Cisco ASA Series CLI Configuration Guide, page 568
Software Version 9.0 for the services module
Monitoring Extended ACLs
To monitor extended ACLs, enter one of the following commands:
Command                              Purpose
show access-list                     Displays the ACEs by number, with the hit count for each ACE.
show running-config access-list      Displays the current running access-list configuration.
Configuration Examples for Extended ACLs
This section includes the following topics:
Configuration Examples for Extended ACLs (No Objects), page 1-10
Configuration Examples for Extended ACLs (Using Objects), page 1-11
Configuration Examples for Extended ACLs (No Objects)
The following ACL allows all hosts (on the interface to which you apply the ACL) to go through the
ASA:
hostname(config)# access-list ACL_IN extended permit ip any any
The following sample ACL prevents hosts on 192.168.1.0/24 from opening TCP connections to the 209.165.201.0/27
network. Note that the deny ACE matches TCP only; UDP and ICMP traffic from those hosts, and traffic from all
other addresses, is permitted by the second ACE.
hostname(config)# access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
hostname(config)# access-list ACL_IN extended permit ip any any
If you want to restrict access to selected hosts only, enter only the permit ACEs you need and omit the
permit ip any any ACE. Traffic that matches no ACE is dropped by the implicit deny at the end of every ACL.
hostname(config)# access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
The following ACL prevents all hosts (on the interface to which you apply the ACL) from reaching the web
server at 209.165.201.29 on TCP port 80 (www). All other traffic is allowed, including traffic to the same host
on other ports, such as HTTPS.
hostname(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www
hostname(config)# access-list ACL_IN extended permit ip any any
Configuration Examples for Extended ACLs (Using Objects)
The following ACL uses network object groups to prevent several hosts on the inside network (group denied)
from accessing several web servers (group web) on TCP port 80. All other traffic is allowed. The access-group
command then applies the ACL to inbound traffic on the inside interface.
hostname(config-network)# access-list ACL_IN extended deny tcp object-group denied object-group web eq www
hostname(config)# access-list ACL_IN extended permit ip any any
hostname(config)# access-group ACL_IN in interface inside
The following example temporarily disables an ACE that permits traffic from one group of network
objects (A) to another group of network objects (B). The inactive keyword keeps the ACE in the configuration
but excludes it from matching; to re-enable it, enter the same ACE again without the inactive keyword:
hostname(config)# access-list 104 extended permit ip object-group A object-group B inactive
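The examples above (both the no-objects ACLs and the object-group and inactive ACEs) all rely on the same evaluation rules: ACEs are tried top-down, the first match decides, and anything that matches no ACE is dropped by the implicit deny. The following evaluator is an added example, not code from the Cisco guide or the ASA itself. It parses only the ACE syntax subset used on this page (any, host, address plus subnet mask, object-group, eq with a port name or number, inactive) and runs constructed sample packets through the page's ACLs. The object-group membership, the port-name table and the sample packets are assumptions made for illustration; the ASA resolves object groups from its own configuration.

```python
"""First-match evaluation of ASA extended ACEs (added example, not Cisco code).

Parses the subset of `access-list NAME [extended] {permit|deny} PROTO SRC DST
[eq PORT] [inactive]` syntax used on this page and evaluates packets the way
the ASA does: top-down, first match wins, implicit deny if nothing matches.
"""
import ipaddress
import re

# Constructed object-group membership (hypothetical; the page never lists it).
OBJECT_GROUPS = {
    "denied": ["192.168.1.10", "192.168.1.11"],
    "web": ["209.165.201.29", "209.165.201.30"],
    "A": ["10.1.1.1"],
    "B": ["10.2.2.2"],
}

# Small subset of the port names the ASA CLI accepts after `eq` (assumption).
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "domain": 53}

ACE_RE = re.compile(
    r"access-list\s+(?P<acl>\S+)\s+(?:extended\s+)?"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.+)$"
)


def _take_endpoint(tokens):
    """Consume one source or destination spec; return the networks it covers."""
    tok = tokens.pop(0)
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if tok == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")]
    if tok == "object-group":
        return [ipaddress.ip_network(h + "/32") for h in OBJECT_GROUPS[tokens.pop(0)]]
    mask = tokens.pop(0)  # ASA ACEs take a subnet mask, not a wildcard mask
    return [ipaddress.ip_network(f"{tok}/{mask}", strict=False)]


def parse_ace(line):
    """Parse one ACE into a dict; ValueError on syntax outside the supported subset."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an extended ACE: {line!r}")
    tokens = m["rest"].split()
    src = _take_endpoint(tokens)
    dst = _take_endpoint(tokens)
    dport, inactive = None, False
    while tokens:
        tok = tokens.pop(0)
        if tok == "eq":
            p = tokens.pop(0)
            dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        elif tok == "inactive":
            inactive = True
        else:
            raise ValueError(f"unsupported keyword {tok!r} in {line!r}")
    return {"acl": m["acl"], "action": m["action"], "proto": m["proto"],
            "src": src, "dst": dst, "dport": dport, "inactive": inactive}


def _covers(nets, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return (action, matched_ace) for a packet; implicit deny if nothing matches."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["inactive"]:
            continue  # a disabled ACE is skipped entirely
        if ace["proto"] not in ("ip", proto):  # `ip` matches every protocol
            continue
        if not (_covers(ace["src"], src) and _covers(ace["dst"], dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], line.strip()
    return "deny", "<implicit deny at end of ACL>"


# The ACLs from the examples on this page.
ACL_DENY_TCP = [
    "access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224",
    "access-list ACL_IN extended permit ip any any",
]
ACL_PERMIT_ONLY = [
    "access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224",
]
ACL_NO_WEB = [
    "access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www",
    "access-list ACL_IN extended permit ip any any",
]
ACL_OBJECT_GROUPS = [
    "access-list ACL_IN extended deny tcp object-group denied object-group web eq www",
    "access-list ACL_IN extended permit ip any any",
]
ACL_INACTIVE = ["access-list 104 extended permit ip object-group A object-group B inactive"]

if __name__ == "__main__":
    # The deny-tcp ACE does not cover UDP: a DNS query from the "blocked" subnet is permitted.
    print(evaluate(ACL_DENY_TCP, "tcp", "192.168.1.5", "209.165.201.20", 443))
    print(evaluate(ACL_DENY_TCP, "udp", "192.168.1.5", "209.165.201.20", 53))
    # Without `permit ip any any`, everything else hits the implicit deny.
    print(evaluate(ACL_PERMIT_ONLY, "tcp", "10.0.0.1", "209.165.201.20", 80))
    print(evaluate(ACL_NO_WEB, "tcp", "10.0.0.1", "209.165.201.29", 443))
    print(evaluate(ACL_OBJECT_GROUPS, "tcp", "192.168.1.10", "209.165.201.30", 80))
    print(evaluate(ACL_INACTIVE, "tcp", "10.1.1.1", "10.2.2.2", 22))
```

Running the script shows the two points that the prose alone does not make obvious: the deny tcp ACE leaves UDP and ICMP from 192.168.1.0/24 to 209.165.201.0/27 permitted by the permit ip any any that follows it, and an ACL consisting only of a limited permit ACE drops everything else through the implicit deny, so there is nothing to "fall through" to. On a real ASA, confirm which ACE a flow hits with show access-list (hit counts) or packet-tracer rather than by reading the configuration.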