Configure Extended ACLs; Add an Extended ACE for IP Address or Fully-Qualified Domain Name-Based Matching - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Chapter 3
Access Control Lists

Configure Extended ACLs

An extended ACL is composed of all ACEs with the same ACL ID or name. Extended ACLs are the most
complex and feature-rich type of ACL, and you can use them for many features. The most noteworthy
use of extended ACLs is as access groups applied globally or to interfaces, which determine the traffic
that is permitted or denied to flow through the ASA. Extended ACLs are also used to select the
traffic to which other services (for example NAT, VPN filters, or service policies) are applied.
Because extended ACLs are complex, the following sections focus on creating ACEs that provide specific
types of traffic matching. The first sections, on basic address-based ACEs and on TCP/UDP ACEs, build
the foundation for the remaining sections.

Add an Extended ACE for IP Address or Fully-Qualified Domain Name-Based Matching

The basic extended ACE matches traffic based on source and destination addresses, including IPv4 and
IPv6 addresses and fully-qualified domain names (FQDN), such as www.example.com. Every
type of extended ACE must include some specification of source and destination address, so this topic
describes the minimum extended ACE.
If you want to match traffic based on an FQDN, you must create a network object for each FQDN and
reference the object in the ACE. Note that the ASA matches on the IP addresses it resolves for the name,
so the ASA must be able to reach a DNS server (dns domain-lookup and dns server-group); an FQDN
object that cannot be resolved matches nothing, and a host that connects using an address the ASA did not
resolve for that name is not matched either.
Tip
• Edit or move an ACE or remark—You cannot edit or move an ACE or remark in place. Instead, create
a new ACE or remark with the desired values at the right position (using the line number), then
delete the old ACE or remark. Because you can insert ACEs by line number only in extended ACLs, you
must rebuild standard, webtype, or EtherType ACLs if you need to edit or move their ACEs. It is far
easier to reorganize a long ACL using ASDM.
• Delete an ACE or remark—Use the no access-list parameters command to remove an ACE or
remark. Use the show access-list command to view the parameter string that you must enter: the
string must exactly match an ACE or remark for it to be deleted, with the exception of the line line-num
argument, which is optional on the no access-list command.
• Delete an entire ACL, including remarks—Use the clear configure access-list name command.
USE CAUTION! The command does not ask you for confirmation, and if you omit the name,
every access list on the ASA is removed.
• Rename an ACL—Use the access-list name rename new_name command.
• Apply the ACL to a policy—Creating an ACL in and of itself does nothing to traffic. You must
apply the ACL to a policy. For example, you can use the access-group command to apply an
extended ACL to an interface, thus denying or permitting traffic that goes through that interface. For
information on some of the uses of ACLs, see ACL Types, page 3-1.

Subsections of Configure Extended ACLs:
Add an Extended ACE for IP Address or Fully-Qualified Domain Name-Based Matching, page 3-7
Add an Extended ACE for TCP or UDP-Based Matching, with Ports, page 3-9
Add an Extended ACE for ICMP-Based Matching, page 3-10
Add an Extended ACE for User-Based Matching (Identity Firewall), page 3-10
Add an Extended ACE for Security Group-Based Matching (Cisco TrustSec), page 3-11
Examples for Extended ACLs, page 3-12
Example of Converting Addresses to Objects for Extended ACLs, page 3-13
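The following ASA CLI session is an added example that ties this section together; it is not taken from the manual. It builds the minimum extended ACEs for IPv4, IPv6 and FQDN matching, performs the insert-then-delete "edit" described in the tip, and applies the ACL with access-group. The interface name outside, the object names, the ACL name OUTSIDE_IN and all addresses (RFC 5737/3849 documentation ranges) are assumptions chosen for the example.

```cisco
! Added example, not from the manual. Interface, object and ACL names and all
! addresses are assumptions; the addresses are documentation ranges only.

! 1. FQDN objects are useless unless the ASA itself can resolve names.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53

! 2. One network object per FQDN; an IPv6 subnet object is shown for contrast.
object network web-example
 fqdn www.example.com
object network dmz-v6
 subnet 2001:db8:10::/64

! 3. The minimum extended ACE: protocol, source address, destination address.
!    IPv4 and IPv6 ACEs may share one extended ACL (any4/any6 pick the family).
access-list OUTSIDE_IN extended permit ip host 198.51.100.7 object web-example
access-list OUTSIDE_IN extended permit ip 198.51.100.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit ip any6 object dmz-v6
access-list OUTSIDE_IN extended deny ip any any log

! 4. "Edit" the first ACE (widen the source from one host to the /24):
!    insert the replacement at the original position, then delete the old ACE.
!    Confirm the line number with "show access-list" before inserting.
access-list OUTSIDE_IN line 1 extended permit ip 198.51.100.0 255.255.255.0 object web-example
no access-list OUTSIDE_IN extended permit ip host 198.51.100.7 object web-example

! 5. A remark is deleted the same way, by repeating its exact text.
access-list OUTSIDE_IN remark Web server reached by name
no access-list OUTSIDE_IN remark Web server reached by name

! 6. Nothing happens to traffic until the ACL is applied to a policy.
access-group OUTSIDE_IN in interface outside

! 7. Verify: line numbers, hit counts and the addresses currently resolved
!    for the FQDN object. The strings shown are the ones "no access-list" expects.
show access-list OUTSIDE_IN

! 8. Renaming keeps the access-group binding; clearing removes every ACE and remark.
!    Never run "clear configure access-list" without a name on a production ASA.
access-list OUTSIDE_IN rename OUTSIDE_IN_V2
! clear configure access-list OUTSIDE_IN_V2
```

Step 4 deliberately avoids creating two identical ACEs: the replacement has a different source mask than the original, so the no access-list command without a line number is unambiguous. When the replacement must be textually identical to an ACE elsewhere in the list, delete the old entry first or include the line line-num argument in the no command to pick the right one.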
Cisco ASA Series Firewall CLI Configuration Guide
Configure ACLs
3-7
