Configure ACLs and Content Filters
Configuring ACLs

The actual configuration of the ACL on a PIX Security Appliance is relatively simple. An ACL is implemented using the access-list command and the access-group command. The access-list command is used to create an ACL, and the access-group command applies the ACL to the specific interface on the PIX. Keep in mind that only one ACL can be bound to an interface at a time using the access-group command. PIX ACLs differ from ACLs on Cisco IOS routers in that the PIX does not use a wildcard mask like Cisco IOS. It uses a regular subnet mask in the ACL definition. As with Cisco IOS routers, the PIX ACL has an implicit deny all at the end of the ACL.

These commands are examined as part of the Command Reference. Look at these commands and their various capabilities as well as the nat 0 access-list command, which allows an ACL to define traffic that is to be excluded from the NAT process.

It is important to realize that there is more to configuring ACLs on the PIX Security Appliance than simply creating and applying the configuration. ACLs are a powerful tool that can create many network issues if the network administrator does not plan their use well. Before the administrator can begin to configure an ACL on the PIX, it is necessary to have a thorough understanding of the traffic that will be filtered and the user requirements of the network. If the appropriate preparation is not done, it is extremely easy to accidentally disallow business-critical traffic. Use the guidelines shown in Figure for specifying a source, local, or destination address.

The show access-list command lists the access-list command statements in the configuration. The show access-list command also lists a hit count that indicates the number of times an element has been matched during an access-list command search.

The clear access-list command is used to clear access list hit counters. If the counters option is specified, it clears the hit count for the specified ACL; if no ACL is specified, all of the access list counters are cleared.

The no access-list command removes an access-list command from the configuration. If all of the access-list command statements in an ACL group are removed, the no access-list command also removes the corresponding access-group command from the configuration.

The access-list mode command allows the administrator to specify whether the defined ACL should be active immediately or when specified. The access-list commit command activates the previously created ACL.
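The commands discussed above, put together as an added configuration example that is not taken from the original text. PIX 6.x syntax is assumed, as are the interface names, ACL names and addresses (inside network 10.1.1.0/24, a web server at 192.168.1.10, a remote VPN network 10.2.2.0/24); lines beginning with ! are explanatory comments, not configuration.

```text
! Inbound policy for the outside interface. Only HTTP and HTTPS to the web
! server are permitted; every other packet entering the outside interface is
! dropped by the implicit deny at the end of the ACL. Note the regular subnet
! mask form (255.255.255.0), not the IOS wildcard form (0.0.0.255).
access-list OUTSIDE_IN permit tcp any host 192.168.1.10 eq www
access-list OUTSIDE_IN permit tcp any host 192.168.1.10 eq https

! Bind the ACL to the outside interface. Only one ACL per interface: a second
! access-group on the same interface replaces this one rather than adding to it.
access-group OUTSIDE_IN in interface outside

! NAT exemption: traffic from the inside network to the remote VPN network is
! excluded from translation. Keep this ACL as narrow as the VPN policy requires.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Verification: list the ACL entries with their hit counts, then reset the
! counters for OUTSIDE_IN only (omitting the ACL name clears all counters).
show access-list
clear access-list OUTSIDE_IN counters

! Removal: once the last statement of OUTSIDE_IN is removed, the matching
! access-group binding on the outside interface is removed as well.
no access-list OUTSIDE_IN permit tcp any host 192.168.1.10 eq www
no access-list OUTSIDE_IN permit tcp any host 192.168.1.10 eq https
```

After applying the access-group, check show access-list for a rising hit count on the permit lines during a test connection; a count that stays at zero while the connection fails usually means the packet is matching the implicit deny instead.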