CHAPTER 3
Access Control Lists
Cisco ASA Series Firewall CLI Configuration Guide
Access control lists (ACLs) are used by many different features. When applied to interfaces or globally
as access rules, they permit or deny traffic that flows through the appliance. For other features, the ACL
selects the traffic to which the feature will apply, performing a matching service rather than a control
service.
The following sections explain the basics of ACLs and how to configure and monitor them. Access rules,
ACLs applied globally or to interfaces, are explained in more detail in the firewall configuration guide.
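The control-versus-matching distinction above, as an added illustration that is not taken from this guide: the same extended ACL syntax is first applied with access-group (an access rule, where the ACL decides whether traffic is forwarded or dropped) and then referenced from a class-map (a matching service, where the ACL only selects which traffic a feature acts on). The interface name "outside", the ACL and class names, and the server address 203.0.113.10 are assumptions chosen for the example.

```cisco
! Constructed example (not from the configuration guide). Assumes an
! interface named "outside" and a web server at 203.0.113.10.

! 1. Control service: an extended ACL applied as an access rule.
!    ACEs are evaluated in order and the first match wins; traffic that
!    matches a permit ACE is forwarded, everything else reaches the final
!    deny and is dropped (with a syslog message because of "log").
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! 2. Matching service: an ACL with the same syntax only selects traffic
!    for a feature (here HTTP inspection via the modular policy
!    framework). Traffic that does not match WEB_SELECT is not dropped by
!    this ACL; it simply is not handled by the WEB_CLASS class.
access-list WEB_SELECT extended permit tcp any host 203.0.113.10 eq 80
class-map WEB_CLASS
 match access-list WEB_SELECT
policy-map global_policy
 class WEB_CLASS
  inspect http
service-policy global_policy global

! Check that the expected ACEs are actually being hit (hit counts are
! shown per ACE), which is how a misordered or shadowed entry is spotted.
show access-list OUTSIDE_IN
```

The practical consequence of the distinction: an ACE in OUTSIDE_IN that is missing or ordered after a broader entry changes what reaches the server, whereas a gap in WEB_SELECT only changes which connections are inspected. Reviewing the hit counts from show access-list is the quickest way to confirm that each ACE does the job it was written for.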
• About ACLs, page 3-1
• Guidelines for ACLs, page 3-5
• Configure ACLs, page 3-6
• Edit ACLs in an Isolated Configuration Session, page 3-18
• Monitoring ACLs, page 3-20
• History for ACLs, page 3-21
About ACLs
Access control lists (ACLs) identify traffic flows by one or more characteristics, including source and
destination IP address, IP protocol, ports, EtherType, and other parameters, depending on the type of
ACL. ACLs are used in a variety of features. ACLs are made up of one or more access control entries
(ACEs).
ACL Types
The ASA uses the following types of ACLs:
• Extended ACLs—Extended ACLs are the main type that you will use. These ACLs are used for
access rules to permit and deny traffic through the device, and for traffic matching by many features,
including service policies, AAA rules, WCCP, Botnet Traffic Filter, and VPN group and DAP
policies. See Configure Extended ACLs, page 3-7.
• EtherType ACLs—EtherType ACLs apply to non-IP layer-2 traffic in transparent firewall mode. You
can use these rules to permit or drop traffic based on the EtherType value in the layer-2 packet. With
EtherType ACLs, you can control the flow of non-IP traffic across the device. See Configure
EtherType ACLs, page 3-17.