3-10
Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 3      Access Control Lists
  Configure ACLs
• object-group service_grp_id—Specifies a service object group created using the object-group 
service command.
For an explanation of the other keywords, see Add an Extended ACE for IP Address or Fully-Qualified 
Domain Name-Based Matching, page 3-7. 
Add an Extended ACE for ICMP-Based Matching
The ICMP extended ACE is just the basic address-matching ACE where the protocol is icmp or icmp6. 
Because these protocols have type and code values, you can add type and code specifications to the ACE. 
For example, you can target ICMP Echo Request traffic (pings).
To add an ACE for IP address or FQDN matching, where the protocol is ICMP or ICMP6, use the 
following command:
access-list access_list_name [line line_number] extended {deny | permit} 
{icmp | icmp6} source_address_argument dest_address_argument [icmp_argument] 
[log [[level] [interval secs] | disable | default]] 
[time-range time_range_name] 
[inactive]
Example:
hostname(config)# access-list abc extended permit icmp any any object-group obj_icmp_1 
hostname(config)# access-list abc extended permit icmp any any echo 
The icmp_argument option narrows the ACE to a specific ICMP type and, optionally, code.
• icmp_type [icmp_code]—Specifies the ICMP type by name or number, and the optional ICMP code 
for that type. If you omit the code, the ACE matches every code of that type.
• object-group icmp_grp_id—Specifies an object group for ICMP/ICMP6 created using the 
object-group service or (deprecated) object-group icmp command.
For an explanation of the other keywords, see Add an Extended ACE for IP Address or Fully-Qualified 
Domain Name-Based Matching, page 3-7. 
Add an Extended ACE for User-Based Matching (Identity Firewall)
The user-based extended ACE is just the basic address-matching ACE where you add a username or 
user group to the source matching criteria. By creating rules based on user identity, you can avoid tying 
rules to static host or network addresses. For example, if you define a rule for user1, and the identity 
firewall feature maps that user to a host assigned 10.100.10.3 one day, but 192.168.1.5 the next day, the 
user-based rule still applies. 
Because you must still supply source and destination addresses, broaden the source address to include 
the likely addresses that will be assigned to the user (normally through DHCP). For example, user 
“LOCAL\user1 any” will match the LOCAL\user1 user no matter what address is assigned, whereas 
“LOCAL\user1 10.100.1.0 255.255.255.0” matches the user only if the address is on the 10.100.1.0/24 
network.
By using group names, you can define rules based on entire classes of users, such as students, teachers, 
managers, engineers, and so forth.
To add an ACE for user or group matching, use the following command: 
access-list access_list_name [line line_number] extended {deny | permit} protocol_argument 
[user_argument] source_address_argument [port_argument] 
dest_address_argument [port_argument]
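The two matching styles described above, an ICMP type with an optional code and a user argument placed between the protocol and the source address, are easy to get wrong in ordering, and the guide does not show what a given packet would actually hit. The following Python is an added example, not Cisco code or ASA output: it parses the subset of extended-ACE syntax shown on this page (permit or deny, protocol, optional DOMAIN\user, source and destination as any, host A, or A MASK, and an optional ICMP type and code) and walks a constructed ACL in order, first match wins, falling back to the implicit deny that ends every ASA ACL. Object groups, port arguments, log, time-range, inactive, line numbers and icmp6 are deliberately not modelled, and the ICMP name table is a small assumed subset of what the CLI accepts.

```python
"""Tiny ASA extended-ACE evaluator (added example, not Cisco's code).

Models only the syntax shown on this page:
  access-list NAME extended {permit|deny} PROTO [DOMAIN\\user] SRC DST [icmp_type [icmp_code]]
with SRC/DST as `any`, `host A`, or `A MASK`. Object groups, ports, log,
time-range, inactive, line numbers and icmp6 are not handled (assumption).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed subset of the ICMP type names the ASA CLI accepts, with RFC 792 numbers.
ICMP_TYPE_NAMES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}


@dataclass
class Packet:
    proto: str                      # "icmp", "tcp", "udp", ...
    src: str
    dst: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    user: Optional[str] = None      # identity the Identity Firewall mapped to src, e.g. "LOCAL\\user1"


@dataclass
class Ace:
    action: str
    proto: str
    user: Optional[str]
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[int]
    icmp_code: Optional[int]
    text: str


def _take_address(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one source/destination argument from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False)  # "A MASK" form


def _icmp_type(tok: str) -> int:
    return ICMP_TYPE_NAMES[tok] if tok in ICMP_TYPE_NAMES else int(tok)


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    action, proto = tokens[3], tokens[4]
    rest = tokens[5:]
    # The optional user argument sits between the protocol and the source address.
    user = rest.pop(0) if rest and "\\" in rest[0] else None
    src = _take_address(rest)
    dst = _take_address(rest)
    icmp_type = icmp_code = None
    if proto == "icmp" and rest:
        icmp_type = _icmp_type(rest.pop(0))
        if rest:                     # code omitted -> every code of that type matches
            icmp_code = int(rest.pop(0))
    if rest:
        raise ValueError(f"unsupported trailing keywords {rest} in: {line}")
    return Ace(action, proto, user, src, dst, icmp_type, icmp_code, line)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:     # protocol "ip" matches everything
        return False
    if ace.user is not None and pkt.user != ace.user:   # user ACE needs the identity mapping
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in ace.dst:
        return False
    if ace.icmp_type is not None and pkt.icmp_type != ace.icmp_type:
        return False
    if ace.icmp_code is not None and pkt.icmp_code != ace.icmp_code:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, matched ACE text). First match wins; no match is the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action, ace.text
    return "deny", None


# Constructed sample ACL (not from the guide), one entry per matching style.
SAMPLE_ACL_TEXT = [
    r"access-list abc extended permit icmp 10.100.1.0 255.255.255.0 any echo",
    r"access-list abc extended permit icmp any any unreachable 3",
    r"access-list abc extended permit icmp any any time-exceeded",
    r"access-list abc extended permit tcp LOCAL\user1 any host 192.168.5.10",
    r"access-list abc extended deny ip any any",
]
SAMPLE_ACL = [parse_ace(line) for line in SAMPLE_ACL_TEXT]

if __name__ == "__main__":
    for pkt in (Packet("icmp", "10.100.1.7", "8.8.8.8", 8, 0),
                Packet("icmp", "203.0.113.5", "10.1.1.1", 3, 1),
                Packet("icmp", "203.0.113.5", "10.1.1.1", 11, 1),
                Packet("tcp", "10.55.3.9", "192.168.5.10", user="LOCAL\\user1"),
                Packet("tcp", "10.55.3.9", "192.168.5.10")):
        print(pkt, "->", evaluate(SAMPLE_ACL, pkt))
```

Running it shows the points the text makes: `unreachable 3` admits only code 3, so a type 3 code 1 message falls through to the final deny, while `time-exceeded` with no code admits any code; and the `LOCAL\user1` entry permits the TCP flow from whatever address the user currently holds, but the identical packet with no identity mapping skips that ACE and is denied.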