well-known port assignments, see the "Protocols and Applications" section.
For example, to create service groups that include DNS (TCP/UDP), LDAP (TCP), and RADIUS (UDP), enter the following commands:
FWSM/contexta(config)# object-group service services1 tcp-udpFWSM/contexta(config-service)# description DNS GroupFWSM/contexta(config-service)# port-object eq domainFWSM/contexta(config-service)# object-group service services2 udpFWSM/contexta(config-service)# description RADIUS GroupFWSM/contexta(config-service)# port-object eq radiusFWSM/contexta(config-service)# port-object eq radius-acctFWSM/contexta(config-service)# object-group service services3 tcpFWSM/contexta(config-service)# description LDAP GroupFWSM/contexta(config-service)# port-object eq ldapAdding an ICMP Type Object Group
To add or change an ICMP type object group, follow these steps. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects. You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.
To add an ICMP type group, follow these steps:
Step 1
FWSM/contexta(config)# object-group icmp-type grp_idThe grp_id is a text string up to 64 characters in length.
The prompt changes to the ICMP type subcommand mode.
Step 2
FWSM/contexta(config-icmp-type)# description textThe description can be up to 200 characters.
Step 3
FWSM/contexta(config-icmp-type)# icmp-object icmp_typeSee the "ICMP Types" section for a list of ICMP types.
For example, to create an ICMP type group that includes echo-reply and echo (for controlling ping), enter the following commands:
FWSM/contexta(config)# object-group icmp-type pingFWSM/contexta(config-service)# description Ping GroupFWSM/contexta(config-icmp-type)# icmp-object echoFWSM/contexta(config-icmp-type)# icmp-object echo-replyNesting Object Groups
To nest an object group within another object group of the same type, first create the group that you want to nest according to the "Adding Object Groups" section. Then follow these steps:
Step 1
FWSM/contexta(config)# object-group {{protocol | network | icmp-type} grp_id | service grp_id {tcp | udp | tcp-udp}}Step 2
FWSM/contexta(config-group_type)# group-object grp_idThe nested group must be of the same type.
You can mix and match nested group objects and regular objects within an object group.
For example, you create network object groups for privileged users from various departments:
FWSM/contexta(config)# object-group network engFWSM/contexta(config-network)# network-object host 10.1.1.5FWSM/contexta(config-network)# network-object host 10.1.1.9FWSM/contexta(config-network)# network-object host 10.1.1.89FWSM/contexta(config-network)# object-group network hrFWSM/contexta(config-network)# network-object host 10.1.2.8FWSM/contexta(config-network)# network-object host 10.1.2.12FWSM/contexta(config-network)# object-group network financeFWSM/contexta(config-network)# network-object host 10.1.4.89FWSM/contexta(config-network)# network-object host 10.1.4.100You then nest all three groups together as follows:
FWSM/contexta(config)# object-group network adminFWSM/contexta(config-network)# group-object engFWSM/contexta(config-network)# group-object hrFWSM/contexta(config-network)# group-object financeYou only need to specify the admin object group in your ACE as follows:
FWSM/contexta(config)# access-list ACL_IN extended permit ip object-group admin host 209.165.201.29Using Object Groups with an Access Control List
To use object groups in an ACL, replace the normal protocol (protocol), network (source_address mask, etc.), service (operator port), or ICMP type (icmp_type) parameter with object-group grp_id.
For example, to use object groups for all available parameters in the access-list {tcp | udp} command, enter the following command:
FWSM(config)# access-list acl_name [extended] {deny | permit} {tcp | udp} object-group nw_grp_id [object-group svc_grp_id] object-group nw_grp_id [object-group svc_grp_id] [log [[level] [interval secs] | disable | default]]You do not have to use object groups for all parameters; for example, you can use an object group for the source address, but identify the destination address with an address and mask.
The following normal ACL that does not use object groups restricts several hosts on the inside network from accessing several web servers. All other traffic is allowed.
FWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.29 eq wwwFWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.29 eq wwwFWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.29 eq wwwFWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.16 eq wwwFWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.16 eq wwwFWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.16 eq wwwFWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.78 eq wwwFWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.78 eq wwwFWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.78 eq wwwFWSM/contexta(config)# access-list ACL_IN extended permit ip any anyFWSM/contexta(config)# access-group ACL_IN in interface insideIf you make two network object groups, one for the inside hosts, and one for the web servers, then the configuration can be simplified and can be easily modified to add more hosts:
FWSM/contexta(config)# object-group network deniedFWSM/contexta(config-network)# network-object host 10.1.1.4FWSM/contexta(config-network)# network-object host 10.1.1.78FWSM/contexta(config-network)# network-object host 10.1.1.89FWSM/contexta(config-network)# object-group network web </
