New Member

Access-list with options flags SYN, ACK in ASA/PIX

Hi,

How is it possible to create an access-list on the ASA or PIX using TCP flags such as SYN, ACK, etc.? I tried to create one here, but it did not work, nor do the options appear.

Regards

4 REPLIES
Hall of Fame Super Blue

Re: Access-list with options flags SYN, ACK in ASA/PIX

Ricardo

What exactly are you trying to achieve? A stateful firewall such as the PIX/ASA already checks these flags as traffic goes through the device. Is there something specific you need?

Jon

New Member

Re: Access-list with options flags SYN, ACK in ASA/PIX

Hi, Jon

I would like to create an access-list with which I could block traffic in the following way: taking as an example two networks, 192.168.0.0/24 and 172.16.0.0/16, only SSH connections initiated from the 192.168.0.0/24 network would be allowed, return traffic would be allowed only for already established connections, and everything else would be blocked. It would be something like the following rules.

access-list 102 permit tcp 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 22 syn

access-list 102 permit tcp 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 22 established

access-list 102 deny tcp 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255

Regards

Hall of Fame Super Blue

Re: Access-list with options flags SYN, ACK in ASA/PIX

Ricardo

That is exactly what a PIX/ASA will do for you automatically.

So for your setup you need to put the 192.168.0.0/24 network on a higher security interface than the 172.16.0.0/16 network.

If you do this then connections can be initiated from the 192.168.0.0/24 network to the 172.16.0.0/16 network and the return traffic will be automatically allowed. However traffic will not be allowed to be initiated from the 172.16.0.0/16 network to the 192.168.0.0/24 network unless you explicitly allow it with an access-list.

Jon
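As an added example (not from any of the posts in this thread), here is an ASA configuration that does what Ricardo asked for following Jon's advice: 192.168.0.0/24 sits on the higher-security interface, it may only initiate SSH toward 172.16.0.0/16, return packets are allowed by the connection table, and nothing can be initiated from 172.16.0.0/16. The interface names, the ASA's own addresses and the ACL name are assumptions.

```cisco
! Added example, not from the original thread. Interface names, the ASA's
! own addresses and the ACL name are assumptions.
!
! Higher security level: connections may be initiated from here toward
! lower-level interfaces.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
! Lower security level: nothing may be initiated from here toward "inside"
! unless an access-list applied to this interface explicitly permits it.
interface GigabitEthernet0/1
 nameif net-lab
 security-level 90
 ip address 172.16.0.1 255.255.0.0
!
! Restrict what "inside" may initiate: SSH to 172.16.0.0/16 only.
! ASA access-lists use real subnet masks, not IOS wildcard masks, and there
! is no "syn" or "established" keyword to add: the ASA inspects the TCP
! handshake itself and only lets packets back in that match an entry in its
! connection table.
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0 eq 22
access-list inside_access_in extended deny ip any any log
!
! Apply the access-list inbound on the interface the traffic ENTERS, i.e.
! the interface of the source network, not the interface of the destination
! network. Once an access-group is applied here, the default "high to low
! is permitted" rule for this interface is replaced by the access-list and
! its implicit deny.
access-group inside_access_in in interface inside
!
! No access-group on net-lab: its implicit deny blocks anything that
! 172.16.0.0/16 tries to initiate, while replies to inside's SSH sessions
! still pass because they match existing connections.
```

To check the result on the box, `show conn` lists the tracked SSH sessions with their TCP state flags, and `packet-tracer input net-lab tcp 172.16.1.10 12345 192.168.0.10 22` should report a drop for a SYN coming from the lower-security side, while `packet-tracer input inside tcp 192.168.0.10 12345 172.16.1.10 22` should show the flow being permitted by `inside_access_in`.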

New Member

Re: Access-list with options flags SYN, ACK in ASA/PIX

Hi,

I did that. The 192.168.0.0/24 network is on security level 100 and the 172.16.0.0/16 network is on security level 90, but it is still not working. I created the following ACLs:

access-list net-lab_access_in extended permit ip 192.16.1.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list net-lab_access_in extended permit ip 192.16.1.0 255.255.255.0 10.0.0.0 255.255.255.0

And there is the implicit deny, which blocks the way back, if that would also affect the 172.16.0.0/16 network. These access-lists are applied to the interface with the 172.16.0.0/16 network.

regards
