Adding An Extended Access List - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01

Chapter 16
Identifying Traffic with Access Lists

If you perform NAT on both interfaces, keep in mind the addresses that are visible to a given interface. In Figure 16-3, an outside server uses static NAT so that a translated address appears on the inside network.

Figure 16-3 IP Addresses in Access Lists: NAT used for Source and Destination Addresses
[Figure labels: Outside; Inside; Static NAT 209.165.200.225, 10.1.1.56; PAT 10.1.1.0/24, 209.165.201.4:port; ACL: Permit from 10.1.1.0/24 to 10.1.1.56]

See the following commands for this example:
hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 10.1.1.56
hostname(config)# access-group INSIDE in interface inside

Adding an Extended Access List

This section describes how to add an extended access list, and includes the following sections:
Extended Access List Overview
Adding an Extended ACE

Extended Access List Overview

An extended access list is made up of one or more ACEs, in which you can specify the line number to insert the ACE, source and destination addresses, and, depending on the ACE type, the protocol, the ports (for TCP or UDP), or the ICMP type (for ICMP). You can identify all of these parameters within the access-list command, or you can use object groups for each parameter. This section describes how to identify the parameters within the command. To use object groups, see the "Simplifying Access Lists with Object Grouping" section on page 16-10.

For information about logging options that you can add to the end of the ACE, see the "Logging Access List Activity" section on page 16-18. For information about time range options, see "Scheduling Extended Access List Activation" section on page 16-17.
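
The Figure 16-3 rule (an ACE must use the address that is visible on the interface where the access list is applied) can be checked mechanically when reviewing a configuration. The following Python sketch is an added example, not part of the Cisco guide: it parses only the `access-list NAME extended permit|deny ip SRC DST` form shown above, and the function names, the NAT table and the second sample line are assumptions constructed for illustration.

```python
import ipaddress

# Constructed from Figure 16-3: real address of the outside server mapped to
# the static NAT address that hosts on the inside interface see.
STATIC_NAT_ON_INSIDE = {"209.165.200.225": "10.1.1.56"}

def parse_addr(tokens):
    """Consume one address spec ('any', 'host A' or 'NET MASK') from tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny ip SRC DST' (IP ACEs only)."""
    t = line.split()
    if t and t[0].endswith("#"):          # drop a leading CLI prompt
        t = t[1:]
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, rest = parse_addr(t[5:])
    dst, _ = parse_addr(rest)
    return {"name": t[1], "action": t[3], "src": src, "dst": dst}

def check_inside_ace(line):
    """Warn when an ACE for the inside interface names a real (untranslated) host."""
    ace = parse_ace(line)
    warnings = []
    for field in ("src", "dst"):
        net = ace[field]
        real = str(net.network_address)
        if net.prefixlen == 32 and real in STATIC_NAT_ON_INSIDE:
            warnings.append(f"{ace['name']}: {field} {real} is not visible on inside; "
                            f"use {STATIC_NAT_ON_INSIDE[real]}")
    return warnings

if __name__ == "__main__":
    for sample in (
        # First line is the page's command; the second is a constructed mistake.
        "hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 10.1.1.56",
        "hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225",
    ):
        print(check_inside_ace(sample) or "ok")
```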


This manual is also suitable for:

PIX 500 series, Cisco ASA 5500 series