Cisco ASA Series Firewall CLI Configuration Guide
Chapter 3 Access Control Lists
Configure ACLs
The following sections explain how to configure the various types of ACL. Read the section on ACL basics to get the big picture, then the sections on specific types of ACL for the details.
• Basic ACL Configuration and Management Options, page 3-6
• Configure Extended ACLs, page 3-7
• Configure Standard ACLs, page 3-13
• Configure Webtype ACLs, page 3-14
• Configure EtherType ACLs, page 3-17
Basic ACL Configuration and Management Options
An ACL is made up of one or more access control entries (ACEs) with the same ACL ID or name. To
create a new ACL, you simply create an ACE with a new ACL name, and it becomes the first rule in the
new ACL.
Working with an ACL, you can do the following things:
• Examine the ACL contents and determine line numbers and hit counts—Use the show access-list name command to view the contents of the ACL. Each row is an ACE, and includes the line number, which you will need to know if you want to insert new entries into an extended ACL. The information also includes a hit count for each ACE, which is how many times the rule was matched by traffic. For example:

hostname# show access-list outside_access_in
access-list outside_access_in; 3 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit ip 10.2.2.0 255.255.255.0 any (hitcnt=0) 0xcc48b55c
access-list outside_access_in line 2 extended permit ip host 2001:DB8::0DB8:800:200C:417A any (hitcnt=0) 0x79797f94
access-list outside_access_in line 3 extended permit ip user-group LOCAL\\usergroup any any (hitcnt=0) 0xb0f5b1e1
• Add an ACE—The command for adding an ACE is access-list name [line line-num] type parameters. The line number argument works for extended ACLs only. If you include the line number, the ACE is inserted at that location in the ACL, and the ACE that was at that location is moved down, along with the remainder of the ACEs (that is, inserting an ACE at a line number does not replace the old ACE at that line). If you do not include a line number, the ACE is added to the end of the ACL. The parameters available differ based on the ACL type; see the specific topics on each ACL type for details.
• Add comments to an ACL (all types except webtype)—Use the access-list name [line line-num] remark text command to add remarks into an ACL to help explain the purpose of an ACE. Best practice is to insert the remark before the ACE; if you view the configuration in ASDM, remarks will be associated with the ACE that follows the remarks. You can enter multiple remarks before an ACE to include an expanded comment. Each remark is limited to 100 characters. You can include leading spaces to help set off the remarks. If you do not include a line number, the remark is added to the end of the ACL. For example, you could add remarks before adding each ACE:

hostname(config)# access-list OUT remark - this is the inside admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
hostname(config)# access-list OUT remark - this is the hr admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any
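The hit counts and remarks described above are the raw material for a rule-hygiene audit: a permit ACE that has never matched traffic is attack surface nobody is using. As an added example (not part of the Cisco guide), the following Python parses show access-list output in the format shown above, attaches each remark to the ACE that follows it (mirroring the ASDM association the guide describes), and lists the ACEs with hitcnt=0. The sample output and its hash values are constructed; it assumes remark rows carry line numbers in the same "line N" form as ACE rows.

```python
import re
from dataclasses import dataclass, field

# One ACE row: "access-list NAME line N TYPE permit|deny MATCH (hitcnt=H) 0xHASH"
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) "
    r"(?P<type>extended|standard|webtype|ethertype) "
    r"(?P<action>permit|deny) (?P<match>.+?) \(hitcnt=(?P<hits>\d+)\)(?: \S+)?$"
)
# One remark row: "access-list NAME line N remark TEXT" (assumed format)
REMARK_RE = re.compile(r"^access-list (?P<acl>\S+) line (?P<line>\d+) remark (?P<text>.*)$")

@dataclass
class Ace:
    acl: str
    line: int
    action: str
    match: str
    hits: int
    remarks: list = field(default_factory=list)

def parse_show_access_list(text: str) -> list:
    """Parse 'show access-list' output into Ace records; the header row is skipped."""
    aces, pending_remarks = [], []
    for raw in text.splitlines():
        row = raw.strip()
        m = REMARK_RE.match(row)
        if m:
            pending_remarks.append(m["text"])   # hold until the next ACE appears
            continue
        m = ACE_RE.match(row)
        if m:
            aces.append(Ace(m["acl"], int(m["line"]), m["action"],
                            m["match"], int(m["hits"]), pending_remarks))
            pending_remarks = []
    return aces

def unused_aces(aces: list, permit_only: bool = True) -> list:
    """ACEs never matched by traffic; by default only permits, which are the risky ones."""
    return [a for a in aces if a.hits == 0 and (a.action == "permit" or not permit_only)]

# Constructed sample in the show access-list format (hash values are made up).
SAMPLE = """\
access-list outside_access_in; 3 elements; name hash: 0x6892a938
access-list outside_access_in line 1 remark - inside admin address
access-list outside_access_in line 2 extended permit ip host 209.168.200.3 any (hitcnt=42) 0x11111111
access-list outside_access_in line 3 extended permit ip 10.2.2.0 255.255.255.0 any (hitcnt=0) 0x22222222
access-list outside_access_in line 4 extended deny ip any any (hitcnt=0) 0x33333333
"""

if __name__ == "__main__":
    for a in unused_aces(parse_show_access_list(SAMPLE)):
        print(f"{a.acl} line {a.line}: unused {a.action} {a.match} (remarks: {a.remarks})")
```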