How to Use Access-Lists on a Cisco ASA Security Appliance: Cisco ASA Training 101

  • Published on 2 Jul 2024
  • www.soundtraining.net In this Cisco ASA tutorial video, you will learn how to configure access-control lists on a Cisco ASA Security Appliance including basic configuration, named ACLs, renaming, editing, time-ranges, object-groups, and more. Free companion documentation is available at www.soundtraining.net/asa-acce.... Based on the book "The Accidental Administrator: Cisco ASA Security Appliance": amzn.com/1449596622
  • Science & Technology

Comments • 19

  • @TheBlackB0X 4 years ago +1

    Thanks for the video, it helped me understand a configuration error.

    • @doncrawley 4 years ago +1

      You're welcome. I'm glad it was helpful.

    • @TheBlackB0X 4 years ago

      @doncrawley Yes sir, thank you so much.

  • @soundtraining 11 years ago +1

    Thanks for your comment. I'm glad it was helpful.

  • @irfandharma 11 years ago

    Nice and simple, I loved this.

  • @HassytheWitcher 7 years ago

    You are simply awesome... Thanks, sir!

  • @ahmedalali3528 6 years ago

    Very informative. Thx a lot

  • @soundtraining 11 years ago +1

    You can also search on "how to block a website with cisco router access-list", especially at the Cisco website for some examples.

  • @iam_subh5035 6 years ago

    Thank you very much for the awesome tutorial. It is really helpful. But the PDF is not available in the mentioned location.

  • @soundtraining 11 years ago

    If you're confident that the three websites' IP addresses will not change and the IP addresses of you and your boss will not change, you can configure an extended ACL to permit you and your boss (the source addresses) access to the websites (the destination addresses), then deny everyone else access to those three websites, and finally permit all other traffic. It's not a very elegant solution, but it should work. It's covered in the video and also in chapter seven of my Cisco ASA book.
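
The three-step ACL described in the comment above, written out as an added example (not part of the original comment, the video, or the book). The ACL and object-group names, the `inside` interface name, and all addresses are assumptions: 10.0.0.10 and 10.0.0.11 stand in for the two permitted users, and the 198.51.100.x documentation addresses stand in for the three websites.

```cisco
! Constructed example. Names, interface and addresses are placeholders.
! Sources: the two hosts that keep access (assumed static addresses).
object-group network ALLOWED-USERS
 description You and your boss
 network-object host 10.0.0.10
 network-object host 10.0.0.11
!
! Destinations: the three websites, pinned to fixed IP addresses.
object-group network RESTRICTED-SITES
 description The three websites
 network-object host 198.51.100.10
 network-object host 198.51.100.20
 network-object host 198.51.100.30
!
! Web ports only; other protocols to these hosts fall through to entry 3.
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
!
! The ASA evaluates entries top-down and stops at the first match,
! so the specific permit must come before the deny, and the deny
! before the final permit.
access-list INSIDE-IN remark 1. Permit the two users to the three sites
access-list INSIDE-IN extended permit tcp object-group ALLOWED-USERS object-group RESTRICTED-SITES object-group WEB-PORTS
access-list INSIDE-IN remark 2. Deny everyone else to those sites
access-list INSIDE-IN extended deny tcp any object-group RESTRICTED-SITES object-group WEB-PORTS
access-list INSIDE-IN remark 3. Permit all other traffic
access-list INSIDE-IN extended permit ip any any
!
! Apply inbound on the interface the users' traffic enters.
access-group INSIDE-IN in interface inside
```

After applying it, `show access-list INSIDE-IN` shows per-entry hit counts, and `packet-tracer input inside tcp 10.0.0.10 1025 198.51.100.10 80` confirms which entry a given flow matches. Because the entries match on IP address, a site that changes address or sits behind a shared CDN address will no longer be covered as intended.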

  • @chrislowe8085 7 years ago

    Great video series, got a question re ACL with VPN traffic. Even though I create an ACL and apply it to the interface, it doesn't seem to work. I also have a NO_NAT ACL in place, but the logs show the traffic is trying to be NATed? Also, in the Firewall section under Service Policy Rules, in the rule action of the global policy you can enable ICMP traffic through the ASA.

  • @soundtraining 11 years ago

    Good question. There are many enhancements to the ASA software commands compared to IOS commands, such as the ability to use higher-level commands while in submodes and the automatic appending of classful subnet masks when configuring IP addresses on interfaces. I've always assumed that the use of standard masks instead of inverse masks was a usability enhancement. If anyone knows something different, please comment. I haven't found anything online indicating otherwise.

  • @martinlarrosa08 9 years ago

    Hi, excellent video. For testing purposes I have Packet Tracer ASA Cisco Adaptive Security Appliance Software Version 8.4(2)
    Device Manager Version 6.4(5)
    Not all the commands are available for this testing version, so I'm not able to permit TCP traffic on port 80.
    Details:
    object network WEB-SERV
    host X.X.X.X
    nat (inside,outside) dynamic interface
    access-list TEST permit tcp any host X.X.X.X eq www
    access-group TEST in interface outside
    The above configuration is not working. Please also bear in mind that I have a Server directly connected to the outside interface acting as a Web Server on the Internet.

  • @MohammadTauseefSiddiqui 10 years ago

    I have one query regarding ASA 8.0 while configuring dual NAT for a backup ISP.
    1- Primary ISP - we have multiple VLANs on a layer 3 switch connected to the firewall, and the firewall is connected to the first 2900 router with a public IP. Translations are working on the firewall - nat (inside) 1 172.29.0.0 255.255.0.0 and global (outside) 1 interface
    Note - we have 172.29.1.0 to 172.29.200.0 VLANs on the layer 3 switch.
    Only 1 firewall with 3 interfaces - inside int to layer 3, outside int to the first 2900 router, and backup int to the 2800 router.
    2- Backup link - configured on the same firewall to the second 2800 router with a public IP. NAT translations are working on the same ASA - I have configured global (backup) 1 interface with nat (inside) 1 172.29.0.0 255.255.0.0
    I want that when the primary link goes down, the VLAN 172.29.1.0 can only access the backup link, not other VLANs.
    Please send me the configurations if possible. ACL or NAT?

  • @soundtraining 11 years ago

    No worries. It can be dangerous to use the Internet while under the influence. :)

  • @soundtraining 11 years ago

    Sorry "ackle" doesn't work for you. It's pretty common to refer to ACLs as "ackles". Thanks for making me aware of it. I doubt I'll change, but now that I know it bothers at least one person, I'll watch to see if any students cringe when I say "ackle". If I see large numbers wrenching their faces, I'll change. Maybe I'm wrong. Anyone else feel the same way?

  • @plopperator 11 years ago +1

    Sorry, I was only mucking around, and probably drunk.

  • @plopperator 11 years ago

    Can't watch this. Can't say 'ackle'. Grrr!