Cisco ASA Series Cli Configuration Manual page 565

Software version 9.0 for the services module

Chapter 1 Configuring Extended ACLs
Adding an Extended Access Control List

Adding an ACE for ICMP-Based Policy, with ICMP Type

This section lets you control traffic based on IP addresses or fully qualified domain names (FQDNs) along with the ICMP type. An ACL is made up of one or more access control entries (ACEs) with the same ACL ID. To create an ACL you start by creating an ACE and applying a list name. An ACL with one entry is still considered a list, although you can add multiple entries to the list.

Prerequisites

(Optional) Create network objects or object groups according to the "Configuring Network Objects and Groups" section on page 1-2. Objects can contain an IP address (host, subnet, or range) or an FQDN. Object groups contain multiple objects or inline entries.

(Optional) Create ICMP groups according to the "Configuring an ICMP Group" section on page 1-10.

Guidelines

To delete an ACE, enter the no access-list command with the entire command syntax string as it appears in the configuration. To remove the entire ACL, use the clear configure access-list command.

Detailed Steps

Command:
access-list access_list_name [line line_number] extended {deny | permit} icmp source_address_argument dest_address_argument [icmp_argument] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]

Example:
hostname(config)# access-list abc extended permit icmp any any object-group obj_icmp_1

Purpose:
Adds an ACE for IP address or FQDN policy, as well as optional TCP or UDP ports. For common keywords and arguments, see the "Adding an ACE for IP Address or Fully Qualified Domain Name-Based Policy" section on page 1-4. Keywords and arguments specific to this type of ACE include the following:

icmp_argument specifies the ICMP type and code.
- icmp_type [icmp_code]—Specifies the ICMP type by name or number, and the optional ICMP code for that type. If you do not specify the code, then all codes are used.
- object-group icmp_grp_id—Specifies an ICMP object group created using the object-group icmp command.

Adding an ACE for User-Based Policy (Identity Firewall)

If you configure the identity firewall feature, you can control traffic based on user identity.

Prerequisites

See Chapter 1, "Configuring the Identity Firewall," to enable IDFW.

Cisco ASA Series CLI Configuration Guide
1-7
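As an added audit example (not part of the Cisco guide), the following Python parses ACEs written in the ICMP syntax from the Detailed Steps above and flags active permit entries that carry neither an icmp_type nor an ICMP object-group, which is the form that matches every ICMP type. The sample configuration lines are constructed, and the address forms recognized (any, host, object, object-group, address with mask) are an assumption of this example rather than the full ASA address grammar.

```python
import re
# ACE syntax from the page: access-list NAME [line N] extended {deny|permit} icmp SRC DST [icmp_type [icmp_code] | object-group GRP] [log ...] [inactive | time-range NAME]
ICMP_ACE = re.compile(r"^access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?extended\s+"
                      r"(?P<action>permit|deny)\s+icmp\s+(?P<rest>.+)$")

def _take_address(tokens):
    """Consume one source/destination argument and return (text, remaining tokens).
    Handles any/any4/any6, 'host A', 'object NAME', 'object-group NAME', 'A MASK' (assumption)."""
    if not tokens:
        return "", tokens
    if tokens[0] in ("any", "any4", "any6"):
        return tokens[0], tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]  # keyword+name or address+mask

def parse_icmp_ace(line):
    """Return a dict describing an ICMP ACE, or None if the line is not one."""
    m = ICMP_ACE.match(line.strip())
    if not m:
        return None
    tokens = m.group("rest").split()
    src, tokens = _take_address(tokens)
    dst, tokens = _take_address(tokens)
    ace = {"acl": m.group("name"), "action": m.group("action"), "src": src, "dst": dst,
           "icmp_type": None, "icmp_code": None, "icmp_group": None, "inactive": "inactive" in tokens}
    if len(tokens) >= 2 and tokens[0] == "object-group":
        ace["icmp_group"] = tokens[1]  # group built with 'object-group icmp'
    elif tokens and tokens[0] not in ("log", "inactive", "time-range"):
        ace["icmp_type"] = tokens[0]  # ICMP type by name or number
        if len(tokens) > 1 and tokens[1].isdigit():
            ace["icmp_code"] = int(tokens[1])  # optional code; absent means all codes
    return ace

def audit_icmp_aces(config_text):
    """Flag active permit ACEs with neither an ICMP type nor an ICMP group: they match all ICMP types."""
    findings = []
    for line in config_text.splitlines():
        ace = parse_icmp_ace(line)
        if (ace and ace["action"] == "permit" and not ace["inactive"]
                and ace["icmp_type"] is None and ace["icmp_group"] is None):
            findings.append(f"{ace['acl']}: permit icmp {ace['src']} -> {ace['dst']} matches all ICMP types")
    return findings

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
access-list abc extended permit icmp any any object-group obj_icmp_1
access-list outside_in extended permit icmp any any
access-list outside_in extended permit icmp any host 192.0.2.10 unreachable 4 log
access-list outside_in line 5 extended deny icmp any any
access-list dmz_in extended permit icmp 10.0.0.0 255.0.0.0 any inactive
"""
```

Running audit_icmp_aces(SAMPLE_CONFIG) reports only the outside_in entry, since the group-based, type-specific, deny and inactive entries are left alone.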