1-7
Cisco ASA Series CLI Configuration Guide
Chapter 1 Adding an Extended Access Control List
Configuring Extended ACLs
Adding an ACE for ICMP-Based Policy, with ICMP Type
This section describes how to control traffic based on IP addresses or fully qualified domain names (FQDNs) together with the ICMP type. An ACL is made up of one or more access control entries (ACEs) that share the same ACL ID. To create an ACL, you create an ACE and assign it a list name. An ACL with a single entry is still a list; you can add further entries to it at any time.
Prerequisites
• (Optional) Create network objects or object groups according to the “Configuring Network Objects
and Groups” section on page 1-2. Objects can contain an IP address (host, subnet, or range) or an
FQDN. Object groups contain multiple objects or inline entries.
• (Optional) Create ICMP groups according to the “Configuring an ICMP Group” section on
page 1-10.
Guidelines
To delete an ACE, enter the no access-list command with the entire command syntax string as it appears
in the configuration. To remove the entire ACL, use the clear configure access-list command.
Detailed Steps
Command:
access-list access_list_name [line line_number] extended {deny | permit} icmp source_address_argument dest_address_argument [icmp_argument] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]
Example:
hostname(config)# access-list abc extended permit icmp any any object-group obj_icmp_1
Purpose:
Adds an ACE for IP address or FQDN policy, optionally restricted to an ICMP type and code. For common keywords and arguments, see the “Adding an ACE for IP Address or Fully Qualified Domain Name-Based Policy” section on page 1-4. Keywords and arguments specific to this type of ACE include the following:
icmp_argument specifies the ICMP type and code:
• icmp_type [icmp_code]—Specifies the ICMP type by name or number, and the optional ICMP code for that type. If you do not specify the code, the ACE matches all codes for that type.
• object-group icmp_grp_id—Specifies an ICMP object group created using the object-group icmp command.
Adding an ACE for User-Based Policy (Identity Firewall)
If you configure the identity firewall feature, you can control traffic based on user identity.
Prerequisites
See Chapter 1, “Configuring the Identity Firewall,” to enable IDFW.
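The following is an added configuration example, not taken from the guide, that ties together the ICMP ACE syntax and the deletion guideline from the ICMP section above. The ACL name outside_in, the object group name obj_icmp_1, the interface name outside, and the addresses 10.1.1.0/24, 10.1.1.5 and 192.0.2.7 are all constructed for the example; the final access-group command is assumed from general ASA usage and is not covered on this page. The policy shown is a typical defensive one: permit inbound only the ICMP reply and path-diagnostic types the inside network needs, log and deny the rest.

```cisco
! Constructed example; names and addresses are assumptions, not values from the guide.
! 1. Build the ICMP object group referenced by the ACE (the "Configuring an ICMP Group" prerequisite).
hostname(config)# object-group icmp-type obj_icmp_1
hostname(config-icmp-type)# icmp-object echo-reply
hostname(config-icmp-type)# icmp-object time-exceeded
hostname(config-icmp-type)# icmp-object unreachable
hostname(config-icmp-type)# exit
! 2. Permit only the types in the group toward the inside subnet (object-group form of icmp_argument).
hostname(config)# access-list outside_in extended permit icmp any 10.1.1.0 255.255.255.0 object-group obj_icmp_1
! 3. Permit one exact type/code pair (Destination Unreachable, code 4, fragmentation needed) to one host,
!    created inactive so it can be enabled later without retyping it.
hostname(config)# access-list outside_in extended permit icmp any host 10.1.1.5 unreachable 4 inactive
! 4. Catch-all: log remaining ICMP at the default log level, then deny it.
hostname(config)# access-list outside_in extended deny icmp any any log
! 5. Insert an ACE ahead of the existing entries with the line keyword (blocks a noisy source first).
hostname(config)# access-list outside_in line 1 extended deny icmp host 192.0.2.7 any
! 6. Delete a single ACE: the no form must repeat the entry exactly as it appears in the configuration.
hostname(config)# no access-list outside_in extended permit icmp any host 10.1.1.5 unreachable 4 inactive
! 7. Apply the ACL to the interface (assumed; not described on this page).
hostname(config)# access-group outside_in in interface outside
```

Verify the result with show access-list outside_in: the line numbers shown there are the ones the line keyword positions against, and the hit counts on the deny entry in step 4 are the quickest way to see which ICMP types are actually arriving before you decide whether to widen the object group. Note that clear configure access-list removes every ACL, not only this one, so prefer the no form for individual entries.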