Add an Extended ACE for ICMP-Based Matching; Add an Extended ACE for User-Based Matching (Identity Firewall) - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Chapter 3
Access Control Lists
Configure ACLs

object-group service_grp_id—Specifies a service object group created using the object-group service command.
For an explanation of the other keywords, see Add an Extended ACE for IP Address or Fully-Qualified Domain Name-Based Matching, page 3-7.

Add an Extended ACE for ICMP-Based Matching

The ICMP extended ACE is just the basic address-matching ACE where the protocol is icmp or icmp6. Because these protocols have type and code values, you can add type and code specifications to the ACE. For example, you can target ICMP Echo Request traffic (pings).
To add an ACE for IP address or FQDN matching, where the protocol is ICMP or ICMP6, use the following command:
access-list access_list_name [line line_number] extended {deny | permit}
{icmp | icmp6} source_address_argument dest_address_argument [icmp_argument]
[log [[level] [interval secs] | disable | default]]
[time-range time_range_name]
[inactive]
Example:
hostname(config)# access-list abc extended permit icmp any any object-group obj_icmp_1
hostname(config)# access-list abc extended permit icmp any any echo
The icmp_argument option specifies the ICMP type and code.
icmp_type [icmp_code]—Specifies the ICMP type by name or number, and the optional ICMP code for that type. If you do not specify the code, then all codes are used.
object-group icmp_grp_id—Specifies an object group for ICMP/ICMP6 created using the object-group service or (deprecated) object-group icmp command.
For an explanation of the other keywords, see Add an Extended ACE for IP Address or Fully-Qualified Domain Name-Based Matching, page 3-7.

Add an Extended ACE for User-Based Matching (Identity Firewall)

The user-based extended ACE is just the basic address-matching ACE where you add a username or user group to the source matching criteria. By creating rules based on user identity, you can avoid tying rules to static host or network addresses. For example, if you define a rule for user1, and the identity firewall feature maps that user to a host assigned 10.100.10.3 one day, but 192.168.1.5 the next day, the user-based rule still applies.
Because you must still supply source and destination addresses, broaden the source address to include the likely addresses that will be assigned to the user (normally through DHCP). For example, user "LOCAL\user1 any" will match the LOCAL\user1 user no matter what address is assigned, whereas "LOCAL\user1 10.100.1.0 255.255.255.0" matches the user only if the address is on the 10.100.1.0/24 network.
By using group names, you can define rules based on entire classes of users, such as students, teachers, managers, engineers, and so forth.
To add an ACE for user or group matching, use the following command:
access-list access_list_name [line line_number] extended {deny | permit} protocol_argument
[user_argument] source_address_argument [port_argument]
dest_address_argument [port_argument]
Cisco ASA Series Firewall CLI Configuration Guide
3-10
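The following is an added example, not Cisco code and not part of the manual: a small Python evaluator for the two ACE forms described on this page, ICMP type/code matching and user-based (identity firewall) matching. It parses only the subset of the access-list syntax shown here (no port, log, time-range or inactive keywords) and then applies an ACL to constructed packets, showing that an ACE with "user LOCAL\user1 any" matches the user whether the identity firewall has mapped them to 10.100.10.3 or 192.168.1.5, while "LOCAL\user1 10.100.1.0 255.255.255.0" matches only inside 10.100.1.0/24. Assumptions: the Packet class stands in for the identity firewall's user-to-address mapping, the ICMP name table and the contents of the object group obj_icmp_1 are constructed, and the user-group keyword for group matching is assumed (the page names the feature but shows no group syntax). The implicit deny at the end of the ACL mirrors the ASA's behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMP type names -> numbers. Constructed subset; the ASA accepts more names.
ICMP_TYPE_NAMES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

# Constructed stand-in for ICMP object groups: name -> {(type, code or None)}.
# obj_icmp_1 is the group name from the page's example; its members are assumed here.
ICMP_OBJECT_GROUPS = {"obj_icmp_1": {(8, None), (0, None)}}

Net = Optional[ipaddress.IPv4Network]   # None means "any"


@dataclass
class Packet:
    """Constructed packet plus the identity the firewall mapped to its source address."""
    proto: str
    src: str
    dst: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    user: Optional[str] = None           # e.g. "LOCAL\\user1" (identity firewall mapping)
    groups: Tuple[str, ...] = ()


@dataclass
class Ace:
    action: str
    proto: str
    user: Optional[str]
    user_group: Optional[str]
    src: Net
    dst: Net
    icmp: Optional[set]                  # {(type, code or None)}; None means any ICMP type


def _parse_addr(tok: List[str], i: int) -> Tuple[Net, int]:
    """Parse any | any4 | host A.B.C.D | A.B.C.D MASK starting at tok[i]."""
    if tok[i] in ("any", "any4"):
        return None, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse the subset of 'access-list NAME [line N] extended ...' shown on the page."""
    tok = line.split()
    i = 2                                # skip 'access-list <name>'
    if tok[i] == "line":
        i += 2
    assert tok[i] == "extended", "only extended ACEs are handled"
    action, proto = tok[i + 1], tok[i + 2]
    i += 3
    user = group = None
    if tok[i] == "user":                 # user_argument: user DOMAIN\name
        user, i = tok[i + 1], i + 2
    elif tok[i] == "user-group":         # assumed keyword for group-based matching
        group, i = tok[i + 1], i + 2
    src, i = _parse_addr(tok, i)
    dst, i = _parse_addr(tok, i)
    icmp = None
    if proto in ("icmp", "icmp6") and i < len(tok):     # optional icmp_argument
        if tok[i] == "object-group":
            icmp = ICMP_OBJECT_GROUPS[tok[i + 1]]
        else:
            itype = ICMP_TYPE_NAMES.get(tok[i])
            itype = int(tok[i]) if itype is None else itype
            has_code = i + 1 < len(tok) and tok[i + 1].isdigit()
            icmp = {(itype, int(tok[i + 1]) if has_code else None)}   # no code -> all codes
    return Ace(action, proto, user, group, src, dst, icmp)


def matches(ace: Ace, pkt: Packet) -> bool:
    """True when every criterion present in the ACE matches the packet and its identity."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.user and (pkt.user or "").lower() != ace.user.lower():
        return False
    if ace.user_group and ace.user_group.lower() not in (g.lower() for g in pkt.groups):
        return False
    if ace.src is not None and ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ace.dst is not None and ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.icmp is not None and not any(
        t == pkt.icmp_type and (c is None or c == pkt.icmp_code) for t, c in ace.icmp
    ):
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE decides; an ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


if __name__ == "__main__":
    acl = [parse_ace("access-list abc extended permit icmp any any echo"),
           parse_ace(r"access-list abc extended permit ip user LOCAL\user1 any any")]
    ping = Packet("icmp", "10.0.0.5", "10.0.0.1", icmp_type=8, icmp_code=0)
    roaming = Packet("tcp", "192.168.1.5", "10.1.1.1", user="LOCAL\\user1")
    print(evaluate(acl, ping), evaluate(acl, roaming))
```

The evaluator keeps the ASA's first-match semantics, so ACE order matters exactly as it does on the appliance; a broad "user LOCAL\user1 any" ACE placed before a narrower one will shadow it. The network-scoped form only narrows where an identity match counts, it never widens it, which is why the page recommends broadening the source address to the DHCP range the user is likely to receive.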