Configure ACLs

To add an ACE for IP address or FQDN matching, use the following command:

access-list access_list_name [line line_number] extended {deny | permit}
protocol_argument source_address_argument dest_address_argument
[log [[level] [interval secs] | disable | default]]
[time-range time_range_name]
[inactive]

Example:

hostname(config)# access-list ACL_IN extended permit ip any any

The options are:

access_list_name—The name of the new or existing ACL.

Line number—The line line_number option specifies the line number at which to insert the ACE; otherwise, the ACE is added to the end of the ACL.

Permit or Deny—The deny keyword denies or exempts a packet if the conditions are matched. The permit keyword permits or includes a packet if the conditions are matched.

Protocol—The protocol_argument specifies the IP protocol:
  name or number—Specifies the protocol name or number. Specify ip to apply to all protocols.
  object-group protocol_grp_id—Specifies a protocol object group created using the object-group protocol command. See Configure Service Objects and Service Groups, page 2-4.
  object service_obj_id—Specifies a service object created using the object service command. A TCP, UDP, or ICMP service object can include a protocol and a source or destination port or ICMP type and code.
  object-group service_grp_id—Specifies a service object group created using the object-group service command.

Source Address, Destination Address—The source_address_argument specifies the IP address or FQDN from which the packet is being sent, and the dest_address_argument specifies the IP address or FQDN to which the packet is being sent:
  host ip_address—Specifies an IPv4 host address.
  ip_address mask—Specifies an IPv4 network address and subnet mask, such as 10.100.10.0 255.255.255.0.
  ipv6-address/prefix-length—Specifies an IPv6 host or network address and prefix.
  any, any4, and any6—any specifies both IPv4 and IPv6 traffic; any4 specifies IPv4 traffic only; and any6 specifies IPv6 traffic only.
  interface interface_name—Specifies the name of an ASA interface. Use the interface name rather than IP address to match traffic based on which interface is the source or destination of the traffic.
  object nw_obj_id—Specifies a network object created using the object network command. See Configure Network Objects and Groups, page 2-2.
  object-group nw_grp_id—Specifies a network object group created using the object-group network command.

Logging—log arguments set logging options when an ACE matches a packet for network access (an ACL applied with the access-group command). If you enter the log option without any arguments, you enable syslog message 106100 at the default level (6) and for the default interval (300 seconds). Log options are:

Cisco ASA Series Firewall CLI Configuration Guide
Chapter 3 Access Control Lists
3-8
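The syntax above is easy to get subtly wrong in a long ACL, and the page's own example, permit ip any any, is the most permissive ACE the command can express. The following parser and audit helper is an added example written for this page, not Cisco code and not ASA output: it parses extended ACEs using only the grammar shown on the page (protocol argument, the two address arguments, the log, time-range and inactive options) and flags active permits that match any source to any destination for all protocols, plus permits that do not log (so no 106100 syslog would be produced). The sample configuration, the object names WEB_SVCS and WEB_SRV, and the time range WORKHOURS are constructed for the example; port qualifiers after the addresses are not handled because the page does not document them.

```python
"""Parse Cisco ASA extended ACEs (grammar as documented on this page) and flag
overly broad or unlogged permits. Added example; not Cisco's code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_KEYWORDS = {"any", "any4", "any6"}
DEFAULT_LOG_LEVEL = 6        # page: "log" with no arguments -> level 6
DEFAULT_LOG_INTERVAL = 300   # page: default interval is 300 seconds


@dataclass
class Ace:
    acl: str
    action: str          # "permit" or "deny"
    protocol: str        # "ip", "tcp", "6", "object X", "object-group X", ...
    source: str          # normalised address argument
    dest: str
    line: Optional[int] = None
    log: Optional[str] = None          # None, "enabled", "disable" or "default"
    log_level: Optional[int] = None
    log_interval: Optional[int] = None
    time_range: Optional[str] = None
    inactive: bool = False


def _parse_protocol(tok: List[str], i: int) -> Tuple[str, int]:
    """protocol_argument: name | number | object X | object-group X."""
    if tok[i] in ("object", "object-group"):
        return f"{tok[i]} {tok[i + 1]}", i + 2
    if tok[i].isdigit() and not 0 <= int(tok[i]) <= 255:
        raise ValueError(f"bad protocol number {tok[i]}")
    return tok[i], i + 1


def _parse_address(tok: List[str], i: int) -> Tuple[str, int]:
    """source/dest argument: host A | A MASK | v6/prefix | any* | interface N | object X | object-group X."""
    t = tok[i]
    if t in ANY_KEYWORDS:
        return t, i + 1
    if t == "host":
        ipaddress.IPv4Address(tok[i + 1])            # raises on a malformed host address
        return f"host {tok[i + 1]}", i + 2
    if t in ("interface", "object", "object-group"):
        return f"{t} {tok[i + 1]}", i + 2
    if "/" in t:                                      # ipv6-address/prefix-length
        return str(ipaddress.IPv6Network(t, strict=False)), i + 1
    # ip_address mask, e.g. 10.100.10.0 255.255.255.0 -> 10.100.10.0/24
    return str(ipaddress.IPv4Network(f"{t}/{tok[i + 1]}", strict=False)), i + 2


def parse_ace(text: str) -> Ace:
    """Parse one 'access-list ... extended ...' line into an Ace."""
    tok = text.replace("hostname(config)#", "").split()
    if not tok or tok[0] != "access-list":
        raise ValueError("not an access-list command")
    name, i, line = tok[1], 2, None
    if tok[i] == "line":
        line, i = int(tok[i + 1]), i + 2
    if tok[i] != "extended":
        raise ValueError("only extended ACEs are handled")
    action = tok[i + 1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    protocol, i = _parse_protocol(tok, i + 2)
    source, i = _parse_address(tok, i)
    dest, i = _parse_address(tok, i)
    ace = Ace(name, action, protocol, source, dest, line=line)
    while i < len(tok):                               # trailing options, any order
        t = tok[i]
        if t == "log":
            ace.log, i = "enabled", i + 1
            if i < len(tok) and tok[i] in ("disable", "default"):
                ace.log, i = tok[i], i + 1
                continue
            ace.log_level, ace.log_interval = DEFAULT_LOG_LEVEL, DEFAULT_LOG_INTERVAL
            if i < len(tok) and tok[i].isdigit():     # optional level 0-7
                ace.log_level, i = int(tok[i]), i + 1
            if i < len(tok) and tok[i] == "interval":
                ace.log_interval, i = int(tok[i + 1]), i + 2
        elif t == "time-range":
            ace.time_range, i = tok[i + 1], i + 2
        elif t == "inactive":
            ace.inactive, i = True, i + 1
        else:
            raise ValueError(f"unexpected token {t!r}")
    return ace


def audit(aces: List[Ace]) -> List[str]:
    """Review findings for active ACEs: all-traffic permits and permits that never log."""
    findings = []
    for n, a in enumerate(aces, 1):
        if a.inactive:
            continue
        broad = a.source in ANY_KEYWORDS and a.dest in ANY_KEYWORDS
        if a.action == "permit" and broad and a.protocol == "ip":
            findings.append(f"#{n} {a.acl}: permit ip {a.source} {a.dest} allows all traffic")
        if a.action == "permit" and a.log in (None, "disable"):
            findings.append(f"#{n} {a.acl}: permit without logging (no 106100 syslog)")
    return findings


# Constructed sample configuration (object names and time range are made up).
SAMPLE_CONFIG = """\
access-list ACL_IN extended permit ip any any
access-list ACL_IN line 1 extended deny tcp 10.100.10.0 255.255.255.0 host 192.0.2.10 log 4 interval 60
access-list ACL_IN extended permit object-group WEB_SVCS any4 object WEB_SRV time-range WORKHOURS
access-list ACL_IN extended permit ip 2001:db8::/32 any6 inactive
"""


def run_sample() -> List[str]:
    return audit([parse_ace(l) for l in SAMPLE_CONFIG.splitlines()])


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Running the sample reports the any/any permit twice (all traffic, and no logging) and the WEB_SVCS permit once for missing logging; the inactive IPv6 entry is skipped because it is not enforced.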