
Access Lists

Can someone show me a good guide to writing an access list?

by LloydSev (Edited)
1) Every ACL command starts with "Access-list".

Command Thus far: "Access-list"

2) Every ACL must have a group name, to group the list together. We'll use "test".

Command Thus far: "Access-list test"

3) Every ACL command must specify whether to permit or deny. For this example, we'll use "deny".

Command Thus far: "access-list test deny"

4) Every ACL must specify what protocol to filter by: IP, TCP, UDP, etc. We'll use "IP" for this.

Command Thus far: "access-list test deny ip"

5) Every ACL must specify what addresses to apply the filter to. Remember that the first address listed is ALWAYS the SOURCE address. Now let's also assume our Network Admin hates google, and is paranoid.. so he wants to block all access he thinks google is trying to make to his system..

Command Thus far: "access-list test deny ip 64.233.167.147 255.255.255.255"

Note: You use 255.255.255.255 to specify that we are dealing with one host. You can also use the following command to shorten the ACL further:

Command Thus far: "access-list test deny ip host 64.233.167.147"

Note: This method reduces characters used, and helps make the command more understandable, as you are blocking that one host.

6) Every ACL must also specify the destination hosts the source is trying to reach. We'll assume we have multiple networks inside our network: 193.100.1.0 and 193.100.4.0

Command Thus far: "access-list test deny ip host 64.233.167.147 193.100.0.0 255.255.0.0"

Note: This will effectively block google from making a connection to both networks, and to every other network covered by the 193.100.0.0 255.255.0.0 mask. To shorten that up, you can use the following to block google from making connections to "ALL or ANY networks" inside.

Completed ACL Command: "access-list test deny ip host 64.233.167.147 any"

Note: As you notice, this reduced characters dramatically, and effectively blocks the host google from connecting to ANY node or network on any interface connected to the PIX.

7) Now, if you wanted to filter by port #, say port 80, as every paranoid Network Admin knows.. when google reaches out to hack you, it will only do so on port 7485.. and using TCP of course.. here is what it would look like.

Completed ACL Command: "access-list test deny tcp host 64.233.167.147 any eq 7485"

Note: As you notice, we added "eq" to the equation. This indicator tells the PIX that the next modifier is the port to filter on.

8) And then of course, you must bind the access-list to an interface..

Command: "access-group test in interface outside"

Note: This command binds access-list test to all traffic coming into the outside interface. The command will always be the same, except for the access-list name and the interface, and it is always applied to traffic coming into an interface.

This specific example showed how to make an ACL which filters traffic coming from the "outside" into the PIX. The same can be applied to any interface, as long as you make sure to remember that the first address is the "source", and the second is the "destination". So for an ACL covering the "inside" interface, you must specify the internal host or network first, before the public IP or network.

I hope this helps!
Lloyd Severence
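To make the eight steps above concrete, here is an added example (not from the FAQ, and not Cisco's code) that parses access-list lines in exactly the form built up above and evaluates a packet against them the way the PIX does: first match wins, and anything left unmatched hits the implicit deny at the end of every access-list, which the FAQ does not spell out. The function names and the sample list are assumptions made for this example.

```python
import ipaddress

# Address spec: "any", "host A.B.C.D", or "A.B.C.D MASK" (PIX takes a real
# subnet mask here, not an IOS-style wildcard mask).
def _parse_addr(tokens, i):
    """Return (network, next_index) for the address spec starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # strict=False tolerates host bits in the address part of "A.B.C.D MASK"
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    t = line.lower().split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"malformed ACE: {line}")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t):  # optional trailing "eq PORT"
        if t[i] != "eq" or i + 1 >= len(t):
            raise ValueError(f"expected 'eq PORT' at end of: {line}")
        port = int(t[i + 1])
    return {"name": t[1], "action": t[2], "proto": t[3],
            "src": src, "dst": dst, "dport": port}

def evaluate(acl_lines, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation; anything unmatched hits the PIX implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in (parse_ace(line) for line in acl_lines):
        if ace["proto"] not in ("ip", proto):  # "ip" entries match every protocol
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

# Constructed sample list: the FAQ's own deny lines plus a permit-all so that
# ordering and the implicit deny both become visible.
ACL = [
    "access-list test deny tcp host 64.233.167.147 any eq 7485",
    "access-list test deny ip host 64.233.167.147 193.100.0.0 255.255.0.0",
    "access-list test permit ip any any",
]
```

Drop the final permit line and every packet not matched by the two deny entries is also denied, which is why an access-group bound to an interface with only deny entries silently blocks all traffic there.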