Cisco ASA 5506-X Configuration Manual page 44

Cisco ASA Series Firewall CLI Configuration Guide, Chapter 3 Access Rules, page 3-8

Configure Access Control
Example:
hostname(config)# access-group outside_access in interface outside
For an interface-specific access group:
• Specify the extended or EtherType ACL name. You can configure one access-group command per ACL type per interface per direction, and one control plane ACL. The control plane ACL must be an extended ACL.
• The in keyword applies the ACL to inbound traffic. The out keyword applies the ACL to outbound traffic.
• Specify the interface name.
• The per-user-override keyword (for inbound ACLs only) allows dynamic user ACLs that are downloaded for user authorization to override the ACL assigned to the interface. For example, if the interface ACL denies all traffic from 10.0.0.0, but the dynamic ACL permits all traffic from 10.0.0.0, then the dynamic ACL overrides the interface ACL for that user.
• By default, VPN remote access traffic is not matched against interface ACLs. However, if you use the no sysopt connection permit-vpn command to turn off this bypass, the behavior depends on whether there is a vpn-filter applied in the group policy and whether you set the per-user-override option:
  – No per-user-override, no vpn-filter: traffic is matched against the interface ACL.
  – No per-user-override, vpn-filter: traffic is matched first against the interface ACL, then against the VPN filter.
  – per-user-override, vpn-filter: traffic is matched against the VPN filter only.
• The control-plane keyword specifies that the rule is for to-the-box traffic.
For a global access group, specify the global keyword to apply the extended ACL to the inbound direction of all interfaces.
Examples
The following example shows how to use the access-group command:
hostname(config)# access-list outside_access permit tcp any host 209.165.201.3 eq 80
hostname(config)# access-group outside_access in interface outside
The access-list command lets any host reach host 209.165.201.3 on TCP port 80. The access-group command binds that ACL to traffic entering the outside interface; the in or out direction keyword is required whenever you bind an ACL to an interface.
Configure ICMP Access Rules
By default, you can send ICMP packets to any ASA interface using either IPv4 or IPv6, with these exceptions:
• The ASA does not respond to ICMP echo requests directed to a broadcast address.
• The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface.
To protect the device from attacks, you can use ICMP rules to limit ICMP access to ASA interfaces to particular hosts, networks, or ICMP types. ICMP rules function like access rules, where the rules are ordered, and the first rule that matches a packet defines the action.
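The following configuration is an added example that ties the access-group options and the ICMP rules above together; it is not taken from the Cisco guide. The interface name outside, the ACL and group-policy names (OUTSIDE_IN, GLOBAL_ACCESS, CP_IN, VPN_FILTER, GP_REMOTE) and all addresses other than 209.165.201.3 are assumptions chosen for illustration.

```cisco
! Added example, not from the Cisco guide. Names and addresses other than
! 209.165.201.3 are assumptions chosen for illustration.

! 1. Interface-specific access group: only HTTP to the web server is
!    allowed in from the Internet. The explicit deny is logged; an
!    unlisted packet would be dropped by the implicit deny anyway.
access-list OUTSIDE_IN extended permit tcp any host 209.165.201.3 eq www
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! 2. Global access group: applied to the inbound direction of every
!    interface, evaluated after the interface-specific inbound ACL.
access-list GLOBAL_ACCESS extended deny tcp any any eq telnet log
access-group GLOBAL_ACCESS global

! 3. Control-plane ACL for to-the-box traffic (must be an extended ACL).
!    Only the management host may open SSH to the outside interface
!    address; SSH from anywhere else is logged and dropped.
access-list CP_IN extended permit tcp host 203.0.113.10 host 209.165.201.1 eq ssh
access-list CP_IN extended deny tcp any host 209.165.201.1 eq ssh log
! Keep other to-the-box traffic (IKE, SSL VPN) working: without this
! final permit, the implicit deny at the end of CP_IN blocks it.
access-list CP_IN extended permit ip any any
access-group CP_IN in interface outside control-plane

! 4. Remote-access VPN: stop bypassing interface ACLs, attach a VPN
!    filter to the group policy, and rebind the inbound ACL with
!    per-user-override. With that combination decrypted VPN traffic is
!    matched against VPN_FILTER only (third row of the table above).
no sysopt connection permit-vpn
access-list VPN_FILTER extended permit tcp any 10.1.0.0 255.255.0.0 eq 3389
group-policy GP_REMOTE internal
group-policy GP_REMOTE attributes
 vpn-filter value VPN_FILTER
! Only one access-group per interface per direction: this replaces the
! binding from step 1.
access-group OUTSIDE_IN in interface outside per-user-override

! 5. ICMP rules for ICMP sent to the outside interface itself. Only the
!    monitoring host may send echo; every other ICMP type or source is
!    dropped. Rules are matched in order, first match wins, and once any
!    rule exists an implicit deny applies at the end of the list.
icmp permit host 203.0.113.10 echo outside
icmp deny any outside
ipv6 icmp deny any outside
```

After applying the configuration, check the bindings with show running-config access-group and show running-config icmp, and watch hit counts with show access-list to confirm that the rule you expect is the one matching. The ICMP rules in step 5 govern only ICMP addressed to the ASA interface; ICMP passing through the box is still controlled by the interface and global ACLs in steps 1 and 2.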