Cisco ASA Series CLI Configuration Manual page 561

Software version 9.0 for the services module

Chapter 1
Adding an Extended Access Control List
Licensing Requirements for Extended ACLs
Model          License Requirement
All models     Base License.
Guidelines and Limitations
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall modes.
IPv6 Guidelines
Supports IPv6.
Features That Do Not Support IDFW, FQDN, and TrustSec ACLs
The following features use ACLs, but cannot accept an ACL with IDFW, FQDN, or TrustSec values:
route-map command
VPN crypto map command
VPN group-policy command, except for vpn-filter
WCCP
DAP
Additional Guidelines and Limitations
Tip: Enter the ACL name in uppercase letters so that the name is easy to see in the configuration.
You might want to name the ACL for the interface (for example, INSIDE), or you can name it for
the purpose for which it is created (for example, NO_NAT or VPN).
Typically, you identify the ip keyword for the protocol, but other protocols are accepted. For a list
of protocol names, see the "Protocols and Applications" section on page 1-11.
You can specify the source and destination ports only for the TCP or UDP protocols. For a list of
permitted keywords and well-known port assignments, see the "TCP and UDP Ports" section on
page 1-11. DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition
for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP.
When you specify a network mask, the method is different from the Cisco IOS software access-list
command. The ASA uses a network mask (for example, 255.255.255.0 for a Class C mask). The
Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
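An added example, not part of the Cisco guide: a Python check for the network mask versus wildcard bits difference described above. It scans ACL lines for address/mask pairs whose mask looks like Cisco IOS wildcard bits and suggests the network mask form. The function names and sample lines are constructed for illustration, and the parser assumes whitespace-separated tokens and IPv4 addresses only.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def _is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False

def classify_mask(mask):
    """Classify a dotted-quad mask: netmask, wildcard, ambiguous or non-contiguous."""
    v = int(ipaddress.IPv4Address(mask))
    if v in (0, ALL_ONES):
        return "ambiguous"          # "any" in one style, "one host" in the other
    inv = v ^ ALL_ONES
    if (inv & (inv + 1)) == 0:      # ones then zeros, e.g. 255.255.255.0
        return "netmask"
    if (v & (v + 1)) == 0:          # zeros then ones, e.g. 0.0.0.255
        return "wildcard"
    return "non-contiguous"

def wildcard_to_netmask(mask):
    """Invert wildcard bits into the network mask form."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ ALL_ONES))

def lint_acl(lines):
    """Return (line_no, address, mask, suggestion) for masks that are not plain netmasks."""
    findings = []
    for no, line in enumerate(lines, 1):
        tok, i = line.split(), 0
        while i < len(tok) - 1:
            if tok[i] == "host":                      # host A.B.C.D carries no mask
                i += 2
            elif _is_ipv4(tok[i]) and _is_ipv4(tok[i + 1]):
                kind = classify_mask(tok[i + 1])
                if kind != "netmask":
                    fix = wildcard_to_netmask(tok[i + 1]) if kind == "wildcard" else "review: " + kind
                    findings.append((no, tok[i], tok[i + 1], fix))
                i += 2
            else:
                i += 1
    return findings

SAMPLE = [  # constructed ACL lines, not taken from the guide
    "access-list INSIDE extended permit tcp 10.1.1.0 255.255.255.0 host 192.0.2.10 eq 443",
    "access-list INSIDE extended permit ip 10.1.2.0 0.0.0.255 any",
    "access-list VPN extended permit ip 10.1.3.0 255.255.255.0 10.9.0.0 0.0.255.255",
    "access-list VPN extended permit ip 10.1.4.7 0.0.0.0 any",
]
```

Masks of 0.0.0.0 and 255.255.255.255 are reported for manual review because each is valid in both notations with opposite meaning, so a line copied between the two platforms can silently widen or narrow a rule.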