
Cisco ASA 5506-X Configuration Manual page 43

Chapter 3
Access Rules
Guidelines for Access Control

IPv6 Guidelines
Supports IPv6. The source and destination addresses can include any mix of IPv4 and IPv6 addresses.

Per-User ACL Guidelines
The per-user ACL uses the value in the timeout uauth command, but it can be overridden by the AAA per-user session timeout value.
If traffic is denied because of a per-user ACL, syslog message 109025 is logged. If traffic is permitted, no syslog message is generated. The log option in the per-user ACL has no effect.

Additional Guidelines and Limitations
You can reduce the memory required to search access rules by enabling object group search, but this is at the expense of rule lookup performance. When enabled, object group search does not expand network objects, but instead searches access rules for matches based on those group definitions. You can set this option using the object-group-search access-control command.
You can improve system performance and reliability by using the transactional commit model for access groups. See the basic settings chapter in the general operations configuration guide for more information. Use the asp rule-engine transactional-commit access-group command.
In ASDM, rule descriptions are based on the access list remarks that come before the rule in the ACL; for new rules you create in ASDM, any descriptions are also configured as remarks before the related rule. However, the packet tracer in ASDM matches the remark that is configured after the matching rule in the CLI.
Normally, you cannot reference an object or object group that does not exist in an ACL or object group, or delete one that is currently referenced. You also cannot reference an ACL that does not exist in an access-group command (to apply access rules). However, you can change this default behavior so that you can "forward reference" objects or ACLs before you create them. Until you create the objects or ACLs, any rules or access groups that reference them are ignored. To enable forward referencing, use the forward-reference enable command.

Configure Access Control
The following topics explain how to configure access control.
Configure an Access Group, page 3-7
Configure ICMP Access Rules, page 3-8

Configure an Access Group
Before you can create an access group, create the ACL. See the general operations configuration guide for more information.
To bind an ACL to an interface or to apply it globally, use the following command:
access-group access_list {{in | out} interface interface_name [per-user-override | control-plane] | global}
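As an added example that is not from the Cisco guide, the following Python script reads an ASA running-config and reports the references that the access-group binding and the forward-referencing guideline above describe as silently ignored: an ACE that names an object or object-group which has not been defined, and an access-group command that names an ACL which does not exist. The embedded config is a constructed sample, the names in it (WEB1, WEB_SERVERS, OUTSIDE_IN, MGMT_IN and so on) are invented, and the only behaviour the script relies on is what the page states, that with forward-reference enable such references are accepted but not enforced.

```python
"""Static check of an ASA running-config for references the ASA would ignore.

Added example, not code from the Cisco guide. It assumes the text was exported
with `show running-config` and looks only at the command families this chapter
mentions: object/object-group definitions, access-list entries, access-group
bindings and the three global settings named on the page.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample config (not captured from a real device).
SAMPLE_CONFIG = """\
forward-reference enable
object network WEB1
 host 203.0.113.10
object-group network WEB_SERVERS
 network-object object WEB1
object-group-search access-control
asp rule-engine transactional-commit access-group
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS eq 443
access-list OUTSIDE_IN extended permit tcp any object-group APP_SERVERS eq 8443
access-list OUTSIDE_IN extended deny ip any any log
access-list GLOBAL_ACL extended deny ip any any
access-group OUTSIDE_IN in interface outside
access-group MGMT_IN in interface management control-plane
access-group GLOBAL_ACL global
"""

_ACL_RE = re.compile(r"^access-list\s+(\S+)\s")
_AG_RE = re.compile(r"^access-group\s+(\S+)\s+(.+)$")
# `object NAME` / `object-group NAME` tokens inside an ACE.
_REF_RE = re.compile(r"\b(object-group|object)\s+(\S+)")

GLOBAL_FLAGS = (
    "forward-reference enable",
    "object-group-search access-control",
    "asp rule-engine transactional-commit access-group",
)


def parse_config(text: str) -> Dict[str, object]:
    """Collect defined names, ACEs per ACL, access-group bindings and global flags."""
    objects: Set[str] = set()
    groups: Set[str] = set()
    acls: Dict[str, List[str]] = {}
    bindings: List[Tuple[str, str]] = []
    flags: Set[str] = set()
    for raw in text.splitlines():
        line = raw.rstrip()
        # Indented lines are sub-commands of the preceding object; comments start with '!'.
        if not line or line[0] in " !":
            continue
        words = line.split()
        if words[0] == "object" and len(words) >= 3:
            objects.add(words[2])        # object network|service NAME
        elif words[0] == "object-group" and len(words) >= 3:
            groups.add(words[2])         # object-group network|service|... NAME
        elif line in GLOBAL_FLAGS:
            flags.add(line)
        else:
            m = _ACL_RE.match(line)
            if m:
                acls.setdefault(m.group(1), []).append(line)
                continue
            m = _AG_RE.match(line)
            if m:
                bindings.append((m.group(1), m.group(2)))
    return {"objects": objects, "groups": groups, "acls": acls,
            "bindings": bindings, "flags": flags}


def find_dangling_refs(cfg: Dict[str, object]) -> List[str]:
    """Report ACEs and access-groups that point at names the config never defines."""
    problems: List[str] = []
    for acl_name, entries in cfg["acls"].items():
        for ace in entries:
            for kind, name in _REF_RE.findall(ace):
                defined = cfg["objects"] if kind == "object" else cfg["groups"]
                if name not in defined:
                    problems.append(
                        f"ACL {acl_name}: {kind} {name} is not defined; ACE is ignored")
    for acl_name, where in cfg["bindings"]:
        if acl_name not in cfg["acls"]:
            problems.append(
                f"access-group {acl_name} ({where}): ACL is not defined; binding is ignored")
    return problems


def effective_bindings(cfg: Dict[str, object]) -> List[Tuple[str, str]]:
    """Access-group bindings whose ACL exists, i.e. the ones the ASA actually enforces."""
    return [(acl, where) for acl, where in cfg["bindings"] if acl in cfg["acls"]]


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    print("global settings:", sorted(parsed["flags"]))
    for problem in find_dangling_refs(parsed):
        print("WARN", problem)
    for acl, where in effective_bindings(parsed):
        print("OK   access-group", acl, where)
```

Run it over a saved show running-config before pushing a change; when forward-reference enable is present, an empty problem list is the confirmation that every access-group binding and every ACE is actually in force rather than silently skipped.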
Cisco ASA Series Firewall CLI Configuration Guide
3-7
