3-18
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 3 Access Control Lists
Edit ACLs in an Isolated Configuration Session
The options are:
•
access_list_name
—The name of the new or existing ACL. If the ACL already exists, you are adding
the ACE to the end of the ACL.
•
Permit or Deny—The
deny
keyword denies a packet if the conditions are matched. The
permit
keyword permits a packet if the conditions are matched.
•
Traffic Matching Criteria—You can match traffic using the following options:
–
ipx
—Internet Packet Exchange (IPX).
–
bpdu
—bridge protocol data units, which are allowed by default.
–
mpls-multicast
—
MPLS multicast.
–
mpls-unicast
—MPLS unicast.
–
isis
—Intermediate System to Intermediate System (IS-IS).
–
any
—Matches all traffic.
–
hex_number
—Any EtherType that can be identified by a 16-bit hexadecimal number 0x600 to
0xffff. See RFC 1700, “Assigned Numbers,” at http://www.ietf.org/rfc/rfc1700.txt for a list of
EtherTypes.
Examples for EtherType ACLs
The following examples shows how to configure EtherType ACLs, including how to apply them to an
interface.
The following sample ACL allows common traffic originating on the inside interface:
hostname(config)#
access-list ETHER ethertype permit ipx
hostname(config)#
access-list ETHER ethertype permit mpls-unicast
hostname(config)#
access-group ETHER in interface inside
The following ACL allows some EtherTypes through the ASA, but it denies IPX:
hostname(config)#
access-list ETHER ethertype deny ipx
hostname(config)#
access-list ETHER ethertype permit 1234
hostname(config)#
access-list ETHER ethertype permit mpls-unicast
hostname(config)#
access-group ETHER in interface inside
hostname(config)#
access-group ETHER in interface outside
The following ACL denies traffic with EtherType 0x1256, but it allows all others on both interfaces:
hostname(config)#
access-list nonIP ethertype deny 1256
hostname(config)#
access-list nonIP ethertype permit any
hostname(config)#
access-group ETHER in interface inside
hostname(config)#
access-group ETHER in interface outside
Edit ACLs in an Isolated Configuration Session
When you edit an ACL used for access rules or any other purpose, the change is immediately
implemented and impacts traffic. With access rules, you can enable the transactional commit model to
ensure that new rules become active only after rule compilation is complete, but the compilation happens
after each ACE you edit.
Содержание ASA 5508-X
Страница 11: ...P A R T 1 Access Control ...
Страница 12: ......
Страница 60: ...4 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Access Rules History for Access Rules ...
Страница 157: ...P A R T 2 Network Address Translation ...
Страница 158: ......
Страница 204: ...9 46 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Network Address Translation NAT History for NAT ...
Страница 232: ...10 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 NAT Examples and Reference DNS and NAT ...
Страница 233: ...P A R T 3 Service Policies and Application Inspection ...
Страница 234: ......
Страница 379: ...P A R T 4 Connection Management and Threat Detection ...
Страница 380: ......
Страница 400: ...16 20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Connection Settings History for Connection Settings ...
Страница 414: ...17 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Quality of Service History for QoS ...