The actual configuration of an ACL on a PIX Security Appliance is relatively simple. An ACL is implemented using the access-list command and the access-group command. The access-list command creates an ACL, and the access-group command applies that ACL to a specific interface on the PIX. Keep in mind that only one ACL can be bound to an interface at a time using the access-group command. PIX ACLs differ from ACLs on Cisco IOS routers in that the PIX does not use a wildcard mask as Cisco IOS does; it uses a regular subnet mask in the ACL definition. As with Cisco IOS routers, the PIX ACL has an implicit deny all at the end of the ACL.
These commands are examined as part of the Command Reference. Look at these commands and their various capabilities, as well as the nat 0 access-list command, which allows an ACL to define traffic that is to be excluded from the NAT process.
It is important to realize that there is more to configuring ACLs on the PIX Security Appliance than simply creating and applying the configuration. ACLs are a powerful tool that can create many network issues if the network administrator does not plan their use well. Before the administrator can begin to configure an ACL on the PIX, it is necessary to have a thorough understanding of the traffic that will be filtered and the user requirements of the network. If the appropriate preparation is not done, it is extremely easy to accidentally disallow business-critical traffic. Use the guidelines shown in Figure for specifying a source, local, or destination address.
The show access-list command lists the access-list command statements in the configuration. It also lists a hit count for each element, indicating the number of times that element has been matched during an access-list command search.
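As an added illustration (not code from the original text), the following Python model walks a PIX-style ACL the way the appliance does: the first matching entry wins, the address fields take a real subnet mask rather than an IOS wildcard mask, a packet that matches nothing falls to the implicit deny at the end, and each entry keeps the hit count that show access-list reports. The ACL name, addresses and ports in the sample are constructed, and ports are assumed to be numeric.

```python
import ipaddress

# Constructed sample ACL in PIX access-list syntax (name, addresses and ports are made up).
SAMPLE_ACL = """
access-list OUTSIDE_IN permit tcp any host 192.0.2.10 eq 80
access-list OUTSIDE_IN permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.20 eq 22
access-list OUTSIDE_IN deny ip any any
"""

def subnet_prefix(mask):
    """Prefix length of a contiguous subnet mask (255.255.255.0 -> 24); None for an IOS wildcard like 0.0.0.255."""
    bits = f"{int(ipaddress.IPv4Address(mask)):032b}"
    ones = bits.count("1")
    return ones if bits == "1" * ones + "0" * (32 - ones) else None

def _parse_addr(tokens, i):
    """Consume one PIX address spec (any | host A | A MASK); return (network, index of the next token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    prefix = subnet_prefix(tokens[i + 1])
    if prefix is None:  # the PIX takes a subnet mask here, not an IOS wildcard mask
        raise ValueError(f"{tokens[i + 1]}: PIX expects a subnet mask, not an IOS wildcard mask")
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2

def parse_acl(text):
    """Parse access-list lines into ordered entries, each with a hit counter as shown by show access-list."""
    aces = []
    for t in (ln.split() for ln in text.splitlines() if ln.startswith("access-list")):
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None  # numeric ports only (assumption)
        aces.append({"name": t[1], "action": t[2], "proto": t[3],
                     "src": src, "dst": dst, "port": port, "hits": 0})
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    """Return the action of the first matching entry and bump its hit count; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace["proto"] not in ("ip", proto) or s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        ace["hits"] += 1
        return ace["action"]
    return "deny"  # implicit deny all at the end of every PIX ACL
```

Entries whose hit count stays at zero over a long window are candidates for review, since they either never see the traffic they were written for or are shadowed by an earlier entry.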
The clear access-list command is used to clear access list counters. If the counters option is specified, it clears the hit count for the specified ACL. If no ACL is specified, all of the access list counters are cleared.
The no access-list command removes an access-list command from the configuration. If all of the access-list command statements in an ACL group are removed, the no access-list command also removes the corresponding access-group command from the configuration.
The access-list mode command allows the administrator to specify whether a defined ACL should become active immediately or only when explicitly committed. The access-list commit command activates the previously created ACL.