4-7
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 4 Access Rules
Guidelines for Access Control
IPv6 Guidelines
Supports IPv6. The source and destination addresses can include any mix of IPv4 and IPv6 addresses.
Per-User ACL Guidelines
• The per-user ACL uses the value in the timeout uauth command, but it can be overridden by the AAA per-user session timeout value.
• If traffic is denied because of a per-user ACL, syslog message 109025 is logged. If traffic is permitted, no syslog message is generated. The log option in the per-user ACL has no effect.
Additional Guidelines and Limitations
• You can reduce the memory required to search access rules by enabling object group search, but at the expense of rule lookup performance. When enabled, object group search does not expand network objects, but instead searches access rules for matches based on those group definitions. You can set this option using the object-group-search access-control command.
• You can improve system performance and reliability by using the transactional commit model for access groups. See the basic settings chapter in the general operations configuration guide for more information. Use the asp rule-engine transactional-commit access-group command.
• In ASDM, rule descriptions are based on the access list remarks that come before the rule in the ACL; for new rules you create in ASDM, any descriptions are also configured as remarks before the related rule. However, the packet tracer in ASDM matches the remark that is configured after the matching rule in the CLI.
• Normally, you cannot reference an object or object group that does not exist in an ACL or object group, or delete one that is currently referenced. You also cannot reference an ACL that does not exist in an access-group command (to apply access rules). However, you can change this default behavior so that you can "forward reference" objects or ACLs before you create them. Until you create the objects or ACLs, any rules or access groups that reference them are ignored. To enable forward referencing, use the forward-reference enable command. Note that an access-group whose ACL does not exist yet is silently ignored rather than rejected, so the interface keeps only its default security-level behavior until the ACL is created; a misspelled ACL name in an access-group command therefore produces no error, and you should confirm that every referenced ACL actually exists after enabling this option.
Configure Access Control
The following topics explain how to configure access control.
• Configure an Access Group, page 4-7
• Configure ICMP Access Rules, page 4-8
Configure an Access Group
Before you can create an access group, create the ACL. See the general operations configuration guide
for more information.
To bind an ACL to an interface or to apply it globally, use the following command:
access-group access_list {{in | out} interface interface_name [per-user-override | control-plane] | global}
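The following configuration is added here as a worked example; it is not taken from the guide. It applies the three global settings from the guidelines above (object group search, transactional commit, forward referencing), creates an ACL with remarks placed before the rules they describe, and then binds ACLs with the access-group syntax shown: once per interface and once globally. The interface names (outside, dmz), object names (web-server, web-ports), ACL names (outside_in, dmz_in, global_deny) and the 192.0.2.10 address are assumptions chosen for illustration.

```cisco
! Added example, not from the guide. All names and addresses are assumed.
!
! --- Global rule-engine settings from the guidelines ---
! Search rules by object-group definition instead of expanding the groups
! (less memory, slower rule lookups).
object-group-search access-control
! Apply access-group changes as one transaction instead of rule by rule.
asp rule-engine transactional-commit access-group
! Allow ACLs and objects to be referenced before they are defined.
forward-reference enable
!
! --- Objects referenced by the rules (assumed host in the RFC 5737 test range) ---
object network web-server
 host 192.0.2.10
object-group service web-ports tcp
 port-object eq 80
 port-object eq 443
!
! --- Interface ACL. Each remark is placed BEFORE the rule it describes,
!     which is the order ASDM uses to derive the rule description. ---
access-list outside_in remark Allow HTTP/HTTPS from the Internet to the web server
access-list outside_in extended permit tcp any object web-server object-group web-ports
!
! Bind the ACL to inbound traffic on the outside interface.
access-group outside_in in interface outside
!
! Alternative binding for an interface that terminates AAA-authenticated users:
! per-user-override lets a downloaded per-user ACL take precedence over this
! interface ACL for that user's traffic (inbound direction only).
! access-group outside_in in interface outside per-user-override
!
! --- Global ACL. It is evaluated only when the interface ACL has no match,
!     so it is a convenient place to log what is dropped before the implicit deny. ---
access-list global_deny extended deny ip any any log
access-group global_deny global
!
! --- Forward reference in action ---
! Because forward-reference enable is set, this binding is accepted although
! dmz_in does not exist yet. Until the ACL below is created the binding is
! IGNORED and the dmz interface keeps only its default security-level behavior.
! Without forward-reference enable the same command is rejected instead.
access-group dmz_in in interface dmz
access-list dmz_in extended permit tcp object web-server any eq 443
```

The forward-reference section is deliberately written in the "wrong" order to show the failure mode described in the guidelines: nothing warns that dmz_in was missing when the access-group line was entered, so after enabling forward referencing, check the running configuration to confirm that every ACL named in an access-group command has actually been defined.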