3-11
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 3 Access Control Lists
Configure ACLs
[log [[level] [interval secs] | disable | default]]
[time-range time_range_name]
[inactive]
Example:
hostname(config)# access-list v1 extended permit ip user LOCAL\idfw
any 10.0.0.0 255.255.255.0
The user_argument option specifies the user or group for which to match traffic in addition to the source
address. Available arguments include the following:
• object-group-user user_obj_grp_id—Specifies a user object group created using the object-group
user command.
• user {[domain_nickname\]name | any | none}—Specifies a username. Specify any to match all
users with user credentials, or none to match addresses that are not mapped to usernames. These
options are especially useful for combining access-group and aaa authentication match policies.
• user-group [domain_nickname\\]user_group_name—Specifies a user group name. Note the double
\\ separating the domain and group name.
For an explanation of the other keywords, see Add an Extended ACE for IP Address or Fully-Qualified
Domain Name-Based Matching, page 3-7.
Tip You can include both user and Cisco Trustsec security groups in a given ACE. See Add an Extended ACE
for Security Group-Based Matching (Cisco TrustSec), page 3-11.
Add an Extended ACE for Security Group-Based Matching (Cisco TrustSec)
The security group (Cisco TrustSec) extended ACE is just the basic address-matching ACE where you
include security groups or tags to the source or destination matching criteria. By creating rules based on
security groups, you can avoid tying rules to static host or network addresses. Because you must still
supply source and destination addresses, broaden the addresses to include the likely addresses that will
be assigned to users (normally through DHCP).
Tip Before adding this type of ACE, configure Cisco TrustSec as described in Chapter 6, “ASA and Cisco
TrustSec.”
To add an ACE for security group matching, use the following command:
access-list access_list_name [line line_number] extended {deny | permit} protocol_argument
[security_group_argument] source_address_argument [port_argument]
[security_group_argument] dest_address_argument [port_argument] [log [[level]
[interval secs] | disable | default]] [inactive | time-range time_range_name]
Example:
hostname(config)# access-list INSIDE_IN extended permit ip
security-group name my-group any any
The security_group_argument option specifies the security group for which to match traffic in addition
to the source or destination address. Available arguments include the following:
• object-group-security security_obj_grp_id—Specifies a security object group created using the
object-group security command.
To Next Page
Loading...
Need help?
General