Cisco ASA Series Firewall CLI Configuration Guide
Chapter 4 Access Rules (page 4-7)
Guidelines for Access Control
IPv6 Guidelines
Supports IPv6. The source and destination addresses can include any mix of IPv4 and IPv6 addresses.
Per-User ACL Guidelines
• The per-user ACL uses the value in the timeout uauth command, but it can be overridden by the AAA per-user session timeout value.
• If traffic is denied because of a per-user ACL, syslog message 109025 is logged. If traffic is permitted, no syslog message is generated. The log option in the per-user ACL has no effect.
Additional Guidelines and Limitations
• You can reduce the memory required to search access rules by enabling object group search, but this is at the expense of rule lookup performance. When enabled, object group search does not expand network objects, but instead searches access rules for matches based on those group definitions. You can set this option using the object-group-search access-control command.
• You can improve system performance and reliability by using the transactional commit model for access groups. See the basic settings chapter in the general operations configuration guide for more information. Use the asp rule-engine transactional-commit access-group command.
• In ASDM, rule descriptions are based on the access list remarks that come before the rule in the ACL; for new rules you create in ASDM, any descriptions are also configured as remarks before the related rule. However, the packet tracer in ASDM matches the remark that is configured after the matching rule in the CLI.
• Normally, you cannot reference an object or object group that does not exist in an ACL or object group, or delete one that is currently referenced. You also cannot reference an ACL that does not exist in an access-group command (to apply access rules). However, you can change this default behavior so that you can “forward reference” objects or ACLs before you create them. Until you create the objects or ACLs, any rules or access groups that reference them are ignored, so a forward-referenced rule provides no filtering until its target exists. To enable forward referencing, use the forward-reference enable command.
Configure Access Control
The following topics explain how to configure access control.
• Configure an Access Group, page 4-7
• Configure ICMP Access Rules, page 4-8
Configure an Access Group
Before you can create an access group, create the ACL. See the general operations configuration guide for more information.
To bind an ACL to an interface or to apply it globally, use the following command:
access-group access_list {{in | out} interface interface_name [per-user-override | control-plane] | global}
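The following configuration is an added example and is not taken from the Cisco guide. It exercises every form of the access-group command shown above (interface binding, control-plane, per-user-override and global) together with the ACL, object, timeout and rule-engine commands from the guidelines sections. The interface names (outside, inside), ACL and object names, and the addresses 10.1.1.10, 10.0.0.0/8 and 203.0.113.5 are assumed for illustration; lines beginning with ! are comments.

```cisco
! Added example, not from the Cisco ASA configuration guide.
! Interface names, ACL/object names and IP addresses are hypothetical.

! Objects referenced by the rules. Without forward-reference enable these
! must exist before an ACL line can name them.
object network dmz-web
 host 10.1.1.10
object-group network DMZ_WEB_SERVERS
 network-object object dmz-web

! Through-traffic rules for the outside interface. The remark is placed
! BEFORE the rule it describes, which is what ASDM shows as the description.
access-list OUTSIDE_IN remark Allow public HTTPS to the DMZ web servers
access-list OUTSIDE_IN extended permit tcp any object-group DMZ_WEB_SERVERS eq https

! To-the-box (management plane) rules, kept separate from through traffic:
! only one management host may open SSH to the outside interface address.
access-list OUTSIDE_CP remark Management SSH from the jump host only
access-list OUTSIDE_CP extended permit tcp host 203.0.113.5 interface outside eq ssh
access-list OUTSIDE_CP extended deny ip any any log

! Inside interface rules; a downloaded per-user ACL may override these
! for authenticated users (see per-user-override below).
access-list INSIDE_IN extended permit ip 10.0.0.0 255.0.0.0 any

! Global rules are evaluated after the interface ACL on every interface and
! carry the final deny for traffic no interface ACL matched.
access-list GLOBAL_DENY remark Catch-all: log and drop anything not permitted above
access-list GLOBAL_DENY extended deny ip any any log

! Bind the ACLs: one inbound interface ACL, one control-plane ACL on the
! same interface, one interface ACL that per-user ACLs may override, and
! one global ACL.
access-group OUTSIDE_IN in interface outside
access-group OUTSIDE_CP in interface outside control-plane
access-group INSIDE_IN in interface inside per-user-override
access-group GLOBAL_DENY global

! Per-user ACL guideline: absolute authentication timeout used by per-user
! ACLs unless a AAA per-user session timeout overrides it.
timeout uauth 0:05:00 absolute

! Additional guidelines: trade lookup speed for memory, commit ACL changes
! as one transaction, and allow ACLs/objects to be referenced before they
! are created (such references are ignored until the target exists).
object-group-search access-control
asp rule-engine transactional-commit access-group
forward-reference enable
```

After applying a configuration like this, confirm that every access-group and every object-group reference resolves (for example with show access-list and show running-config access-group), because with forward-reference enable a typo in an ACL or object name is accepted silently and the affected rule or binding simply does not filter anything.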