Add An Extended Ace For Security Group-Based Matching (Cisco Trustsec) - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Chapter 3
Access Control Lists
[log [[level] [interval secs] | disable | default]]
[time-range time_range_name]
[inactive]
Example:
hostname(config)# access-list v1 extended permit ip user LOCAL\idfw any 10.0.0.0 255.255.255.0
The user_argument option specifies the user or group for which to match traffic in addition to the source address. Available arguments include the following:
object-group-user user_obj_grp_id—Specifies a user object group created using the object-group user command.
user {[domain_nickname\]name | any | none}—Specifies a username. Specify any to match all users with user credentials, or none to match addresses that are not mapped to usernames. These options are especially useful for combining access-group and aaa authentication match policies.
user-group [domain_nickname\\]user_group_name—Specifies a user group name. Note the double backslash (\\) separating the domain and group name.
For an explanation of the other keywords, see Add an Extended ACE for IP Address or Fully-Qualified Domain Name-Based Matching, page 3-7.
Tip
You can include both user and Cisco TrustSec security groups in a given ACE. See Add an Extended ACE for Security Group-Based Matching (Cisco TrustSec), page 3-11.

Add an Extended ACE for Security Group-Based Matching (Cisco TrustSec)

The security group (Cisco TrustSec) extended ACE is the basic address-matching ACE with security groups or tags added to the source or destination matching criteria. By creating rules based on security groups, you avoid tying rules to static host or network addresses. Because you must still supply source and destination addresses, broaden the addresses to include the likely addresses that will be assigned to users (normally through DHCP).
Tip
Before adding this type of ACE, configure Cisco TrustSec as described in Chapter 6, "ASA and Cisco TrustSec."
To add an ACE for security group matching, use the following command:
access-list access_list_name [line line_number] extended {deny | permit} protocol_argument [security_group_argument] source_address_argument [port_argument] [security_group_argument] dest_address_argument [port_argument] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]
Example:
hostname(config)# access-list INSIDE_IN extended permit ip security-group name my-group any any
The security_group_argument option specifies the security group for which to match traffic in addition to the source or destination address. Available arguments include the following:
object-group-security security_obj_grp_id—Specifies a security object group created using the object-group security command.
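As an added example (not Cisco's code and not part of this guide), the following Python parser splits an extended ACE command of the form documented above into its user/security-group, address, port and option fields, and applies the "broaden the addresses" advice as a heuristic check. It assumes the security-group argument takes three tokens (security-group {name | tag} value; the tag form is standard ASA syntax not shown on this page) and that the sample input is the page's two examples plus one constructed line.

```python
# Added example, not Cisco code: parse the extended ACE syntax documented above and apply the advice to pair groups with broad addresses as a heuristic check.
GROUP_KEYS = {"security-group", "object-group-security",       # security_group_argument
              "user", "user-group", "object-group-user"}       # user_argument
PORT_WIDTH = {"eq": 2, "lt": 2, "gt": 2, "neq": 2, "range": 3}  # tokens in a port_argument
SAMPLE_ACES = [   # the two examples from the page plus one constructed line
    r"access-list v1 extended permit ip user LOCAL\idfw any 10.0.0.0 255.255.255.0",
    "access-list INSIDE_IN extended permit ip security-group name my-group any any",
    "access-list INSIDE_IN extended permit tcp security-group name my-group 10.0.0.0 255.255.0.0 "
    "object-group-security servers host 10.1.1.5 eq 443 log interval 300",
]

def _take_groups(toks, i):
    """Consume any user/security-group arguments at toks[i]; both kinds may appear together."""
    groups = []
    while i < len(toks) and toks[i] in GROUP_KEYS:
        n = 3 if toks[i] == "security-group" else 2            # security-group {name|tag} X (assumed)
        groups.append(" ".join(toks[i:i + n]))
        i += n
    return groups, i

def _take_addr(toks, i):
    if toks[i] in ("any", "any4", "any6") or "/" in toks[i]:    # one-token address forms
        return toks[i], i + 1
    return " ".join(toks[i:i + 2]), i + 2                      # host X, object X, or ip mask

def _take_port(toks, i):
    n = PORT_WIDTH.get(toks[i], 0) if i < len(toks) else 0     # optional eq/lt/gt/neq X or range A B
    return (" ".join(toks[i:i + n]) or None), i + n

def parse_ace(line):
    """Split one 'access-list NAME [line N] extended ...' command into named fields."""
    toks = line.split()
    i = toks.index("extended")                                 # ValueError if not an extended ACE
    ace = {"name": toks[1], "action": toks[i + 1], "protocol": toks[i + 2]}
    i += 3
    ace["src_groups"], i = _take_groups(toks, i)
    ace["src"], i = _take_addr(toks, i)
    ace["src_port"], i = _take_port(toks, i)
    ace["dst_groups"], i = _take_groups(toks, i)
    ace["dst"], i = _take_addr(toks, i)
    ace["dst_port"], i = _take_port(toks, i)
    ace["options"] = toks[i:]                                  # log ..., inactive, time-range
    return ace

def narrow_group_aces(lines):
    """Heuristic (assumed, not an ASA check): a group argument paired with a single host address, which the text above says to broaden to the likely DHCP range."""
    aces = [parse_ace(line) for line in lines]
    return [line for line, a in zip(lines, aces)
            if (a["src_groups"] and a["src"].startswith("host "))
            or (a["dst_groups"] and a["dst"].startswith("host "))]
```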
Cisco ASA Series Firewall CLI Configuration Guide
