1-5
Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Adding an Extended Access Control List
  Configuring Extended ACLs
Detailed Steps
Command:
    access-list access_list_name [line line_number] extended {deny | permit} protocol_argument source_address_argument dest_address_argument [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]

Example:
    hostname(config)# access-list ACL_IN extended permit ip any any

Purpose:
Adds an ACE for IP address or FQDN policy.
• Line number—The line line_number option specifies the line number at which to insert the ACE; otherwise, the ACE is added to the end of the ACL.
• Permit or Deny—The deny keyword denies or exempts a packet if the conditions are matched. The permit keyword permits a packet if the conditions are matched.
• Protocol—The protocol_argument specifies the IP protocol:
  – name or number—Specifies the protocol name or number. Specify ip to apply to all protocols.
  – object-group protocol_grp_id—Specifies a protocol object group created using the object-group protocol command.
  – object service_obj_id—Specifies a service object created using the object service command. A TCP, UDP, or ICMP service object can include a protocol and a source and/or destination port or ICMP type and code.
  – object-group service_grp_id—Specifies a service object group created using the object-group service command.
• Source Address, Destination Address—The source_address_argument specifies the IP address or FQDN from which the packet is being sent, and the dest_address_argument specifies the IP address or FQDN to which the packet is being sent:
  – host ip_address—Specifies an IPv4 host address.
  – dest_ip_address mask—Specifies an IPv4 network address and subnet mask.
  – ipv6-address/prefix-length—Specifies an IPv6 host or network address and prefix.
  – any, any4, and any6—any specifies both IPv4 and IPv6 traffic; any4 specifies only IPv4 traffic; and any6 specifies only IPv6 traffic.
  – object nw_obj_id—Specifies a network object created using the object network command.
  – object-group nw_grp_id—Specifies a network object group created using the object-group network command.
• Logging—The log arguments set logging options when an ACE matches a packet for network access (an ACL applied with the access-group command).
• Activation—The inactive keyword disables the ACE; the time-range time_range_name keyword restricts the ACE to the period when the named time range is active. See the time-range command for information about defining a time range.
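As an added example (not code from the Cisco guide), the following Python parses ACEs written in the syntax above and flags every active entry that permits ip from any to any, the pattern a reviewer of an access-group ACL most wants surfaced. The ACL names, object-group names, addresses and time-range name in SAMPLE_CONFIG are constructed for this demo; the parser covers only the options shown on this page (no port operators) and rejects anything else, so an unexpected keyword is reported rather than silently ignored.

```python
"""Parse Cisco ASA 'access-list ... extended' ACEs and flag broad permits.

Added example, not code from the Cisco guide. The grammar follows the syntax
block on this page (IP/FQDN policy ACEs only; no port operators). Every name
and address in SAMPLE_CONFIG is constructed for the demo.
"""
import ipaddress

ANY_KEYWORDS = {"any", "any4", "any6"}
LOG_LEVELS = {"emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"}

# Constructed sample configuration exercising the options shown on the page.
SAMPLE_CONFIG = """
access-list ACL_IN extended permit ip any any
access-list ACL_IN line 1 extended deny ip host 10.1.1.5 any4 log 6 interval 300
access-list ACL_IN extended permit object-group TCP_SERVICES 10.1.1.0 255.255.255.0 object-group DMZ_HOSTS time-range BUSINESS_HOURS
access-list ACL_IN extended permit ip any6 2001:db8::/32 log disable inactive
access-list ACL_OUT extended permit ip any any log default inactive
""".strip().splitlines()


def _parse_address(tokens, pos):
    """Consume one source/dest address argument; return (descriptor, next_pos)."""
    tok = tokens[pos]
    if tok in ANY_KEYWORDS:
        return {"kind": tok}, pos + 1
    if tok == "host":                      # host ip_address
        return {"kind": "host", "value": ipaddress.ip_address(tokens[pos + 1])}, pos + 2
    if tok in ("object", "object-group"):  # object / object-group reference
        return {"kind": tok, "value": tokens[pos + 1]}, pos + 2
    if "/" in tok:                         # ipv6-address/prefix-length
        return {"kind": "network", "value": ipaddress.ip_network(tok, strict=False)}, pos + 1
    if pos + 1 >= len(tokens):
        raise ValueError(f"address {tok!r} is missing its subnet mask")
    net = ipaddress.ip_network(f"{tok}/{tokens[pos + 1]}", strict=False)  # ip_address mask
    return {"kind": "network", "value": net}, pos + 2


def parse_ace(line):
    """Parse 'access-list NAME [line N] extended {permit|deny} proto src dst [log ...] [inactive | time-range NAME]'."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an extended access-list command: {line!r}")
    ace = {"acl": tokens[1], "line": None, "log": None, "inactive": False, "time_range": None}
    pos = 2
    if tokens[pos] == "line":              # optional explicit line number
        ace["line"] = int(tokens[pos + 1])
        pos += 2
    if tokens[pos] != "extended":
        raise ValueError(f"expected 'extended' in {line!r}")
    pos += 1
    if tokens[pos] not in ("permit", "deny"):
        raise ValueError(f"expected permit|deny in {line!r}")
    ace["action"] = tokens[pos]
    pos += 1
    if tokens[pos] in ("object", "object-group"):   # protocol via object reference
        ace["protocol"] = {"kind": tokens[pos], "value": tokens[pos + 1]}
        pos += 2
    else:                                            # protocol name or number
        ace["protocol"] = {"kind": "name", "value": tokens[pos]}
        pos += 1
    ace["source"], pos = _parse_address(tokens, pos)
    ace["dest"], pos = _parse_address(tokens, pos)
    if pos < len(tokens) and tokens[pos] == "log":   # log [[level] [interval secs] | disable | default]
        pos += 1
        log = {"mode": "enabled", "level": None, "interval": None}
        if pos < len(tokens) and tokens[pos] in ("disable", "default"):
            log["mode"] = tokens[pos]
            pos += 1
        else:
            if pos < len(tokens) and (tokens[pos].isdigit() or tokens[pos] in LOG_LEVELS):
                log["level"] = tokens[pos]
                pos += 1
            if pos < len(tokens) and tokens[pos] == "interval":
                log["interval"] = int(tokens[pos + 1])
                pos += 2
        ace["log"] = log
    if pos < len(tokens) and tokens[pos] == "inactive":
        ace["inactive"] = True
        pos += 1
    elif pos < len(tokens) and tokens[pos] == "time-range":
        ace["time_range"] = tokens[pos + 1]
        pos += 2
    if pos != len(tokens):
        raise ValueError(f"unparsed tokens {tokens[pos:]} in {line!r}")
    return ace


def find_broad_permits(config_lines):
    """Return (acl_name, line) for every active ACE that permits ip from any to any."""
    findings = []
    for raw in config_lines:
        raw = raw.strip()
        if not raw.startswith("access-list "):
            continue
        ace = parse_ace(raw)
        if (ace["action"] == "permit" and ace["protocol"] == {"kind": "name", "value": "ip"}
                and ace["source"]["kind"] in ANY_KEYWORDS and ace["dest"]["kind"] in ANY_KEYWORDS
                and not ace["inactive"]):
            findings.append((ace["acl"], raw))
    return findings


if __name__ == "__main__":
    for acl, text in find_broad_permits(SAMPLE_CONFIG):
        print(f"{acl}: broad permit -> {text}")
```

Running the file reports only the first ACL_IN entry: the ACL_OUT entry also permits ip any any but is marked inactive, so the check treats it as not enforced. Feed `find_broad_permits` the lines of a saved running-config to apply the same check to a real ACL.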