3-10
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 3 Access Control Lists
Configure ACLs
• object-group service_grp_id—Specifies a service object group created using the object-group service command.
For an explanation of the other keywords, see Add an Extended ACE for IP Address or Fully-Qualified Domain Name-Based Matching, page 3-7.
Add an Extended ACE for ICMP-Based Matching
The ICMP extended ACE is just the basic address-matching ACE where the protocol is icmp or icmp6. Because these protocols have type and code values, you can add type and code specifications to the ACE. For example, you can target ICMP Echo Request traffic (pings).
To add an ACE for IP address or FQDN matching, where the protocol is ICMP or ICMP6, use the following command:
access-list access_list_name [line line_number] extended {deny | permit} {icmp | icmp6} source_address_argument dest_address_argument [icmp_argument] [log [[level] [interval secs] | disable | default]] [time-range time_range_name] [inactive]
Example:
hostname(config)# access-list abc extended permit icmp any any object-group obj_icmp_1
hostname(config)# access-list abc extended permit icmp any any echo
The icmp_argument option specifies the ICMP type and code.
• icmp_type [icmp_code]—Specifies the ICMP type by name or number, and the optional ICMP code for that type. If you do not specify the code, then all codes are used.
• object-group icmp_grp_id—Specifies an object group for ICMP/ICMP6 created using the object-group service or (deprecated) object-group icmp command.
For an explanation of the other keywords, see Add an Extended ACE for IP Address or Fully-Qualified Domain Name-Based Matching, page 3-7.
Add an Extended ACE for User-Based Matching (Identity Firewall)
The user-based extended ACE is just the basic address-matching ACE where you include a username or user group in the source matching criteria. By creating rules based on user identity, you can avoid tying rules to static host or network addresses. For example, if you define a rule for user1, and the identity firewall feature maps that user to a host assigned 10.100.10.3 one day, but 192.168.1.5 the next day, the user-based rule still applies.
Because you must still supply source and destination addresses, broaden the source address to include
the likely addresses that will be assigned to the user (normally through DHCP). For example, user
“LOCAL\user1 any” will match the LOCAL\user1 user no matter what address is assigned, whereas
“LOCAL\user1 10.100.1.0 255.255.255.0” matches the user only if the address is on the 10.100.1.0/24
network.
By using group names, you can define rules based on entire classes of users, such as students, teachers,
managers, engineers, and so forth.
To add an ACE for user or group matching, use the following command:
access-list access_list_name [line line_number] extended {deny | permit} protocol_argument [user_argument] source_address_argument [port_argument] dest_address_argument [port_argument]