Add An Extended Ace For Tcp Or Udp-Based Matching, With Ports - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Chapter 3
Access Control Lists

Add an Extended ACE for TCP or UDP-Based Matching, with Ports

The TCP/UDP extended ACE is the basic address-matching ACE where the protocol is tcp or udp.
Because these protocols use ports, you can add port specifications to the ACE. For example, you can
target HTTP traffic on TCP port 80.
To add an ACE for IP address or FQDN matching where the protocol is TCP or UDP, use the following
command:
access-list access_list_name [line line_number] extended {deny | permit}
{tcp | udp} source_address_argument [port_argument] dest_address_argument [port_argument]
[log [[level] [interval secs] | disable | default]]
[time-range time_range_name]
[inactive]
Example:
hostname(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www
The port_argument option specifies the source or destination port. If you do not specify ports, all ports
are matched. Available arguments include:
operator port—The operator can be one of the following:
lt—less than
gt—greater than
eq—equal to
neq—not equal to
range—an inclusive range of values. When you use this operator, specify two port numbers, for
example:
range 100 200
The port can be the integer or name of a TCP or UDP port. DNS, Discard, Echo, Ident, NTP, RPC,
SUNRPC, and Talk each require one definition for TCP and one for UDP. TACACS+ requires one
definition for port 49 on TCP.
object service_obj_id—Specifies a service object created using the object service command. See
Configure Service Objects and Service Groups, page 2-4.
Logging—The arguments of the log option are:
level—A severity level between 0 and 7. The default is 6 (informational). If you change this
level for an active ACE, the new level applies to new connections; existing connections continue
to be logged at the previous level.
interval secs—The time interval in seconds between syslog messages, from 1 to 600. The
default is 300. This value is also used as the timeout value for deleting an inactive flow from the
cache used to collect drop statistics.
disable—Disables all ACE logging.
default—Enables logging to message 106023 for denied packets. This setting is the same as not
including the log option.
Time Range—The time-range time_range_name option specifies a time range object, which
determines the times of day and days of the week in which the ACE is active. If you do not include
a time range, the ACE is always active.
Activation—Use the inactive option to disable the ACE without deleting it. To reenable it, enter the
entire ACE without the inactive keyword.
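The matching rules described above (tcp or udp protocol, any/host/network addresses, the lt, gt, eq, neq and range port operators with range inclusive at both ends, all ports matching when no port is given, and an inactive ACE never matching) as an added worked example in Python. This is a small model written for this page, not Cisco code or ASA behaviour in every detail: the port-name table is a constructed subset, the log and time-range options are parsed but do not affect matching, the sample ACL is constructed (its first line is the manual's own example), and the implicit deny at the end of an ACL is assumed.

```python
"""Toy evaluator for ASA-style extended TCP/UDP ACEs (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed subset of the port names the ASA accepts; extend as needed.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22,
              "domain": 53, "tacacs": 49, "telnet": 23}
PORT_OPS = ("lt", "gt", "eq", "neq", "range")


def port_value(token: str) -> int:
    """Resolve a port given either as a name or as an integer."""
    return PORT_NAMES.get(token.lower(), None) or int(token)


@dataclass
class PortSpec:
    op: str
    lo: int
    hi: int = 0  # only used by range

    def matches(self, port: int) -> bool:
        if self.op == "lt":
            return port < self.lo
        if self.op == "gt":
            return port > self.lo
        if self.op == "eq":
            return port == self.lo
        if self.op == "neq":
            return port != self.lo
        return self.lo <= port <= self.hi  # range is inclusive at both ends


@dataclass
class Ace:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[PortSpec]
    dst: ipaddress.IPv4Network
    dst_port: Optional[PortSpec]
    inactive: bool
    log: bool

    def matches(self, proto, src_ip, src_port, dst_ip, dst_port) -> bool:
        if self.inactive or proto != self.proto:
            return False
        if ipaddress.ip_address(src_ip) not in self.src:
            return False
        if ipaddress.ip_address(dst_ip) not in self.dst:
            return False
        # A missing port specification means every port matches.
        if self.src_port and not self.src_port.matches(src_port):
            return False
        if self.dst_port and not self.dst_port.matches(dst_port):
            return False
        return True


def parse_address(t: List[str], i: int):
    """Parse any | host A.B.C.D | A.B.C.D MASK starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_port(t: List[str], i: int):
    """Parse an optional 'operator port [port]' clause starting at t[i]."""
    if i >= len(t) or t[i] not in PORT_OPS:
        return None, i
    if t[i] == "range":
        return PortSpec("range", port_value(t[i + 1]), port_value(t[i + 2])), i + 3
    return PortSpec(t[i], port_value(t[i + 1])), i + 2


def parse_ace(line: str) -> Ace:
    t = line.split()
    t = t[t.index("access-list"):]  # drop a leading hostname(config)# prompt
    i = t.index("extended") + 1
    action, proto = t[i], t[i + 1]
    if action not in ("permit", "deny") or proto not in ("tcp", "udp"):
        raise ValueError(f"not a TCP/UDP extended ACE: {line}")
    i += 2
    src, i = parse_address(t, i)
    sport, i = parse_port(t, i)
    dst, i = parse_address(t, i)
    dport, i = parse_port(t, i)
    rest = t[i:]  # trailing log ..., time-range ..., inactive
    return Ace(t[1], action, proto, src, sport, dst, dport,
               inactive="inactive" in rest, log="log" in rest)


def evaluate(acl: List[Ace], proto, src_ip, src_port, dst_ip, dst_port) -> str:
    """First matching active ACE decides; otherwise the implicit deny applies."""
    for ace in acl:
        if ace.matches(proto, src_ip, src_port, dst_ip, dst_port):
            return ace.action
    return "deny"


# Constructed sample ACL; the first line is the manual's own example.
ACL_IN = [parse_ace(l) for l in [
    "hostname(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www",
    "access-list ACL_IN extended permit tcp any host 209.165.201.29 range 8000 8010 log 5 interval 60",
    "access-list ACL_IN extended permit udp 10.1.1.0 255.255.255.0 any eq domain inactive",
    "access-list ACL_IN extended permit tcp any any neq telnet",
]]

if __name__ == "__main__":
    print(evaluate(ACL_IN, "tcp", "192.0.2.10", 40000, "209.165.201.29", 80))    # deny
    print(evaluate(ACL_IN, "tcp", "192.0.2.10", 40000, "209.165.201.29", 8010))  # permit
    print(evaluate(ACL_IN, "udp", "10.1.1.5", 5000, "198.51.100.1", 53))         # deny
```

The third sample ACE carries the inactive keyword, so UDP DNS traffic from 10.1.1.0/24 falls through to the implicit deny even though the address and port match; re-entering that ACE without inactive is what would reactivate it, exactly as the Activation note above describes.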
Cisco ASA Series Firewall CLI Configuration Guide, Configure ACLs, page 3-9