Cisco ASA Series CLI Configuration Manual page 567

Software version 9.0 for the services module
Chapter 1

Adding an Extended Access Control List

Detailed Steps

Command:

access-list access_list_name [line line_number] extended {deny | permit} protocol_argument [security_group_argument] source_address_argument [port_argument] [security_group_argument] dest_address_argument [port_argument] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]

Example:

hostname(config)# access-list v1 extended permit ip user LOCAL\idfw any 10.0.0.0 255.255.255.0

Purpose:

Adds an ACE for IP address or FQDN policy, as well as optional security groups. For common keywords and arguments, see the "Adding an ACE for IP Address or Fully Qualified Domain Name-Based Policy" section on page 1-4. Keywords and arguments specific to this type of ACE include the following:

security_group_argument is for use with the TrustSec feature, and specifies the security group for which to match traffic in addition to the source or destination address. Available arguments include the following:

object-group-security security_obj_grp_id—Specifies a security object group created using the object-group security command.

security-group {name security_grp_id | tag security_grp_tag}—Specifies a security group name or tag.

Note: Although not shown in the syntax above, you can also use Identity Firewall user arguments.

Adding Remarks to ACLs

You can include remarks about entries in any ACL. The remarks make the ACL easier to understand.

To add a remark after the last access-list command you entered, enter the following command.

Detailed Steps

Command:

access-list access_list_name remark text

Example:

hostname(config)# access-list OUT remark - this is the inside admin address

Purpose:

Adds a remark after the last access-list command you entered.

The text can be up to 100 characters in length. You can enter leading spaces at the beginning of the text. Trailing spaces are ignored.

If you enter the remark before any access-list command, then the remark is the first line in the ACL.

If you delete an ACL using the no access-list access_list_name command, then all the remarks are also removed.

Examples

You can add remarks before each ACE, and the remark appears in the ACL in this location. Entering a dash (-) at the beginning of the remark helps set it apart from the ACEs.

hostname(config)# access-list OUT remark - this is the inside admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
hostname(config)# access-list OUT remark - this is the hr admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any
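As an added example that is not part of the Cisco guide: a small Python audit script that parses extended ACEs and remarks written in the syntax above from a constructed running-config sample, attaches each remark to the ACE that follows it (the position the guide shows remarks appearing in), and flags ACEs that have no remark, permit any source to any destination, or are marked inactive. The names parse_acl, audit and Ace are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of ASA running-config access-list lines (not from the guide).
SAMPLE_CONFIG = """\
access-list OUT remark - this is the inside admin address
access-list OUT extended permit ip host 209.168.200.3 any
access-list OUT remark - this is the hr admin address
access-list OUT extended permit ip host 209.168.200.4 any
access-list OUT extended permit tcp any any eq 22 log
access-list OUT extended deny ip any any inactive
"""

REMARK_RE = re.compile(r"^access-list (?P<acl>\S+) remark (?P<text>.*)$")
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<body>.+)$")

@dataclass
class Ace:
    acl: str
    action: str
    body: str                                  # everything after permit/deny
    remarks: list = field(default_factory=list)
    inactive: bool = False

def parse_acl(config: str) -> list:
    """Parse extended ACEs; each remark is attached to the ACE that follows it."""
    aces, pending = [], []
    for line in config.splitlines():
        if m := REMARK_RE.match(line):
            pending.append(m.group("text").rstrip())   # ASA ignores trailing spaces
        elif m := ACE_RE.match(line):
            body = m.group("body")
            aces.append(Ace(m.group("acl"), m.group("action"), body, pending,
                            "inactive" in body.split()))
            pending = []
    return aces

def audit(aces: list) -> list:
    """Return (ace_number, finding) pairs a reviewer would want to look at."""
    findings = []
    for n, ace in enumerate(aces, 1):
        if not ace.remarks:
            findings.append((n, "no remark documenting this ACE"))
        if ace.action == "permit" and ace.body.split().count("any") >= 2:
            findings.append((n, "permit from any source to any destination"))
        if ace.inactive:
            findings.append((n, "ACE is inactive and enforces nothing"))
    return findings
```

Run it against the output of show running-config access-list; the two documented host permits produce no findings, while the undocumented any-to-any permit and the inactive deny are reported.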
Cisco ASA Series CLI Configuration Guide
Configuring Extended ACLs
1-9