3-11
Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 3      Access Control Lists
  Configure ACLs
[log [[level] [interval secs] | disable | default]] 
[time-range time_range_name] 
[inactive]
Example:
hostname(config)# access-list v1 extended permit ip user LOCAL\idfw any 10.0.0.0 255.255.255.0
The user_argument option specifies the user or group for which to match traffic in addition to the source address. Available arguments include the following:
• object-group-user user_obj_grp_id—Specifies a user object group created using the object-group user command.
• user {[domain_nickname\]name | any | none}—Specifies a username. Specify any to match all users with user credentials, or none to match addresses that are not mapped to usernames. These options are especially useful for combining access-group and aaa authentication match policies.
• user-group [domain_nickname\\]user_group_name—Specifies a user group name. Note the double \\ separating the domain and group name.
For an explanation of the other keywords, see Add an Extended ACE for IP Address or Fully-Qualified Domain Name-Based Matching, page 3-7.
Tip You can include both user and Cisco TrustSec security groups in a given ACE. See Add an Extended ACE for Security Group-Based Matching (Cisco TrustSec), page 3-11.
Add an Extended ACE for Security Group-Based Matching (Cisco TrustSec)
The security group (Cisco TrustSec) extended ACE is the basic address-matching ACE with security groups or tags added to the source or destination matching criteria. By creating rules based on security groups, you avoid tying rules to static host or network addresses. Because you must still supply source and destination addresses, broaden them to cover the address ranges that users are likely to be assigned (normally through DHCP), so that the security group, not the address, is the effective selector.
Tip Before adding this type of ACE, configure Cisco TrustSec as described in Chapter 6, “ASA and Cisco TrustSec.”
To add an ACE for security group matching, use the following command:
access-list access_list_name [line line_number] extended {deny | permit} protocol_argument [security_group_argument] source_address_argument [port_argument] [security_group_argument] dest_address_argument [port_argument] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]
Example:
hostname(config)# access-list INSIDE_IN extended permit ip security-group name my-group any any
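The following is an added configuration example, not taken from this guide, that puts the user-based ACEs of the previous section and the security-group ACEs of this section together in one identity-aware ACL and applies it to an interface. The object-group names, the CORP domain nickname, the interface name and all addresses are assumptions; the ordering of the user argument before the security-group argument in the combined ACE follows the full extended access-list syntax and is likewise assumed here rather than shown on this page.

```cisco
! Added example (not the guide's own configuration). Names, domain and
! addresses are assumptions for illustration.

! Security object group: the TrustSec groups allowed to reach the server farm.
object-group security SG-ENGINEERING
 security-group name engineering
 security-group tag 100

! User object group for an exception that must follow a named account
! and an AD group (note the double \\ between domain and group name).
object-group user UG-DBA
 user CORP\dba-oncall
 user-group CORP\\Database-Admins

! Source addresses are broadened to the whole client DHCP scope (10.10.0.0/16)
! because the security group or user, not the host address, is the real selector.
access-list INSIDE_IN remark Engineering security group to web tier
access-list INSIDE_IN extended permit tcp object-group-security SG-ENGINEERING 10.10.0.0 255.255.0.0 10.20.1.0 255.255.255.0 eq 443

! User-based ACE: only the DBA accounts may reach the database tier, and
! every match is logged so the hits can be reviewed.
access-list INSIDE_IN remark DBA accounts to database tier (logged)
access-list INSIDE_IN extended permit tcp object-group-user UG-DBA 10.10.0.0 255.255.0.0 10.20.2.0 255.255.255.0 eq 1433 log

! Combined ACE: a single ACE may carry both a user and a security group.
access-list INSIDE_IN remark Named engineer in the engineering group to SSH jump host
access-list INSIDE_IN extended permit tcp user CORP\jdoe security-group name engineering 10.10.0.0 255.255.0.0 host 10.20.3.10 eq 22

! Explicit, logged deny so that unexpected traffic from the client scope is
! visible in syslog rather than silently dropped by the implicit deny.
access-list INSIDE_IN extended deny ip 10.10.0.0 255.255.0.0 any log

! Apply the ACL inbound on the client-facing interface.
access-group INSIDE_IN in interface inside
```

After applying the ACL, `show access-list INSIDE_IN` displays the expanded ACEs with their hit counts, which is the quickest check that identity-based entries are actually matching traffic; a security-group or user ACE that never increments usually means the TrustSec or identity mappings behind it are not being learned.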
The security_group_argument option specifies the security group for which to match traffic in addition to the source or destination address. Available arguments include the following:
• object-group-security security_obj_grp_id—Specifies a security object group created using the object-group security command.