Getting Started: Configuring Cisco Router ACL

This guide walks through the steps of using Firewall Builder to configure a Cisco router Access Control List (ACL). The examples will be based on a router with the configuration shown in the diagram below.

Step 1: Creating Objects

Firewall Builder is based on the concept of objects. There are a variety of different object types that can be used to define IP objects that can be used as the Source and Destination in your router ACL rules. Two of the most common IP objects used in Cisco access lists are Networks and Addresses.

Network Objects

To create a Network object, for example a network to represent the internal network in the diagram above, go to the object tree on the left side of the screen and double-click the folder labeled Objects to expand it. Right click on the folder called Networks and select “New Network”. This creates a new network object. In the lower portion of your screen, called the Editor Panel, you can modify the properties of this object.

Change the object name to something that matches the function, in this example we are going to call it “Internal Network” to represent the network connected to our "inside" interface. The address is set to and the netmask is

NOTE: When editing the attributes of an object there is no Apply or Submit button. Once you edit an attribute as soon as you move away from the field you were editing the change will take effect immediately.

Address Objects

To create an object that represents a single IP address, similar to the host parameter in a Cisco access list, go to the object tree and right-click on the Addresses folder and select "New Address". In the Editor Panel change the name of the object to something that reflects its function, for example “POP3 Server”, and set the IP address.

Step 2: Define The Router

Firewall Builder refers to devices that support filtering rules as firewalls. To create a firewall object to represent your router click on the “Create new firewall” icon on the main window of Firewall Builder. This will launch a wizard that walks you through creating your router.

Enter a name for the firewall object, in this example we will use la-rtr-1. Change the drop down menu for software that is running on the firewall to be “Cisco IOS ACL”.

Click the "Next >" button to continue to the next step in the wizard.

When creating a firewall in Firewall Builder you have a choice of configuring interfaces manually, or you can use SNMP discovery if you have SNMP enabled on your router and you have know the Read-Only or Read-Write community string. For this example we are going to configure the router interfaces manually.

Click the "Next >" button to continue to the next step.

The firewall that you create in Firewall Builder needs to match the router that you want to deploy the access lists on. This means that the interface names and IP addresses in the firewall object that you are creating must match exactly to what is configured on the router.

Click the green icon to add a new interface to the router. Enter the name of the router exactly as it is shown on a router command line when you run “show ip interfaces brief” command. In our example the interfaces are FastEthernet0/0 and FastEthernet0/1.

Set the interface name as FastEthernet0/0 and set the label to outside. Click on the Add address button and set the IP address to with a netmask of

Click the green icon to add another interface to the router. Enter the information in to the wizard to match the second interface as follows:

Click on the Finish button.

After you create the firewall object representing the router that you will be installing the access lists on will be displayed in the object tree on the left side. The Policy object, which is where the access list rules are configured, is automatically opened in the main window.

Before moving on you should save our data file that contains the new firewall object that you just created. Do this by going to the File -> Save As menu item. Choose a name and location to save the file to.


Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
 Using free CSS Templates.