3-12
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 3 Access Control Lists
Configure ACLs
•
security-group
{
name
security_grp_id
|
tag
security_grp_tag
}—Specifies a security group name
or tag.
For an explanation of the other keywords, see
Add an Extended ACE for IP Address or Fully-Qualified
Domain Name-Based Matching, page 3-7
.
Tip
You can include both user and Cisco Trustsec security groups in a given ACE. See
for User-Based Matching (Identity Firewall), page 3-10
.
Examples for Extended ACLs
The following ACL allows all hosts (on the interface to which you apply the ACL) to go through the
ASA:
hostname(config)# access-list ACL_IN extended permit ip any any
The following ACL prevents hosts on 192.168.1.0/24 from accessing the 209.165.201.0/27 network for
TCP-based traffic. All other addresses are permitted.
hostname(config)# access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0
209.165.201.0 255.255.255.224
hostname(config)# access-list ACL_IN extended permit ip any any
If you want to restrict access to selected hosts only, then enter a limited permit ACE. By default, all other
traffic is denied unless explicitly permitted.
hostname(config)# access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0
209.165.201.0 255.255.255.224
The following ACL restricts all hosts (on the interface to which you apply the ACL) from accessing a
website at address 209.165.201.29. All other traffic is allowed.
hostname(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www
hostname(config)# access-list ACL_IN extended permit ip any any
The following ACL that uses object groups restricts several hosts on the inside network from accessing
several web servers. All other traffic is allowed.
hostname(config-network)# access-list ACL_IN extended deny tcp object-group denied
object-group web eq www
hostname(config)# access-list ACL_IN extended permit ip any any
hostname(config)# access-group ACL_IN in interface inside
The following example temporarily disables an ACL that permits traffic from one group of network
objects (A) to another group of network objects (B):
hostname(config)# access-list 104 permit ip host object-group A object-group B inactive
To implement a time-based ACE, use the
time-range
command to define specific times of the day and
week. Then use the
access-list extended
command to bind the time range to an ACE. The following
example binds an ACE in the “Sales” ACL to a time range named “New_York_Minute.”
hostname(config)# access-list Sales line 1 extended deny tcp host 209.165.200.225 host
209.165.201.1 time-range New_York_Minute
The following example shows a mixed IPv4/IPv6 ACL:
hostname(config)# access-list demoacl extended permit ip 2001:DB8:1::/64 10.2.2.0
255.255.255.0
hostname(config)# access-list demoacl extended permit ip 2001:DB8:1::/64 2001:DB8:2::/64
hostname(config)# access-list demoacl extended permit ip host 10.3.3.3 host 10.4.4.4
Summary of Contents for ASA 5508-X
Page 11: ...P A R T 1 Access Control ...
Page 12: ......
Page 157: ...P A R T 2 Network Address Translation ...
Page 158: ......
Page 233: ...P A R T 3 Service Policies and Application Inspection ...
Page 234: ......
Page 379: ...P A R T 4 Connection Management and Threat Detection ...
Page 380: ......