access-list [name] extended deny [proto] [src] [dst] log
Creates or modifies an extended access control list (ACL) entry that denies traffic matching specified protocol, source, and destination, with logging enabled.
Overview
The 'access-list [name] extended deny [protocol] [src] [dst] log' command is used on Cisco ASA firewalls to create an extended access control list (ACL) entry that denies traffic matching specified criteria and reports the denied packets to syslog. Extended ACLs are the primary method for filtering traffic based on Layer 3 and Layer 4 information, such as source/destination IP addresses, protocols (TCP, UDP, ICMP, etc.), and port numbers. The 'deny' keyword instructs the firewall to drop matching packets. The 'log' keyword changes how the drop is reported: a deny by an entry without 'log' produces syslog message 106023 for every dropped packet, whereas an entry with 'log' produces syslog message 106100 once for the first packet of a flow and then a summary with a hit count at the logging interval (300 seconds by default), which keeps logging usable under a flood. Either form is crucial for security monitoring and troubleshooting.
This command is typically used in security policies to block unwanted traffic, such as preventing external hosts from accessing internal services or stopping malicious traffic. On the ASA, ACLs are applied to interfaces using the 'access-group' command in either inbound or outbound direction. The ASA processes ACLs in a top-down order; the first matching entry determines the action (permit or deny). If no match is found, the default action is to deny all traffic (implicit deny).
In troubleshooting workflows, this command helps identify blocked traffic by examining hit counts and syslog messages. For example, if a user cannot reach a server, checking the ACL hit counts can reveal whether traffic is being denied. The syslog messages provide per-flow evidence of denied packets, aiding in security incident detection. Understanding how to read and interpret ACL logs is essential for network security professionals.
access-list [name] extended deny [protocol] [source_ip source_mask] [operator port] [destination_ip destination_mask] [operator port] [log [[level] [interval secs] | disable | default]]
The port operator (for example 'eq 23') is optional and applies only to tcp and udp; 'log' takes an optional severity level and interval.
When to Use This Command
- Block all traffic from a specific malicious IP address to your internal network.
- Deny Telnet (TCP port 23) traffic from any source to a specific server subnet.
- Prevent ICMP echo requests (ping) from external sources to internal hosts.
- Log and drop all traffic from a known botnet command-and-control server.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| name | string (e.g., OUTSIDE, INSIDE) | The name of the access list. It is case-sensitive and must be unique. Typically named after the interface or direction it is applied to. |
| protocol | ip, tcp, udp, icmp, or a protocol number | The protocol to match. Common values: ip (all IP protocols), tcp, udp, icmp. You can also use a numeric protocol number (e.g., 6 for TCP). |
| source_ip source_mask | host A.B.C.D, A.B.C.D netmask, or any | The source IP address and mask. Use 'host' for a single IP, a network address with a subnet mask, or 'any' for all sources. The mask is a normal subnet mask (e.g., 255.255.255.0), not the wildcard mask that IOS ACLs use. |
| destination_ip destination_mask | host A.B.C.D, A.B.C.D netmask, or any | The destination IP address and mask. Same format as source. |
| operator port | eq, neq, lt, gt, or range, followed by a port number or name (e.g., eq 23 or eq telnet) | Optional, for tcp and udp only. May follow the source address, the destination address, or both. |
| log | log [[level] [interval secs] \| disable \| default] | Enables the logging option on this entry: the ASA generates syslog 106100 (severity 6, informational, by default) for the first packet of each matching flow and then a summary with a hit count every 300 seconds by default; the optional level (0-7) and interval override these defaults. Without 'log', denied packets are still reported, one syslog 106023 (severity 4, warning) per packet; 'log disable' suppresses that for the entry. |
Command Examples
Deny ICMP from a specific host to any destination
access-list OUTSIDE extended deny icmp host 10.10.10.10 any log
show access-list OUTSIDE
access-list OUTSIDE extended deny icmp host 10.10.10.10 any log (hitcnt=0)
The ACL entry denies ICMP from host 10.10.10.10 to any destination. The hitcnt shows 0 matches so far.
Deny TCP port 23 from any to a specific subnet
access-list INSIDE extended deny tcp any 192.168.1.0 255.255.255.0 eq 23 log
show access-list INSIDE
access-list INSIDE extended deny tcp any 192.168.1.0 255.255.255.0 eq telnet log (hitcnt=5)
Denies Telnet traffic from any source to the 192.168.1.0/24 subnet. The hitcnt of 5 indicates 5 matches have occurred. Note that 'show access-list' displays the well-known port name (telnet) even though the entry was typed as 'eq 23'.
Understanding the Output
The output of 'show access-list' displays the ACL entries along with hit counts (hitcnt). A hitcnt of 0 means no traffic has matched that entry yet. Increasing hitcnt values indicate that traffic is matching, and for a deny entry, being dropped; the counter increments whether or not 'log' is configured. What 'log' changes is the syslog output. For a deny entry without 'log', every dropped packet produces a message like %ASA-4-106023: Deny icmp src outside:10.10.10.10 dst inside:192.168.1.100 (type 8, code 0) by access-group "OUTSIDE" [0x0, 0x0]. For a deny entry with 'log', the ASA instead produces message 106100 once for the first packet of a flow and then a summary at each interval; an illustrative message is %ASA-6-106100: access-list OUTSIDE denied icmp outside/10.10.10.10(8) -> inside/192.168.1.100(0) hit-cnt 1 first hit [0x0, 0x0]. Both forms provide the source/destination IP, the protocol (and ports or ICMP type/code), and the ACL name. Healthy operation shows expected denies; unexpected denies may indicate misconfiguration or an attack.
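To show how the two message formats are consumed by a detection pipeline, here is an added example (not code from the page or from Cisco): a small Python parser for 106023 and 106100 ACL messages run over constructed sample lines. The sample lines, the hash codes and the threshold of 10 denied packets are assumptions; 106100 summaries carry a hit-cnt, so the aggregation weights them by it rather than counting one message as one packet.

```python
import re
from collections import Counter

# Constructed sample syslog lines (illustrative, not captured from a device).
# 106023 is emitted per packet by a deny ACE without 'log'; 106100 is emitted by an
# ACE with 'log' on the first hit of a flow and then as an interval summary with hit-cnt.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:198.51.100.7/40212 dst inside:192.168.1.100/23 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny icmp src outside:10.10.10.10 dst inside:192.168.1.100 (type 8, code 0) by access-group "OUTSIDE" [0x0, 0x0]
%ASA-6-106100: access-list OUTSIDE_IN denied tcp outside/198.51.100.7(40213) -> inside/192.168.1.100(23) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list OUTSIDE_IN denied tcp outside/198.51.100.7(40214) -> inside/192.168.1.100(23) hit-cnt 37 300-second interval [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list OUTSIDE_IN permitted tcp outside/203.0.113.9(51000) -> inside/192.168.1.100(443) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
%ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.9/51000 (203.0.113.9/51000) to inside:192.168.1.100/443 (192.168.1.100/443)
"""

# Ports are absent for ICMP in 106023; the ICMP type/code group is absent for TCP/UDP.
RE_106023 = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?'
    r'(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))? '
    r'by access-group "(?P<acl>[^"]+)"'
)

RE_106100 = re.compile(
    r'%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) '
    r'(?P<proto>\w+) (?P<src_if>\w+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> '
    r'(?P<dst_if>\w+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\) '
    r'hit-cnt (?P<hits>\d+) (?P<when>first hit|\d+-second interval)'
)


def parse_line(line):
    """Normalize one ACL message into a dict; return None for anything else."""
    m = RE_106023.search(line)
    if m:
        d = m.groupdict()
        return {"msg": "106023", "action": "denied", "acl": d["acl"], "proto": d["proto"],
                "src": d["src_ip"], "dst": d["dst_ip"],
                "dst_port": int(d["dst_port"]) if d["dst_port"] else None,
                "hits": 1}                      # one 106023 = one dropped packet
    m = RE_106100.search(line)
    if m:
        d = m.groupdict()
        return {"msg": "106100", "action": d["action"], "acl": d["acl"], "proto": d["proto"],
                "src": d["src_ip"], "dst": d["dst_ip"], "dst_port": int(d["dst_port"]),
                "hits": int(d["hits"])}         # summary carries the packet count
    return None


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def deny_counts(events):
    """Denied packets per (source IP, ACL name), weighted by hit-cnt."""
    c = Counter()
    for e in events:
        if e["action"] == "denied":
            c[(e["src"], e["acl"])] += e["hits"]
    return c


def noisy_sources(events, threshold):
    """Source IPs whose denied-packet total reaches the threshold, most active first."""
    per_src = Counter()
    for (src, _acl), n in deny_counts(events).items():
        per_src[src] += n
    return [src for src, n in per_src.most_common() if n >= threshold]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for key, n in deny_counts(events).most_common():
        print(key, n)
    print("sources over threshold:", noisy_sources(events, 10))
```

The connection-built message (302013) is deliberately included in the sample so the parser is seen ignoring unrelated messages; the permitted 106100 line is parsed but excluded from the deny totals.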
Configuration Scenarios
Blocking External ICMP to Internal Network
You want to prevent external hosts from pinging internal hosts on the 192.168.1.0/24 subnet.
Topology
Internet --- ASA (outside: 203.0.113.1) --- (inside: 192.168.1.0/24)
Steps
1. Create an ACL named OUTSIDE_IN.
2. Add a deny entry for ICMP from any source to the internal subnet.
3. Apply the ACL inbound on the outside interface.
! Create ACL
access-list OUTSIDE_IN extended deny icmp any 192.168.1.0 255.255.255.0 log
! Apply to interface
access-group OUTSIDE_IN in interface outside
Verify: Use 'show access-list OUTSIDE_IN' to see hit counts. Ping from an external host to 192.168.1.100 should fail, and hitcnt should increment. You can also confirm which entry a packet hits without sending real traffic: 'packet-tracer input outside icmp 203.0.113.50 8 0 192.168.1.100' (203.0.113.50 standing in for any external host) walks the packet through the ACL and reports the entry that dropped it.
Watch out: Ensure the ACL is applied to the correct interface and direction. If applied inbound on the inside interface ('access-group OUTSIDE_IN in interface inside'), it would filter only traffic originating from inside hosts and would not block inbound ICMP from the Internet. Also remember that with this single deny entry, the implicit deny at the end of the ACL already drops all other inbound traffic; add the permit entries you actually need after the deny, and keep the deny ahead of any broader permit, or it will never be evaluated.
Troubleshooting with This Command
When troubleshooting connectivity issues on a Cisco ASA, the 'access-list' command with logging is invaluable. Start by checking the hit counts on the ACL entries using 'show access-list'. If a deny entry has a high hit count, it indicates that traffic is being blocked by that rule. Conversely, if a permit entry you expect to match has a hit count of 0, the traffic is matching an earlier entry or is not reaching that interface at all.
Syslog messages provide detailed information about denied packets. A deny entry without 'log' produces a message like '%ASA-4-106023: Deny tcp src outside:10.0.0.1/12345 dst inside:192.168.1.100/80 by access-group "OUTSIDE_IN"', giving the source IP, destination IP, ports, and the ACL name; a deny entry with 'log' produces 106100 messages carrying the same fields plus a per-flow hit count. Use these logs to identify the source of malicious traffic or misconfigurations.
If expected traffic is being denied, verify the ACL order and ensure that a permit entry exists before the deny entry if needed; 'show access-list' prints each entry with its line number, and 'access-list [name] line [number] extended permit ...' inserts an entry at that position instead of appending it. Also, check the interface ACL application with 'show access-group'. Remember that the ASA has an implicit deny at the end of every ACL, so any traffic not explicitly permitted will be denied. To allow traffic, you must add a permit entry. For troubleshooting, temporarily adding a permit entry with 'log' ahead of the deny can help identify whether traffic is reaching the firewall.
CCNA Exam Tips
Remember that the 'log' keyword is optional but often tested; it enables logging for that ACE.
Know that ACLs are processed top-down; order matters for deny vs permit.
For CCNP Security, understand how ACL logging interacts with syslog and how to interpret hit counts.
Common Mistakes
Forgetting to apply the ACL to an interface with the 'access-group' command, causing the ACL to have no effect.
Using the wrong mask notation: 'any' matches all addresses, but a network entry takes a normal subnet mask (192.168.1.0 255.255.255.0); typing an IOS-style wildcard mask (0.0.0.255) on the ASA produces an entry that does not match the intended hosts.
Placing a deny entry after a permit entry that matches the same traffic, resulting in the deny never being evaluated.
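The ordering rules in the troubleshooting section and the shadowed-deny mistake above can be checked in code. The following Python model of ASA extended ACL evaluation is an added example, not the page's or Cisco's code: it parses only the syntax used on this page ('any', 'host', address plus subnet mask, an optional 'eq' port, and 'log'), applies first-match top-down with the implicit deny, and keeps a hitcnt per entry like 'show access-list'. The two ACLs and the test packets are constructed for the example; the first ACL puts a broad permit ahead of the Telnet deny so that the deny can never get a hit.

```python
import ipaddress

# Constructed ACLs in the page's syntax (not taken from a device). In SHADOWED_ACL
# the 'permit ip any any' also matches Telnet, so the deny after it is never evaluated.
SHADOWED_ACL = """\
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended deny tcp any 192.168.1.0 255.255.255.0 eq 23 log
"""
# Deny entries first, then a narrow permit; everything else falls to the implicit deny.
CORRECT_ACL = """\
access-list OUTSIDE_IN extended deny tcp any 192.168.1.0 255.255.255.0 eq 23 log
access-list OUTSIDE_IN extended deny icmp any 192.168.1.0 255.255.255.0 log
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.100 eq 443
"""
# Assumption: only these well-known port names are needed for the example.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443}


def _addr(tokens):
    """Consume one address argument: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA takes a real subnet mask here, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _port(tokens):
    """Consume an optional 'eq PORT' operator (number or well-known name)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse 'access-list NAME extended {permit|deny} PROTO SRC [eq P] DST [eq P] [log]' lines."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            raise ValueError(f"unsupported line: {line}")
        src, rest = _addr(t[5:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        aces.append({"name": t[1], "action": t[3], "proto": t[4], "src": src, "sport": sport,
                     "dst": dst, "dport": dport, "log": "log" in rest, "hitcnt": 0})
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dport=None, sport=None):
    """Top-down, first match wins. Returns (action, index of matching entry, log keyword set).

    No match means the implicit deny at the end of the ACL: index None, and no
    entry's hitcnt or 'log' option applies (the ASA still reports it as 106023).
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, a in enumerate(aces):
        if a["proto"] not in ("ip", proto):          # 'ip' matches every protocol
            continue
        if s not in a["src"] or d not in a["dst"]:
            continue
        if a["sport"] is not None and a["sport"] != sport:
            continue
        if a["dport"] is not None and a["dport"] != dport:
            continue
        a["hitcnt"] += 1                             # what 'show access-list' shows as (hitcnt=N)
        return a["action"], i, a["log"]
    return "deny", None, False


def hitcounts(aces):
    """Per-entry hit counts in ACL order, for comparison with 'show access-list'."""
    return [a["hitcnt"] for a in aces]


if __name__ == "__main__":
    shadowed = parse_acl(SHADOWED_ACL)
    print(evaluate(shadowed, "tcp", "198.51.100.7", "192.168.1.100", dport=23), hitcounts(shadowed))
    good = parse_acl(CORRECT_ACL)
    print(evaluate(good, "tcp", "198.51.100.7", "192.168.1.100", dport=23), hitcounts(good))
    print(evaluate(good, "tcp", "203.0.113.9", "192.168.1.101", dport=443))  # implicit deny
```

Running it shows the Telnet probe permitted by the shadowed ACL with the deny's hitcnt stuck at 0, the same probe denied and logged by the corrected ACL, and HTTPS to a host other than 192.168.1.100 dropped by the implicit deny with no entry index at all.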
Platform Notes
On Cisco ASA, ACL evaluation is tied to the connection table: only the first packet of a flow is checked against the interface ACL, and later packets of an established connection are forwarded by the state table without re-evaluating the ACL. This differs from IOS routers, where standard and extended ACLs are stateless and every packet is checked. The 'log' keyword on the ASA generates syslog 106100 at severity 6 (informational) by default, while denies by entries without 'log' generate syslog 106023 at severity 4 (warning). To change the severity of a logged entry, either give the level on the entry itself ('log 4') or change the message globally with 'logging message 106100 level 4'.
On Cisco IOS, the equivalent is 'access-list [number] deny [protocol] [src] [dst] log' for a numbered extended ACL (100-199 or 2000-2699) or 'deny [protocol] [src] [dst] log' inside 'ip access-list extended [name]' for a named one. IOS ACLs use wildcard masks (0.0.0.255 for a /24), not subnet masks, and IOS 'log' reports the first match and then periodic summaries rather than every packet. The ASA also supports object-group-based ACLs for more complex configurations.
Version differences: In ASA 8.3 and later, the 'access-list' syntax itself is unchanged, but NAT was reworked and ACLs now match the real (untranslated) addresses of hosts rather than their translated addresses, which changes what must be written in the source and destination fields when NAT is involved. Always verify the exact syntax for your ASA version using the documentation.