Cisco ASA Series CLI Configuration Manual, page 566

Software version 9.0 for the services module

Chapter 1   Adding an Extended Access Control List
Configuring Extended ACLs

Detailed Steps

Command

access-list access_list_name [line line_number] extended {deny | permit}
  protocol_argument [user_argument]
  source_address_argument [port_argument]
  dest_address_argument [port_argument]
  [log [[level] [interval secs] | disable | default]]
  [inactive | time-range time_range_name]

Example:
hostname(config)# access-list v1 extended permit ip user LOCAL\idfw any 10.0.0.0 255.255.255.0

Purpose

Adds an ACE for IP address or FQDN policy, as well as optional usernames and/or groups. For common keywords and arguments, see the "Adding an ACE for IP Address or Fully Qualified Domain Name-Based Policy" section on page 1-4. Keywords and arguments specific to this type of ACE include the following:

user_argument is for use with the identity firewall feature, and specifies the user or group for which to match traffic in addition to the source address. Available arguments include the following:

• object-group-user user_obj_grp_id—Specifies a user object group created using the object-group user command.
• user {[domain_nickname\]name | any | none}—Specifies a username. Specify any to match all users with user credentials, or none to match users without user credentials. These options are especially useful for combining access-group and aaa authentication match policies.
• user-group [domain_nickname\\]user_group_name—Specifies a user group name.

Note: Although not shown in the syntax above, you can also use TrustSec security group arguments.

Adding an ACE for Security Group-Based Policy (TrustSec)

If you configure the Cisco TrustSec feature, you can control traffic based on security groups.

Prerequisites

See Chapter 1, "Configuring the ASA to Integrate with Cisco TrustSec," to enable TrustSec.
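
An added example, not from the Cisco manual: a short Python audit that parses the identity firewall user_argument forms described above (user, user-group, object-group-user) out of extended ACEs and lists active permit entries that are not tied to a named user or group. The sample config is constructed apart from the manual's own v1 example, and the parser assumes the protocol argument is a single token or an object/object-group pair.

```python
import re

# Constructed sample config. Only the first ACE is the manual's own example.
SAMPLE = r"""
access-list v1 extended permit ip user LOCAL\idfw any 10.0.0.0 255.255.255.0
access-list v1 extended permit tcp user-group CORP\\eng any host 10.0.0.5 eq 22
access-list v1 extended permit ip object-group-user admins any any
access-list v1 line 4 extended permit ip user none any any
access-list v1 extended deny ip user any any any inactive
access-list v1 extended permit icmp any any
"""

HEAD = re.compile(
    r"^access-list\s+(\S+)\s+(?:line\s+\d+\s+)?extended\s+(permit|deny)\s+(.+)$")
USER_KINDS = ("user", "user-group", "object-group-user")

def parse_ace(line):
    """Return a dict for an extended ACE, or None if the line is not one."""
    m = HEAD.match(line.strip())
    if not m:
        return None
    name, action, rest = m.groups()
    tok = rest.split()
    # Assumption: protocol is one token or an object/object-group pair.
    n = 2 if tok[0] in ("object", "object-group") else 1
    protocol, tok = " ".join(tok[:n]), tok[n:]
    kind = value = domain = None
    if len(tok) >= 2 and tok[0] in USER_KINDS:
        kind, value, tok = tok[0], tok[1], tok[2:]
        # user takes domain\name; user-group takes domain\\group.
        sep = {"user": "\\", "user-group": "\\\\"}.get(kind)
        if sep and sep in value:
            domain, value = value.split(sep, 1)
    return {"acl": name, "action": action, "protocol": protocol,
            "user_kind": kind, "domain": domain, "user": value,
            "inactive": "inactive" in tok}

def review(config):
    """List active permit ACEs that are not tied to a named user or group."""
    findings = []
    for line in config.splitlines():
        ace = parse_ace(line)
        if not ace or ace["action"] != "permit" or ace["inactive"]:
            continue
        if ace["user_kind"] is None:
            findings.append((line.strip(), "no user argument"))
        elif ace["user_kind"] == "user" and ace["user"] in ("any", "none"):
            findings.append((line.strip(), "user " + ace["user"]))
    return findings
```

Calling review(SAMPLE) returns the user none ACE and the ICMP ACE that carries no user argument; the inactive deny entry is skipped.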
