Configure ACLs; Basic ACL Configuration and Management Options - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Configure ACLs
The following sections explain how to configure the various types of ACL. Read the section on ACL basics to get the big picture, then the sections on specific types of ACL for the details.

Basic ACL Configuration and Management Options, page 3-6
Configure Extended ACLs, page 3-7
Configure Standard ACLs, page 3-13
Configure Webtype ACLs, page 3-14
Configure EtherType ACLs, page 3-17

Cisco ASA Series Firewall CLI Configuration Guide, page 3-6

Basic ACL Configuration and Management Options

An ACL is made up of one or more access control entries (ACEs) with the same ACL ID or name. To create a new ACL, you simply create an ACE with a new ACL name, and it becomes the first rule in the new ACL.

Working with an ACL, you can do the following things:
Examine the ACL contents and determine line numbers and hit counts—Use the show access-list name command to view the contents of the ACL. Each row is an ACE, and includes the line number, which you will need to know if you want to insert new entries into an extended ACL. The information also includes a hit count for each ACE, which is how many times the rule was matched by traffic. For example:

hostname# show access-list outside_access_in
access-list outside_access_in; 3 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit ip 10.2.2.0 255.255.255.0 any (hitcnt=0) 0xcc48b55c
access-list outside_access_in line 2 extended permit ip host 2001:DB8::0DB8:800:200C:417A any (hitcnt=0) 0x79797f94
access-list outside_access_in line 3 extended permit ip user-group LOCAL\\usergroup any any (hitcnt=0) 0xb0f5b1e1
Add an ACE—The command for adding an ACE is access-list name [line line-num] type parameters. The line number argument works for extended ACLs only. If you include the line number, the ACE is inserted at that location in the ACL, and the ACE that was at that location is moved down, along with the remainder of the ACEs (that is, inserting an ACE at a line number does not replace the old ACE at that line). If you do not include a line number, the ACE is added to the end of the ACL. The parameters available differ based on the ACL type; see the specific topics on each ACL type for details.
Add comments to an ACL (all types except webtype)—Use the access-list name [line line-num] remark text command to add remarks into an ACL to help explain the purpose of an ACE. Best practice is to insert the remark before the ACE; if you view the configuration in ASDM, remarks will be associated with the ACE that follows the remarks. You can enter multiple remarks before an ACE to include an expanded comment. Each remark is limited to 100 characters. You can include leading spaces to help set off the remarks. If you do not include a line number, the remark is added to the end of the ACL. For example, you could add remarks before adding each ACE:

hostname(config)# access-list OUT remark - this is the inside admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
hostname(config)# access-list OUT remark - this is the hr admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any
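As an added example that is not part of the Cisco guide, the following Python parses show access-list output in the row format shown above, lists the ACEs whose hit count is still zero (the rows an administrator reviews first when pruning an ACL), and models the line-number insertion described under "Add an ACE" so you can predict the renumbering before touching the device. The sample is the page's own output for outside_access_in, wrapped as the terminal printed it; the insert semantics (new ACE at line N, the rest shifted down, hit count starting at 0) are taken from the text and everything else, including the function names, is an assumption.

```python
import re
from dataclasses import dataclass, replace
from typing import List, Optional
# One ACE row of `show access-list` output, in the format the page shows (assumed fixed here).
ACE_RE = re.compile(r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<kind>extended|standard|"
                    r"webtype|ethertype) (?P<rule>.+?) \(hitcnt=(?P<hits>\d+)\)(?: (?P<hash>0x[0-9a-f]+))?$")

@dataclass
class Ace:
    acl: str
    line: int
    kind: str
    rule: str
    hits: int
    hash: Optional[str]

def parse_show_access_list(text: str) -> List[Ace]:
    """Re-join rows the terminal wrapped (continuations do not start with 'access-list'), then parse."""
    rows: List[str] = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("access-list") or not rows:
            rows.append(line)
        else:
            rows[-1] += " " + line
    matches = filter(None, map(ACE_RE.match, rows))  # prompt and summary rows do not match
    return [Ace(m["acl"], int(m["line"]), m["kind"], m["rule"], int(m["hits"]), m["hash"]) for m in matches]

def unused_aces(aces: List[Ace]) -> List[Ace]:
    """ACEs with hitcnt=0: rules no traffic has matched, the first thing to review in an ACL cleanup."""
    return [a for a in aces if a.hits == 0]

def insert_ace(aces: List[Ace], line_num: int, kind: str, rule: str) -> List[Ace]:
    """Model `access-list NAME line N KIND RULE` on an extended ACL as the page describes: the new ACE
    takes line N and the ACE that was there, plus all later ones, move down. Assumes 1 <= N <= len+1."""
    if not 1 <= line_num <= len(aces) + 1:
        raise ValueError("line number out of range for this ACL")
    new = Ace(aces[0].acl if aces else "ACL", line_num, kind, rule, hits=0, hash=None)  # assumed: starts at hitcnt=0
    result = aces[:line_num - 1] + [new] + aces[line_num - 1:]
    return [replace(a, line=i) for i, a in enumerate(result, start=1)]

# Constructed sample: the page's `show access-list outside_access_in` output, wrapped as printed there.
SAMPLE = r"""access-list outside_access_in; 3 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit ip 10.2.2.0 255.255.255.0 any
(hitcnt=0) 0xcc48b55c
access-list outside_access_in line 2 extended permit ip host
2001:DB8::0DB8:800:200C:417A any (hitcnt=0) 0x79797f94
access-list outside_access_in line 3 extended permit ip user-group LOCAL\\usergroup
any any (hitcnt=0) 0xb0f5b1e1
"""
```

Calling insert_ace(parse_show_access_list(SAMPLE), 2, "extended", "deny ip host 192.0.2.10 any") returns four ACEs numbered 1 to 4, with the page's original line 2 now at line 3, which is the shift the text describes.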
Chapter 3
Access Control Lists
