3-11
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 3 Access Control Lists
Configure ACLs
[
log
[[
level
] [
interval
secs
] |
disable
|
default
]]
[
time-range
time_range_name
]
[
inactive
]
Example:
hostname(config)#
access-list v1 extended permit ip user LOCAL\idfw
any 10.0.0.0 255.255.255.0
The
user_argument
option specifies the user or group for which to match traffic in addition to the source
address. Available arguments include the following:
•
object-group-user
user_obj_grp_id
—Specifies a user object group created using the
object-group
user
command.
•
user
{[
domain_nickname
\
]
name
|
any
|
none
}—Specifies a username. Specify
any
to match all
users with user credentials, or
none
to match addresses that are not mapped to usernames. These
options are especially useful for combining
access-group
and
aaa authentication match
policies.
•
user-group
[
domain_nickname
\\
]
user_group_name
—Specifies a user group name. Note the double
\\ separating the domain and group name.
For an explanation of the other keywords, see
Add an Extended ACE for IP Address or Fully-Qualified
Domain Name-Based Matching, page 3-7
.
Tip
You can include both user and Cisco Trustsec security groups in a given ACE. See
for Security Group-Based Matching (Cisco TrustSec), page 3-11
Add an Extended ACE for Security Group-Based Matching (Cisco TrustSec)
The security group (Cisco TrustSec) extended ACE is just the basic address-matching ACE where you
include security groups or tags to the source or destination matching criteria. By creating rules based on
security groups, you can avoid tying rules to static host or network addresses. Because you must still
supply source and destination addresses, broaden the addresses to include the likely addresses that will
be assigned to users (normally through DHCP).
Tip
Before adding this type of ACE, configure Cisco TrustSec as described in
To add an ACE for security group matching, use the following command:
access-list
access_list_name
[
line
line_number
]
extended
{
deny
|
permit
}
protocol_argument
[
security_group_argument
]
source_address_argument
[
port_argument
]
[
security_group_argument
]
dest_address_argument
[
port_argument
] [
log
[[
level
]
[
interval
secs
] |
disable
|
default
]] [
inactive
|
time-range
time_range_name
]
Example:
hostname(config)#
access-list INSIDE_IN extended permit ip
security-group name my-group any any
The
security_group_argument
option specifies the security group for which to match traffic in addition
to the source or destination address. Available arguments include the following:
•
object-group-security
security_obj_grp_id
—Specifies a security object group created using the
object-group security
command.
Содержание ASA 5508-X
Страница 11: ...P A R T 1 Access Control ...
Страница 12: ......
Страница 60: ...4 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Access Rules History for Access Rules ...
Страница 157: ...P A R T 2 Network Address Translation ...
Страница 158: ......
Страница 204: ...9 46 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Network Address Translation NAT History for NAT ...
Страница 232: ...10 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 NAT Examples and Reference DNS and NAT ...
Страница 233: ...P A R T 3 Service Policies and Application Inspection ...
Страница 234: ......
Страница 379: ...P A R T 4 Connection Management and Threat Detection ...
Страница 380: ......
Страница 400: ...16 20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Connection Settings History for Connection Settings ...
Страница 414: ...17 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Quality of Service History for QoS ...