Access Lists
An access list typically consists of multiple access control entries (ACE) organized internally
by Security Appliance as a linked list. When a packet is subjected to access list control, the
Cisco Security Appliance searches this linked list linearly to find a matching element. The
matching element is then examined to determine if the packet is to be transmitted or
dropped. By default, all access-list commands have an implicit deny unless you explicitly
specify permit. In other words, by default, all access in an access list is denied unless you
explicitly grant access using a permit statement.
The general syntax of the access-list command is as follows:
access-list id [line line-num] deny|permit {protocol |
object-group prot-obj-grp-id} {source-addr source-mask} |
object-group netw-grp-grp-id [operator port [port] | interface if-name
| object-group service-obj-grp-id ]
{destination-addr destination-mask} | object-group new-obj-grp-id |
[operator port [port] | object-group service-obj-grp-id]}
[log [disable | default] | [level]]
Table 7-3 describes the parameters for the access-list command.
NOTE Policy NAT does not support SQL*Net, which is supported by regular NAT.
Table 7-3 access-list Command Parameters
Parameter Description
id Name of an access list. You can use either a name or number.
line-num The line number at which to insert a remark or an ACE.
deny The deny option does not allow a packet to traverse the PIX
Firewall.
permit The permit option selects a packet to traverse the PIX Firewall.
protocol Name or number of an IP protocol. It can be one of the
keywords icmp, ip, tcp, or udp, or an integer in the range of 1 to
254 representing an IP protocol number. To match any Internet
protocol, including ICMP, TCP, and UDP, use the keyword ip.
object-group Specifies an object group.
source-addr Address of the network or host from which the packet is being
sent.
source-mask Netmask bits (mask) to be applied to source-addr, if the source
address is for a network mask.
continues