Cisco ASA Series CLI Configuration Manual, page 563

Software version 9.0 for the services module
Chapter 1
Adding an Extended Access Control List
Detailed Steps
Command
access-list access_list_name [line line_number] extended {deny | permit} protocol_argument source_address_argument dest_address_argument [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]
Example:
hostname(config)# access-list ACL_IN extended permit ip any any
Purpose
Adds an ACE for an IP address or FQDN policy.
Line number—The line line_number option specifies the line number at which to insert the ACE; otherwise, the ACE is added to the end of the ACL. An ACL is evaluated top down and the first matching ACE wins, so the position of an ACE determines which packets it actually affects.
Permit or Deny—The deny keyword denies or exempts a packet if the conditions are matched. The permit keyword permits a packet if the conditions are matched. Packets that match no ACE are dropped by the implicit deny at the end of every ACL, so a permit ip any any such as the example above removes that protection for the interface the ACL is applied to.
Protocol—The protocol_argument specifies the IP protocol:
name or number—Specifies the protocol name or number. Specify
ip to apply to all protocols.
object-group protocol_grp_id—Specifies a protocol object group
created using the object-group protocol command.
object service_obj_id—Specifies a service object created using
the object service command. A TCP, UDP, or ICMP service object
can include a protocol and a source and/or destination port or
ICMP type and code.
object-group service_grp_id—Specifies a service object group
created using the object-group service command.
Source Address, Destination Address—The source_address_argument
specifies the IP address or FQDN from which the packet is being sent,
and the dest_address_argument specifies the IP address or FQDN to
which the packet is being sent:
host ip_address—Specifies an IPv4 host address.
ip_address mask—Specifies an IPv4 network address and subnet mask (a dotted subnet mask, not a prefix length).
ipv6-address/prefix-length—Specifies an IPv6 host or network address and prefix.
any, any4, and any6—any specifies both IPv4 and IPv6 traffic; any4 specifies only IPv4 traffic; and any6 specifies only IPv6 traffic.
object nw_obj_id—Specifies a network object created using the
object network command.
object-group nw_grp_id—Specifies a network object group
created using the object-group network command.
Logging—The log arguments set logging options when an ACE matches a packet for network access (an ACL applied with the access-group command). Specify log with an optional syslog level and interval secs to log matches at that level and rate-limit the messages, log disable to suppress logging for this ACE, or log default to restore the default logging behavior.
Activation—The inactive keyword disables the ACE without removing it from the configuration; the time-range time_range_name keyword makes the ACE active only during the named time range. See the time-range command for information about defining a time range.
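The following configuration is an added example, not taken from the Cisco guide, that puts the options above together in one inbound ACL for an outside interface. The interface name, ACL name, object names, addresses and time range are all assumed placeholders. It shows object and object-group arguments, any4 versus any, per-ACE logging with a level and interval, a time-range-bound ACE, an inactive ACE kept for later, and the line keyword used to insert an anti-spoofing deny ahead of existing permits without rebuilding the ACL.

```text
! Added example (assumed names and addresses; not the guide's configuration).
! Network and service objects referenced by the ACEs.
object network WEB_SERVER
 host 192.0.2.10
object-group network SCANNER_HOSTS
 network-object host 198.51.100.7
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object eq 443
time-range MAINT_WINDOW
 periodic Saturday 01:00 to 03:00

! ACEs are matched top down; the first match wins.
! 1. Drop known scanners and log at level warnings, at most one message per 60 s.
access-list OUTSIDE_IN extended deny ip object-group SCANNER_HOSTS any log warnings interval 60
! 2. IPv4 web traffic to the server on the ports in WEB_PORTS only (any4, not any).
access-list OUTSIDE_IN extended permit tcp any4 object WEB_SERVER object-group WEB_PORTS
! 3. SSH from one management host, and only during the maintenance window.
access-list OUTSIDE_IN extended permit tcp host 203.0.113.5 object WEB_SERVER eq 22 time-range MAINT_WINDOW
! 4. Ping kept in the configuration but switched off until needed.
access-list OUTSIDE_IN extended permit icmp any4 object WEB_SERVER echo inactive
! Anything not matched above is dropped by the implicit deny.

! Insert an anti-spoofing ACE at the top (line 1) so it is evaluated before the
! permits: packets arriving on outside must not claim an inside source address.
access-list OUTSIDE_IN line 1 extended deny ip 192.0.2.0 255.255.255.0 any log

! Apply the ACL to inbound traffic on the outside interface.
access-group OUTSIDE_IN in interface outside
```

After applying, check the result with show access-list OUTSIDE_IN: the output lists every ACE with its line number, the expanded entries for each object group, and a hit count per line, which confirms that the inserted deny sits at line 1 and that the time-range and inactive ACEs are shown as such rather than silently matching.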
Cisco ASA Series CLI Configuration Guide
Configuring Extended ACLs
1-5