Cisco ASA Series Firewall CLI Configuration Guide, Chapter 3: Access Control Lists, Configure ACLs (page 3-9)
– level—A severity level between 0 and 7. The default is 6 (informational). If you change this level for an active ACE, the new level applies to new connections; existing connections continue to be logged at the previous level.
– interval secs—The time interval in seconds between syslog messages, from 1 to 600. The default is 300. This value is also used as the timeout value for deleting an inactive flow from the cache used to collect drop statistics.
– disable—Disables all ACE logging.
– default—Enables logging to message 106023 for denied packets. This setting is the same as not including the log option.
• Time Range—The time-range time_range_name option specifies a time range object, which determines the times of day and days of the week in which the ACE is active. If you do not include a time range, the ACE is always active.
• Activation—Use the inactive option to disable the ACE without deleting it. To reenable it, enter the entire ACE without the inactive keyword.
Add an Extended ACE for TCP or UDP-Based Matching, with Ports
The TCP/UDP extended ACE is just the basic address-matching ACE where the protocol is tcp or udp. Because these protocols use ports, you can add port specifications to the ACE. For example, you can target HTTP traffic on TCP port 80.
To add an ACE for IP address or FQDN matching, where the protocol is TCP or UDP, use the following command:
access-list access_list_name [line line_number] extended {deny | permit} {tcp | udp} source_address_argument [port_argument] dest_address_argument [port_argument] [log [[level] [interval secs] | disable | default]] [time-range time_range_name] [inactive]
Example:
hostname(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www
The port_argument option specifies the source or destination port. If you do not specify ports, all ports are matched. Available arguments include:
• operator port—The operator can be one of the following:
– lt—less than
– gt—greater than
– eq—equal to
– neq—not equal to
– range—an inclusive range of values. When you use this operator, specify two port numbers, for example: range 100 200
The port can be the integer or name of a TCP or UDP port. DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for UDP. requires one definition for port 49 on TCP.
• object service_obj_id—Specifies a service object created using the object service command. See Configure Service Objects and Service Groups, page 2-4.
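The option grammar above (port operators, the log level and interval limits, time-range and inactive), applied to configuration text as an added Python helper for auditing exported ACLs; this is not Cisco code. It assumes address arguments are any/any4/any6 or a two-token form (host X, object X, object-group X, or addr mask) and does not handle the object service_obj_id port form.

```python
OPERATORS = {"lt": 1, "gt": 1, "eq": 1, "neq": 1, "range": 2}  # operator -> number of ports it takes
LOG_DEFAULTS = {"level": 6, "interval": 300}                    # documented defaults for the log option

def _address(t, i):
    """Consume one address argument: any/any4/any6, or a two-token form (host X, object X, addr mask)."""
    if t[i] in ("any", "any4", "any6"):
        return t[i], i + 1
    return " ".join(t[i:i + 2]), i + 2

def _port(t, i):
    """Consume an optional operator-based port_argument such as 'eq www' or 'range 100 200'."""
    n = OPERATORS.get(t[i], -1) + 1 if i < len(t) else 0   # 0 when no operator is present
    return (t[i:i + n], i + n) if n else (None, i)

def parse_ace(line):
    """Return (fields, problems) for an 'access-list NAME [line N] extended {deny|permit} {tcp|udp} ...' line."""
    t, problems = line.split(), []
    i = t.index("extended") + 1
    ace = {"name": t[1], "action": t[i], "protocol": t[i + 1],
           "log": None, "time_range": None, "inactive": False}
    ace["src"], i = _address(t, i + 2)
    ace["src_port"], i = _port(t, i)
    ace["dst"], i = _address(t, i)
    ace["dst_port"], i = _port(t, i)
    while i < len(t):                                   # trailing options, any order
        if t[i] == "log":
            log, i = dict(LOG_DEFAULTS), i + 1
            if i < len(t) and t[i] in ("disable", "default"):
                log, i = t[i], i + 1                    # 'log disable' / 'log default' take no level
            elif i < len(t) and t[i].isdigit():
                log["level"], i = int(t[i]), i + 1      # explicit severity level
            if isinstance(log, dict) and i + 1 < len(t) and t[i] == "interval":
                log["interval"], i = int(t[i + 1]), i + 2
            if isinstance(log, dict) and not 0 <= log["level"] <= 7:
                problems.append(f"log level {log['level']} outside 0-7")
            if isinstance(log, dict) and not 1 <= log["interval"] <= 600:
                problems.append(f"log interval {log['interval']} outside 1-600")
            ace["log"] = log
        elif t[i] == "time-range" and i + 1 < len(t):
            ace["time_range"], i = t[i + 1], i + 2
        elif t[i] == "inactive":
            ace["inactive"], i = True, i + 1
        else:
            problems.append(f"unexpected token {t[i]!r}"); i += 1
    return ace, problems

# Constructed sample modelled on the guide's example ACE with logging options added; not from a device.
SAMPLE = "access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www log 4 interval 60"
```

Feeding every `access-list ... extended` line of a saved configuration through parse_ace surfaces ACEs that are inactive, log-disabled, or carry out-of-range logging values before they are pushed to a device.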