Applying The Time Range To An Ace; Logging Access List Activity; Access List Logging Overview - Cisco PIX 500 Series Configuration Manual

Security appliance command line

Chapter 16
Identifying Traffic with Access Lists
The following is an example of an absolute time range beginning at 8:00 a.m. on January 1, 2006.
Because no end time and date are specified, the time range is in effect indefinitely.
hostname(config)# time-range for2006
hostname(config-time-range)# absolute start 8:00 1 january 2006
The following is an example of a weekly periodic time range from 8:00 a.m. to 6:00 p.m. on weekdays:
hostname(config)# time-range workinghours
hostname(config-time-range)# periodic weekdays 8:00 to 18:00

Applying the Time Range to an ACE

To apply the time range to an ACE, use the following command:
hostname(config)# access-list access_list_name [extended] {deny | permit}... [time-range name]
See the "Adding an Extended Access List" section on page 16-5 for complete access-list command syntax.
Note: If you also enable logging for the ACE, use the log keyword before the time-range keyword. If you disable the ACE using the inactive keyword, use the inactive keyword as the last keyword.
The following example binds an access list named "Sales" to a time range named "New_York_Minute."
hostname(config)# access-list Sales line 1 extended deny tcp host 209.165.200.225 host 209.165.201.1 time-range New_York_Minute

Logging Access List Activity

This section describes how to configure access list logging for extended access lists and Webtype access
lists.
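This section includes the following topics:
Access List Logging Overview, page 16-19
Configuring Logging for an Access Control Entry, page 16-20
Managing Deny Flows, page 16-21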

Access List Logging Overview

By default, when traffic is denied by an extended ACE or a Webtype ACE, the security appliance
generates system message 106023 for each denied packet, in the following form:
%ASA|PIX-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_id
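Because one 106023 message is generated per denied packet by default, reviewing denies usually means aggregating them. The following Python example is added here and is not part of the Cisco guide: it parses messages in the 106023 form above and counts denies per access list and source address. The sample lines are constructed, and the tolerance for a hyphenated access-group keyword, a quoted ACL name and a parenthesized ICMP type and code are assumptions about how messages may appear in practice.

```python
import re
from collections import Counter

# Layout follows the 106023 form quoted above. Assumptions: ports and the
# "type ..., code ..." part are optional, the ICMP part may sit in parentheses,
# and access_group may appear with a hyphen and a quoted ACL name.
DENY_106023 = re.compile(
    r"%(?P<platform>ASA|PIX)-4-106023: Deny (?P<protocol>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)(?:/(?P<dst_port>\d+))? "
    r"(?:\(?type (?P<icmp_type>[^,\s]+), code (?P<icmp_code>\d+)\)? )?"
    r'by access[-_]group "?(?P<acl_id>[^"\s]+)"?'
)

def parse_deny(line):
    """Return the fields of one 106023 message as a dict, or None if malformed."""
    m = DENY_106023.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("src_port", "dst_port", "icmp_code"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec

def repeated_denies(lines, threshold=3):
    """Count denies per (acl_id, src_ip) and keep pairs at or above threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_deny(line)
        if rec is not None:
            counts[(rec["acl_id"], rec["src_ip"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}

# Constructed sample lines, not captured from an appliance.
SAMPLE = [
    "%PIX-4-106023: Deny tcp src outside:209.165.200.225/1025 dst inside:209.165.201.1/80 by access_group Sales",
    "%PIX-4-106023: Deny tcp src outside:209.165.200.225/1026 dst inside:209.165.201.1/80 by access_group Sales",
    "%PIX-4-106023: Deny tcp src outside:209.165.200.225/1027 dst inside:209.165.201.1/80 by access_group Sales",
    '%ASA-4-106023: Deny icmp src outside:192.0.2.10 dst inside:198.51.100.5 (type 8, code 0) by access-group "outside_in"',
    "%PIX-4-106023: Deny tcp src outside:209.165.200.225/1028",  # truncated line
]

if __name__ == "__main__":
    for (acl_id, src_ip), n in repeated_denies(SAMPLE).items():
        print(f"{acl_id}: {src_ip} denied {n} times")
```

The truncated last line is skipped rather than counted, so a cut-off syslog datagram does not inflate the totals.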
OL-12172-03
Cisco Security Appliance Command Line Configuration Guide
