Cisco ASA Series CLI Configuration Manual page 559

Software version 9.0 for the services module

Adding an Extended Access Control List
This chapter describes how to configure extended access control lists (ACLs), and it includes the
following sections:
Information About Extended ACLs
ACLs are used to control network access or to specify traffic for many features to act upon. An extended
ACL is made up of one or more access control entries (ACEs). Each ACE specifies a source and
destination for matching traffic. You can identify parameters within the access-list command, or you can
create objects or object groups for use in the ACL.
Access Control Entry Order
An ACL is made up of one or more ACEs. Each ACE that you enter for a given ACL name is appended
to the end of the ACL.
The order of ACEs is important. When the security appliance decides whether to forward or drop a
packet, the security appliance tests the packet against each ACE in the order in which the entries are
listed. After a match is found, no more ACEs are checked. For example, if you create an ACE at the
beginning of an ACL that explicitly permits all traffic, no further statements are ever checked.
You can disable an ACE by making it inactive.
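
The first-match rule described above can be checked mechanically. The following is an added example, not part of the Cisco guide: it parses a constructed ACL, evaluates a packet against it in order, and reports ACEs that can never match because an earlier active ACE covers them. It assumes a reduced subset of the access-list syntax (permit/deny, protocol, IPv4 any/host/network-mask addresses, the inactive keyword, no ports or objects); the ACL name and addresses are made up, and the implicit deny at the end of an ACL is standard ASA behavior that this page does not state.

```python
import ipaddress

# Constructed sample ACL (ASA syntax); name and addresses are illustrative.
SAMPLE_ACL = """\
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended deny tcp any host 192.0.2.20
access-list OUTSIDE_IN extended deny ip 198.51.100.0 255.255.255.0 any inactive
"""

def _addr(tok):
    """Consume one address spec: 'any', 'host A' or 'A MASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(tok[0] + "/" + tok[1]), tok[2:]

def parse_acl(text):
    """Return ACEs in configured order, which is also evaluation order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, rest = _addr(t[5:])
        dst, rest = _addr(rest)
        aces.append({"action": t[3], "proto": t[4], "src": src, "dst": dst,
                     "active": "inactive" not in rest})
    return aces

def evaluate(aces, proto, src, dst):
    """First match wins; ACEs after the match are never checked."""
    for i, a in enumerate(aces):
        if (a["active"] and a["proto"] in ("ip", proto)
                and ipaddress.ip_address(src) in a["src"]
                and ipaddress.ip_address(dst) in a["dst"]):
            return i, a["action"]
    return None, "deny"  # no ACE matched: the ACL's implicit deny applies

def shadowed(aces):
    """Indexes of active ACEs fully covered by an earlier active ACE."""
    return [i for i, b in enumerate(aces) if b["active"] and any(
        a["active"] and a["proto"] in ("ip", b["proto"])
        and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
        for a in aces[:i])]

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print(evaluate(acl, "tcp", "203.0.113.5", "192.0.2.20"), shadowed(acl))
```

In the sample, the deny for 192.0.2.20 is reported as shadowed because the permit ip any any entry above it matches first, and the inactive entry is skipped during evaluation.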
Sections in this chapter:
Information About Extended ACLs
Licensing Requirements for Extended ACLs
Guidelines and Limitations
Default Settings
Configuring Extended ACLs
Monitoring Extended ACLs
Configuration Examples for Extended ACLs
Where to Go Next
Feature History for Extended ACLs
Topics under Information About Extended ACLs:
Access Control Entry Order
NAT and ACLs
Cisco ASA Series CLI Configuration Guide, Chapter 1
