Cisco ASA Series Cli Configuration Manual page 560

Software version 9.0 for the services module
Information About Extended ACLs
NAT and ACLs
When using NAT or PAT, mapped addresses and ports are no longer required in an ACL for several
features. You should now always use the real, untranslated addresses and ports for these features. Using
the real address and port means that if the NAT configuration changes, you do not need to change the
ACLs.
Note: For ACL migration information, see the Cisco ASA 5500 Migration to Version 8.3 and Later.
Features That Use Real IP Addresses
The following commands and features use real IP addresses in the ACLs:
• access-group command
• Modular Policy Framework match access-list command
• Botnet Traffic Filter dynamic-filter enable classify-list command
• AAA aaa ... match commands
• WCCP wccp redirect-list group-list command
For example, if you configure NAT for an inside server, 10.1.1.5, so that it has a publicly routable IP
address on the outside, 209.165.201.5, then the access rule to allow the outside traffic to access the inside
server needs to reference the server's real IP address (10.1.1.5), and not the mapped address
(209.165.201.5):
hostname(config)# object network server1
hostname(config-network-object)# host 10.1.1.5
hostname(config-network-object)# nat (inside,outside) static 209.165.201.5
hostname(config)# access-list OUTSIDE extended permit tcp any host 10.1.1.5 eq www
hostname(config)# access-group OUTSIDE in interface outside
Features That Use Mapped IP Addresses
The following features use ACLs, but these ACLs will continue to use the mapped values as seen on an
interface:
• IPsec ACLs
• capture command ACLs
• Per-user ACLs
• Routing protocol ACLs
• All other feature ACLs...
Information About Scheduling Access List Activation
You can schedule each ACE in an access list to be activated at specific times of the day and week by
applying a time range to the ACE.
Users could experience a delay of approximately 80 to 100 seconds after the specified end time for the
ACL to become inactive. For example, if the specified end time is 3:50, because the end time is inclusive,
the command is picked up anywhere between 3:51:00 and 3:51:59. After the command is picked up, the
ASA finishes any currently running task and then services the command to deactivate the ACL.
Cisco ASA Series CLI Configuration Guide
1-2
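A post-migration check a defender can run over a saved running-config, added here as an example and not taken from the guide: it pairs each static NAT object with its real and mapped addresses and flags any extended ACE that still names the mapped address, which the access-group feature on 8.3 and later would never match (a deny written that way silently blocks nothing). The config excerpt is constructed, and the parser assumes only "object network" with a "host" and a static NAT to an IP literal.

```python
import re

# Constructed running-config excerpt (not from the guide), modelled on the
# NAT example above: server1 is 10.1.1.5, mapped to 209.165.201.5. The
# deny ACE still names the mapped address, so access-group never matches it.
SAMPLE_CONFIG = """\
object network server1
 host 10.1.1.5
 nat (inside,outside) static 209.165.201.5
access-list OUTSIDE extended permit tcp any host 10.1.1.5 eq www
access-list OUTSIDE extended deny tcp any host 209.165.201.5 eq ssh
access-group OUTSIDE in interface outside
"""

# Assumption: only "object network" + "host" + static NAT to an IP literal
# is handled; mapped objects, ranges and dynamic NAT are out of scope.
OBJECT_RE = re.compile(r"^object network (\S+)")
HOST_RE = re.compile(r"^\s+host (\S+)")
NAT_RE = re.compile(r"^\s+nat \([^)]*\) static (\d+(?:\.\d+){3})")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) ")

def mapped_to_real(config):
    """Return {mapped_ip: (object_name, real_ip)} for static host NAT."""
    mapping, name, real = {}, None, None
    for line in config.splitlines():
        if m := OBJECT_RE.match(line):
            name, real = m.group(1), None          # new object starts
        elif (m := HOST_RE.match(line)) and name:
            real = m.group(1)                      # real (untranslated) IP
        elif (m := NAT_RE.match(line)) and name and real:
            mapping[m.group(1)] = (name, real)     # mapped -> real
    return mapping

def find_mapped_refs(config):
    """Return (acl, mapped_ip, real_ip, line) for every extended ACE that
    names a mapped address where the real address is required."""
    mapping = mapped_to_real(config)
    findings = []
    for line in config.splitlines():
        if not (m := ACL_RE.match(line)):
            continue
        for mapped, (_, real) in mapping.items():
            # \b keeps 209.165.201.5 from matching 209.165.201.50
            if re.search(r"\bhost " + re.escape(mapped) + r"\b", line):
                findings.append((m.group(1), mapped, real, line))
    return findings

if __name__ == "__main__":
    for acl, mapped, real, line in find_mapped_refs(SAMPLE_CONFIG):
        print(f"{acl}: use real address {real}, not {mapped}, in: {line}")
```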
Chapter 1
Adding an Extended Access Control List