3-12
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 3 Access Control Lists
Configure ACLs
• security-group {name security_grp_id | tag security_grp_tag}—Specifies a security group name
or tag.
For an explanation of the other keywords, see Add an Extended ACE for IP Address or Fully-Qualified
Domain Name-Based Matching, page 3-7.
Tip You can include both user and Cisco Trustsec security groups in a given ACE. See Add an Extended ACE
for User-Based Matching (Identity Firewall), page 3-10.
Examples for Extended ACLs
The following ACL allows all hosts (on the interface to which you apply the ACL) to go through the
ASA:
hostname(config)# access-list ACL_IN extended permit ip any any
The following ACL prevents hosts on 192.168.1.0/24 from accessing the 209.165.201.0/27 network for
TCP-based traffic. All other addresses are permitted.
hostname(config)# access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0
209.165.201.0 255.255.255.224
hostname(config)# access-list ACL_IN extended permit ip any any
If you want to restrict access to selected hosts only, then enter a limited permit ACE. By default, all other
traffic is denied unless explicitly permitted.
hostname(config)# access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0
209.165.201.0 255.255.255.224
The following ACL restricts all hosts (on the interface to which you apply the ACL) from accessing a
website at address 209.165.201.29. All other traffic is allowed.
hostname(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www
hostname(config)# access-list ACL_IN extended permit ip any any
The following ACL that uses object groups restricts several hosts on the inside network from accessing
several web servers. All other traffic is allowed.
hostname(config-network)# access-list ACL_IN extended deny tcp object-group denied
object-group web eq www
hostname(config)# access-list ACL_IN extended permit ip any any
hostname(config)# access-group ACL_IN in interface inside
The following example temporarily disables an ACL that permits traffic from one group of network
objects (A) to another group of network objects (B):
hostname(config)# access-list 104 permit ip host object-group A object-group B inactive
To implement a time-based ACE, use the time-range command to define specific times of the day and
week. Then use the access-list extended command to bind the time range to an ACE. The following
example binds an ACE in the “Sales” ACL to a time range named “New_York_Minute.”
hostname(config)# access-list Sales line 1 extended deny tcp host 209.165.200.225 host
209.165.201.1 time-range New_York_Minute
The following example shows a mixed IPv4/IPv6 ACL:
hostname(config)# access-list demoacl extended permit ip 2001:DB8:1::/64 10.2.2.0
255.255.255.0
hostname(config)# access-list demoacl extended permit ip 2001:DB8:1::/64 2001:DB8:2::/64
hostname(config)# access-list demoacl extended permit ip host 10.3.3.3 host 10.4.4.4
To Next Page
Loading...
Need help?
General
