Cisco ASA Series Firewall CLI Configuration Guide
Chapter 3 Access Control Lists
restrictions during working hours, and relax them after work hours or at lunch. Conversely, you could
essentially shut your network down during non-work hours. For information on creating time range
objects, see Configure Time Ranges, page 2-9.
Note: Users could experience a delay of approximately 80 to 100 seconds after the specified end time for the ACL to become inactive. For example, if the specified end time is 3:50, because the end time is inclusive, the command is picked up anywhere between 3:51:00 and 3:51:59. After the command is picked up, the ASA finishes any currently running task and then services the command to deactivate the ACL.
Guidelines for ACLs
Firewall Mode
• Extended and standard ACLs are supported in routed and transparent firewall modes.
• Webtype ACLs are supported in routed mode only.
• EtherType ACLs are supported in transparent mode only.
Failover and Clustering
Configuration sessions are not synchronized across failover or clustered units. When you commit the
changes in a session, they are made in all failover and cluster units as normal.
IPv6
• Extended and webtype ACLs allow a mix of IPv4 and IPv6 addresses.
• Standard ACLs do not allow IPv6 addresses.
• EtherType ACLs do not contain IP addresses.
Additional Guidelines
• When you specify a network mask, the method is different from the Cisco IOS software access-list
command. The ASA uses a network mask (for example, 255.255.255.0 for a Class C mask). The
Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
• Normally, you cannot reference an object or object group that does not exist in an ACL or object
group, or delete one that is currently referenced. You also cannot reference an ACL that does not
exist in an access-group command (to apply access rules). However, you can change this default
behavior so that you can “forward reference” objects or ACLs before you create them. Until you
create the objects or ACLs, any rules or access groups that reference them are ignored. To enable
forward referencing, use the forward-reference enable command.
• (Extended ACL only) Features That Do Not Support Identity Firewall, FQDN, and Cisco TrustSec ACLs—The following features use ACLs, but cannot accept an ACL with identity firewall (specifying user or group names), FQDN (fully-qualified domain names), or Cisco TrustSec values:
– route-map command
– VPN crypto map command
– VPN group-policy command, except for vpn-filter
– WCCP
– DAP
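The network-mask guideline above is a common source of error when IOS access-lists are carried over to the ASA. The following Python checker is an added example, not code from the Cisco guide: it classifies the source mask of each access-list line as an ASA-style network mask or an IOS-style wildcard and reports what a configuration review should flag. The ACL name, addresses and lines are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample ACL lines (not from the guide); line 2 uses an IOS
# wildcard and line 3 a non-contiguous mask, both wrong on an ASA.
SAMPLE_ACL = """
access-list OUTSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit tcp 10.1.2.0 0.0.0.255 host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip 10.1.3.0 255.255.0.255 any
""".strip().splitlines()

# Matches the source network/mask pair of an extended ACE; "host" sources
# carry no mask and are deliberately skipped.
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+(?:permit|deny)\s+\S+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
)


def mask_kind(mask: str) -> str:
    """Classify a dotted-quad mask: 'netmask' (ASA style, contiguous ones then
    zeros), 'wildcard' (IOS style, contiguous zeros then ones), 'ambiguous'
    (0.0.0.0 / 255.255.255.255 are valid in both notations) or 'invalid'."""
    try:
        value = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return "invalid"
    if value in (0, 0xFFFFFFFF):
        return "ambiguous"
    inverted = value ^ 0xFFFFFFFF
    # A contiguous block of low-order ones n satisfies (n + 1) & n == 0.
    if (inverted + 1) & inverted == 0:
        return "netmask"
    if (value + 1) & value == 0:
        return "wildcard"
    return "invalid"


def wildcard_to_netmask(wildcard: str) -> str:
    """Convert an IOS wildcard (0.0.0.255) to the ASA network mask form."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF))


def lint_acl(lines):
    """Return (line_number, finding) for ACEs whose source mask is not ASA style."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = ACE_RE.match(line)
        if not match:
            continue
        kind = mask_kind(match["mask"])
        if kind == "wildcard":
            findings.append((number, f"IOS wildcard {match['mask']}; ASA expects {wildcard_to_netmask(match['mask'])}"))
        elif kind == "invalid":
            findings.append((number, f"non-contiguous mask {match['mask']}"))
    return findings
```

Running lint_acl(SAMPLE_ACL) reports lines 2 and 3; line 1 already uses the ASA mask form and passes.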