Cisco ASA Series Firewall CLI Configuration Guide
Chapter 4 Access Rules: Configure Access Control (page 4-8)
Example:
hostname(config)# access-group outside_access in interface outside
For an interface-specific access group:
• Specify the extended or EtherType ACL name. You can configure one access-group command per ACL type per interface per direction, and one control plane ACL. The control plane ACL must be an extended ACL.
• The in keyword applies the ACL to inbound traffic. The out keyword applies the ACL to outbound traffic.
• Specify the interface name.
• The per-user-override keyword (for inbound ACLs only) allows dynamic user ACLs that are downloaded for user authorization to override the ACL assigned to the interface. For example, if the interface ACL denies all traffic from 10.0.0.0, but the dynamic ACL permits all traffic from 10.0.0.0, then the dynamic ACL overrides the interface ACL for that user.
  By default, VPN remote access traffic is not matched against interface ACLs. However, if you use the no sysopt connection permit-vpn command to turn off this bypass, the behavior depends on whether there is a vpn-filter applied in the group policy and whether you set the per-user-override option:
  – No per-user-override, no vpn-filter: traffic is matched against the interface ACL.
  – No per-user-override, vpn-filter: traffic is matched first against the interface ACL, then against the VPN filter.
  – per-user-override, vpn-filter: traffic is matched against the VPN filter only.
• The control-plane keyword specifies that the rule is for to-the-box traffic.
For a global access group, specify the global keyword to apply the extended ACL to the inbound direction of all interfaces.
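The constraints in the list above (one access-group per ACL type per interface per direction, per-user-override only on inbound ACLs, an extended ACL for the control plane) and the three VPN-traffic cases can be checked mechanically against a configuration before it is pushed to a device. The following Python script is an added example written for this page, not Cisco code: the configuration it parses is constructed, the ACL and interface names are invented, it handles only the syntax described on this page, it reads the page's "one control plane ACL" as one per interface, and it looks only at the first vpn-filter in the configuration.

```python
"""Audit the access-group bindings in an ASA configuration fragment.

Added example, not Cisco code. It understands only the syntax this page
describes: access-list (extended / ethertype), access-group (interface,
global, control-plane, per-user-override), "no sysopt connection
permit-vpn", and vpn-filter under a group-policy. Everything else is ignored.
"""
import re
from collections import Counter

# Constructed sample configuration; the ACL names, interface names and the
# undefined_acl reference are invented for the demonstration.
SAMPLE_CONFIG = """\
access-list outside_access extended permit tcp any host 209.165.201.3 eq 80
access-list inside_access extended permit ip any any
access-list l2_acl ethertype deny ipx
access-list cp_acl extended deny ip any any
access-group outside_access in interface outside per-user-override
access-group l2_acl in interface outside
access-group cp_acl in interface outside control-plane
access-group inside_access in interface inside
access-group outside_access in interface inside
access-group inside_access out interface inside per-user-override
access-group undefined_acl in interface dmz
no sysopt connection permit-vpn
group-policy RA_POLICY attributes
 vpn-filter value ra_filter
"""


def acl_types(config):
    """Map ACL name -> 'extended' or 'ethertype' from its first access-list line.
    Standard/webtype ACLs and remarks are not modelled; they fall into 'extended'."""
    types = {}
    for m in re.finditer(r"^access-list (\S+) (\S+)", config, re.M):
        types.setdefault(m.group(1), "ethertype" if m.group(2) == "ethertype" else "extended")
    return types


def parse_access_groups(config):
    """Return one dict per access-group line, in configuration order."""
    groups = []
    for raw in config.splitlines():
        toks = raw.split()
        if not toks or toks[0] != "access-group":
            continue
        g = {"acl": toks[1], "line": raw.strip(),
             "per_user_override": "per-user-override" in toks,
             "control_plane": "control-plane" in toks}
        if toks[2] == "global":          # global ACL: inbound on every interface
            g.update(direction="in", interface="global")
        else:                            # access-group NAME {in|out} interface IFNAME ...
            g.update(direction=toks[2], interface=toks[4])
        groups.append(g)
    return groups


def audit(config):
    """Check the constraints stated for access-group; return a list of findings."""
    findings = []
    types = acl_types(config)
    slots = Counter()   # (acl type, interface, direction) -> bindings seen so far
    for g in parse_access_groups(config):
        kind = types.get(g["acl"])
        if kind is None:
            findings.append(f"{g['line']}: references undefined ACL {g['acl']}")
            continue
        if g["control_plane"]:
            # The control plane ACL must be extended; the page's "one control
            # plane ACL" is read here as one per interface.
            if kind != "extended":
                findings.append(f"{g['line']}: control-plane ACL must be an extended ACL")
            slots[("control-plane", g["interface"])] += 1
            if slots[("control-plane", g["interface"])] > 1:
                findings.append(f"{g['line']}: second control-plane ACL on {g['interface']}")
            continue
        if g["per_user_override"] and g["direction"] != "in":
            findings.append(f"{g['line']}: per-user-override is valid only for inbound ACLs")
        key = (kind, g["interface"], g["direction"])
        slots[key] += 1
        if slots[key] > 1:
            findings.append(f"{g['line']}: second {kind} ACL for {g['interface']} {g['direction']}; "
                            "only one access-group per ACL type per interface per direction")
    return findings


def vpn_acl_sequence(config, binding):
    """ACLs that remote-access VPN traffic arriving on `binding` is matched against, in order.

    Follows the three cases on this page. With the default bypass (sysopt
    connection permit-vpn) the interface ACL is skipped entirely; the
    vpn-filter, being a group-policy attribute, still applies. The
    combination per-user-override without a vpn-filter is not listed on the
    page and falls through to the interface ACL here."""
    bypass = "no sysopt connection permit-vpn" not in config
    m = re.search(r"^\s*vpn-filter value (\S+)", config, re.M)   # first group-policy only
    vpn_filter = m.group(1) if m else None
    if bypass or (binding["per_user_override"] and vpn_filter):
        return [vpn_filter] if vpn_filter else []
    return [binding["acl"]] + ([vpn_filter] if vpn_filter else [])


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
    for g in parse_access_groups(SAMPLE_CONFIG)[:1]:
        print(g["line"], "->", vpn_acl_sequence(SAMPLE_CONFIG, g))
```

Run against the constructed configuration, the audit reports the second extended ACL bound inbound on inside, the per-user-override on an outbound binding, and the reference to an ACL that was never defined; vpn_acl_sequence shows that the outside binding with per-user-override consults only ra_filter while the inside binding consults inside_access and then ra_filter.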
Examples
The following example shows how to use the access-group command:
hostname(config)# access-list outside_access permit tcp any host 209.165.201.3 eq 80
hostname(config)# access-group outside_access in interface outside
The access-list command lets any host access the host address using port 80. The access-group command specifies that the access-list command applies to traffic entering the outside interface.
Configure ICMP Access Rules
By default, you can send ICMP packets to any ASA interface using either IPv4 or IPv6, with these exceptions:
• The ASA does not respond to ICMP echo requests directed to a broadcast address.
• The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface.
To protect the device from attacks, you can use ICMP rules to limit ICMP access to ASA interfaces to particular hosts, networks, or ICMP types. ICMP rules function like access rules, where the rules are ordered, and the first rule that matches a packet defines the action.
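The access-group example above binds outside_access to traffic entering the outside interface, and the ICMP section notes that access rules and ICMP rules alike are evaluated in order, with the first matching rule deciding. The Python below is an added example, not code from the guide: it parses the page's permit line (preceded by a constructed deny for 10.0.0.0/8, the address the per-user-override example uses) and evaluates constructed sample packets top-down, ending with the implicit deny that closes every ACL. It handles only the ACE syntax used on this page.

```python
"""First-match evaluation of an ASA extended ACL.

Added example, not Cisco code. It parses the subset of ACE syntax used on
this page: access-list NAME [extended] {permit|deny} PROTO SRC DST [eq PORT],
where SRC/DST is "any", "host A.B.C.D" or "A.B.C.D NETMASK", and evaluates
packets top-down, finishing with the implicit deny.
"""
import ipaddress

# Constructed ACL: the page's permit line, preceded by a deny for 10.0.0.0/8.
SAMPLE_ACL = """\
access-list outside_access extended deny ip 10.0.0.0 255.0.0.0 any
access-list outside_access permit tcp any host 209.165.201.3 eq 80
"""


def _parse_addr(toks, i):
    """Parse one address operand starting at toks[i]; return (network, next index)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}"), i + 2   # network + netmask


def parse_acl(text):
    """Return ordered ACEs as (action, proto, src, dst, dport, original line)."""
    aces = []
    for raw in text.splitlines():
        toks = raw.split()
        if len(toks) < 6 or toks[0] != "access-list":
            continue
        i = 3 if toks[2] == "extended" else 2      # "extended" keyword is optional
        action, proto = toks[i], toks[i + 1]
        if action not in ("permit", "deny"):       # skip remarks and unknown forms
            continue
        src, i = _parse_addr(toks, i + 2)
        dst, i = _parse_addr(toks, i)
        dport = int(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
        aces.append((action, proto, src, dst, dport, raw.strip()))
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dport=None):
    """Return (action, matching line). The first ACE that matches decides;
    a packet that matches nothing hits the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, ace_proto, ace_src, ace_dst, ace_port, line in aces:
        if ace_proto != "ip" and ace_proto != proto:   # "ip" matches any protocol
            continue
        if src not in ace_src or dst not in ace_dst:
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action, line
    return "deny", "implicit deny at end of ACL"


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    # Constructed packets: a web request from the Internet, the same from
    # 10.0.0.0/8, and an HTTPS request that no ACE covers.
    for pkt in [("tcp", "198.51.100.7", "209.165.201.3", 80),
                ("tcp", "10.1.2.3", "209.165.201.3", 80),
                ("tcp", "198.51.100.7", "209.165.201.3", 443)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

The second packet shows why order matters: it would match the permit line, but the deny for 10.0.0.0/8 sits above it and wins; the third packet matches nothing and is dropped by the implicit deny, which is exactly the behaviour to remember when an ICMP rule list ends without an explicit permit.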