1-6
Cisco ASA Series CLI Configuration Guide
Chapter 1 Adding an Extended Access Control List
Configuring Extended ACLs
Adding an ACE for TCP or UDP-Based Policy, with Ports
This section lets you control traffic based on IP addresses or fully qualified domain names (FQDNs)
along with TCP or UDP ports. An ACL is made up of one or more access control entries (ACEs) with
the same ACL ID. To create an ACL you start by creating an ACE and applying a list name. An ACL
with one entry is still considered a list, although you can add multiple entries to the list.
Prerequisites
• (Optional) Create network objects or object groups according to the “Configuring Network Objects
and Groups” section on page 1-2. Objects can contain an IP address (host, subnet, or range) or an
FQDN. Object groups contain multiple objects or inline entries.
• (Optional) Create service objects or groups according to the “Configuring Service Objects and
Service Groups” section on page 1-5.
Guidelines
To delete an ACE, enter the no access-list command with the entire command syntax string as it appears
in the configuration. To remove the entire ACL, use the clear configure access-list command.
Detailed Steps
Command Purpose
access-list access_list_name [line
line_number] extended {deny | permit}
{tcp | udp} source_address_argument
[port_argument] dest_address_argument
[port_argument] [log [[level]
[interval secs] | disable | default]]
[inactive | time-range time_range_name]
Example:
hostname(config)# access-list ACL_IN
extended deny tcp any host 209.165.201.29
eq www
Adds an ACE for IP address or FQDN policy, as well as optional TCP or
UDP ports. For common keywords and arguments, see the “Adding an ACE
for IP Address or Fully Qualified Domain Name-Based Policy” section on
page 1-4. Keywords and arguments specific to this type of ACE include the
following:
port_argument specifies the source and/or destination port. Available
arguments include:
• operator port—The operator can be one of the following:
–
lt—less than
–
gt—greater than
–
eq—equal to
–
neq—not equal to
–
range—an inclusive range of values. When you use this operator,
specify two port numbers, for example:
range 100 200
The port can be the integer or name of a TCP or UDP port. DNS,
Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one
definition for TCP and one for UDP. TACACS+ requires one definition
for port 49 on TCP.
• object-group service_grp_id—Specifies a service object group
created using the object-group service command.
To Next Page
Loading...
Need help?
General
