Cisco ASA Series CLI Configuration Guide
Chapter 1 Adding an Extended Access Control List
Licensing Requirements for Extended ACLs
Guidelines and Limitations
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall modes.
IPv6 Guidelines
Supports IPv6.
Features That Do Not Support IDFW, FQDN, and TrustSec ACLs
The following features use ACLs, but cannot accept an ACL with IDFW, FQDN, or TrustSec values:
• route-map command
• VPN crypto map command
• VPN group-policy command, except for vpn-filter
• WCCP
• DAP
Additional Guidelines and Limitations
• Tip: Enter the ACL name in uppercase letters so that the name is easy to see in the configuration. You might want to name the ACL for the interface (for example, INSIDE), or you can name it for the purpose for which it is created (for example, NO_NAT or VPN).
• Typically, you identify the ip keyword for the protocol, but other protocols are accepted. For a list of protocol names, see the “Protocols and Applications” section on page 1-11.
• You can specify the source and destination ports only for the TCP or UDP protocols. For a list of permitted keywords and well-known port assignments, see the “TCP and UDP Ports” section on page 1-11. DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP.
• When you specify a network mask, the method is different from the Cisco IOS software access-list command. The ASA uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
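The mask convention in the last bullet is a common source of error when ACL entries are copied from IOS into an ASA. The following Python is an added example, not code from the Cisco guide: it converts between the two notations and flags an entry that uses a wildcard where the ASA expects a network mask, or an address whose host bits are set. Function names and the sample addresses are the example's own.

```python
import ipaddress

def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))

def is_network_mask(mask: str) -> bool:
    """True if mask is ASA-style: contiguous 1 bits followed by 0 bits (e.g. 255.255.255.0)."""
    inverted = ~_to_int(mask) & 0xFFFFFFFF
    # A contiguous mask, inverted, is 2**k - 1; such a value has no bit in common with itself + 1.
    return inverted & (inverted + 1) == 0

def mask_to_wildcard(mask: str) -> str:
    """Convert an ASA network mask to the IOS wildcard that selects the same addresses."""
    if not is_network_mask(mask):
        raise ValueError(f"{mask} is not a contiguous network mask")
    return _to_dotted(~_to_int(mask))

def wildcard_to_mask(wildcard: str) -> str:
    """Convert an IOS wildcard (e.g. 0.0.0.255) to the ASA network mask."""
    mask = _to_dotted(~_to_int(wildcard))
    if not is_network_mask(mask):
        raise ValueError(f"{wildcard} is not a contiguous wildcard mask")
    return mask

def lint_asa_network(address: str, mask: str) -> list[str]:
    """Return problems with an address/mask pair as it would appear in an ASA extended ACL.

    Note: ipaddress.ip_network() silently accepts a hostmask such as 0.0.0.255,
    so the contiguity check is done by hand rather than delegated to it.
    """
    problems = []
    if not is_network_mask(mask):
        inverted = _to_dotted(~_to_int(mask))
        if is_network_mask(inverted):
            problems.append(f"{mask} looks like an IOS wildcard; ASA expects the network mask {inverted}")
        else:
            problems.append(f"{mask} is not a valid network mask")
        return problems
    network = _to_int(address) & _to_int(mask)
    if network != _to_int(address):
        problems.append(f"{address} has host bits set outside {mask}; network address is {_to_dotted(network)}")
    return problems

if __name__ == "__main__":
    # Constructed sample entries: one correct, one IOS-style wildcard, one with host bits set.
    for addr, m in [("192.168.1.0", "255.255.255.0"), ("192.168.1.0", "0.0.0.255"), ("192.168.1.5", "255.255.255.0")]:
        print(addr, m, lint_asa_network(addr, m) or "ok")
```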
Model        License Requirement
All models   Base License