Access Control Lists
As discussed in Chapter 5, "Network Access Control," you can use access control lists (ACLs) to filter traffic passing through Cisco ASA. You can set up a traffic-filtering ACL under Configuration > Features > Security Policy > Access Rules. Click Add to create a new ACL. Figure 19-1 shows a new access control entry (ACE) added into ASDM to block web traffic coming in from the outside host located at 209.165.201.1 to an inside web server located at 209.165.202.131. This ACE is a part of an ACL, which is automatically created by ASDM and applied to the interface. ASDM provides a nice Rule Flow Diagram section to illustrate how the ACL policy will be applied to the traffic. The source or destination host/network addresses may be IP addresses, an interface name, or an object group. You may also enter a description at the bottom of the screen to label the purpose of this entry.
Figure 19-1. Setting Up an ACE
Note
An ACE is referred to as an access rule in the ASDM interface.
Figure 19-2 illustrates the complete ACL with two ACEs.
Figure 19-2. Displaying the Entire ACL
The first entry denies the traffic originating from the host located at 209.165.201.1. The second entry allows web traffic to pass through Cisco ASA if it is either of the following:
- Sourced from any IP address, except the one that is blocked.
- Destined for the IP address of the web server.
Example 19-1 shows the corresponding ACL generated by ASDM. The ACL name is outside_access_in and it is applied to the outside interface in the inbound direction.
Example 19-1. ACL Generated by ASDM
access-list outside_access_in remark ACE to block web-traffic destined to 209.165.202.131 from 209.165.201.1
access-list outside_access_in extended deny tcp host 209.165.201.1 host 209.165.202.131 eq www
access-list outside_access_in extended permit tcp any host 209.165.202.131 eq www
access-group outside_access_in in interface outside
The use of object groups can simplify both the CLI and GUI configuration if numerous hosts need to be filtered using similar properties. For network-based object groups, Cisco ASA needs to know where a host or a network exists. To accomplish this, navigate to Configuration > Features > Building Blocks > Host/Networks and then click Add under Hosts/Networks Groups. You can enter the IP addresses of the hosts either by clicking Existing Hosts and Networks and adding them from the list or by clicking New Host or Network, typing the new address, and then adding it with the Add button, as shown in Figure 19-3. The existing hosts are the previously added hosts in the ASDM list. The administrator has named this object group inside_web_servers and has grouped three inside IP addresses in the list.
Figure 19-3. Defining an Object Group in ASDM
After defining the object groups, you can map an ACE, as shown in Figure 19-4. The traffic from the outside hosts defined in the outside_hosts network group is allowed to pass through Cisco ASA to the hosts on the inside network that are identified in the inside_web_servers group on TCP port 80.
Figure 19-4. Mapping an Object Group in ASDM
Example 19-2 shows the configuration generated by ASDM when using object groups.
Example 19-2. ACL with Object Groups Generated by ASDM
object-group network inside_web_servers
 network-object 209.165.202.131 255.255.255.255
 network-object 209.165.202.132 255.255.255.255
 network-object 209.165.202.135 255.255.255.255
object-group network outside_hosts
 network-object 209.165.201.1 255.255.255.255
 network-object 209.165.201.2 255.255.255.255
 network-object 209.165.201.10 255.255.255.255
access-list outside_access_in line 1 extended permit tcp object-group outside_hosts object-group inside_web_servers eq 80
access-group outside_access_in in interface outside
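The following Python checker is an added example; it is not code from the book, ASDM, or Cisco. It parses the subset of ASA syntax that Examples 19-1 and 19-2 use (network object-groups, extended ACEs with host/any/object-group/network-mask targets, eq destination ports, and access-group bindings) and replays the ASA's first-match evaluation, including the implicit deny at the end of every ACL. The function names parse_config, evaluate and check are this example's own; the two sample configurations are copied from the examples above so the results can be compared against the text.

```python
"""Offline first-match evaluation of Cisco ASA access-lists (hypothetical helper)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords ASA accepts in place of numbers (subset sufficient for this page).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}

# Sample input: the ACLs from Example 19-1 and Example 19-2 on this page.
EXAMPLE_19_1 = """
access-list outside_access_in remark ACE to block web-traffic destined to 209.165.202.131 from 209.165.201.1
access-list outside_access_in extended deny tcp host 209.165.201.1 host 209.165.202.131 eq www
access-list outside_access_in extended permit tcp any host 209.165.202.131 eq www
access-group outside_access_in in interface outside
"""
EXAMPLE_19_2 = """
object-group network inside_web_servers
 network-object 209.165.202.131 255.255.255.255
 network-object 209.165.202.132 255.255.255.255
 network-object 209.165.202.135 255.255.255.255
object-group network outside_hosts
 network-object 209.165.201.1 255.255.255.255
 network-object 209.165.201.2 255.255.255.255
 network-object 209.165.201.10 255.255.255.255
access-list outside_access_in line 1 extended permit tcp object-group outside_hosts object-group inside_web_servers eq 80
access-group outside_access_in in interface outside
"""


@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp", "ip", ...
    src: list                # ipaddress networks the source may fall in
    dst: list                # ipaddress networks the destination may fall in
    dport: Optional[int]     # None means any destination port


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _target(t, i, groups):
    """Parse one address specification at t[i]; return (networks, next index)."""
    if t[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t[i] == "host":
        return [ipaddress.ip_network(t[i + 1])], i + 2          # bare address -> /32
    if t[i] == "object-group":
        return groups[t[i + 1]], i + 2                          # expand the group
    return [ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False)], i + 2  # "net mask"


def parse_config(text):
    """Return (object groups, ACLs by name, {(interface, direction): acl name})."""
    groups, acls, bindings, current = {}, {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "object-group" and t[1] == "network":
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            current.append(_target(t, 1, groups)[0][0])
        elif t[0] == "access-list":
            name, i = t[1], 2
            if t[i] == "line":            # ASDM may show the ACE position as 'line N'
                i += 2
            if t[i] == "remark":          # remarks carry no filtering semantics
                continue
            action, proto, i = t[i + 1], t[i + 2], i + 3
            src, i = _target(t, i, groups)
            if i < len(t) and t[i] == "eq":   # optional source-port operator
                i += 2
            dst, i = _target(t, i, groups)
            dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif t[0] == "access-group":      # access-group NAME in|out interface IFACE
            bindings[(t[4], t[2])] = t[1]
    return groups, acls, bindings


def evaluate(acl, proto, src_ip, dst_ip, dport):
    """Return (action, ACE number); the number is None for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(acl, 1):
        if ace.proto not in ("ip", proto):
            continue
        if not any(s in net for net in ace.src) or not any(d in net for net in ace.dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n              # first match wins; later ACEs are never consulted
    return "deny", None                   # every ASA ACL ends with an implicit deny


def check(config, iface, direction, proto, src_ip, dst_ip, dport):
    """Find the ACL bound to iface/direction and evaluate one flow against it."""
    _, acls, bindings = parse_config(config)
    name = bindings.get((iface, direction))
    if name is None:
        return "no-acl", None             # nothing bound; interface security levels decide instead
    return evaluate(acls[name], proto, src_ip, dst_ip, dport)


if __name__ == "__main__":
    print(check(EXAMPLE_19_1, "outside", "in", "tcp", "209.165.201.1", "209.165.202.131", 80))
    print(check(EXAMPLE_19_2, "outside", "in", "tcp", "209.165.201.3", "209.165.202.135", 80))
```

Running the two calls at the bottom reproduces the behaviour described in the text: the blocked outside host hits the deny ACE first in Example 19-1, and an outside address that is not a member of outside_hosts falls through to the implicit deny in Example 19-2. The parser appends ACEs in the order they appear and does not honour the numeric position in a `line N` prefix, which only matters if a configuration lists entries out of order.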
Using ASDM, you can configure Cisco ASA to filter ActiveX and Java applets from the traffic passing through it. To set this up, choose Configuration > Features > Security Policy > Filter Rules, which opens the window shown in Figure 19-5. Here, Cisco ASA is being set up to filter ActiveX code from the web requests that originate from the inside network 209.165.202.128/27 and are destined for any address on the outside network.
Figure 19-5. Content Filtering