Cisco ASA Series CLI Configuration Guide, page 1-8
Chapter 1 Adding an Extended Access Control List
Configuring Extended ACLs
Detailed Steps
Adding an ACE for Security Group-Based Policy (TrustSec)
If you configure the Cisco TrustSec feature, you can control traffic based on security groups.
Prerequisites
See Chapter 1, “Configuring the ASA to Integrate with Cisco TrustSec,” to enable TrustSec.
Command:

access-list access_list_name [line line_number] extended {deny | permit} protocol_argument [user_argument] source_address_argument [port_argument] dest_address_argument [port_argument] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]

Example:

hostname(config)# access-list v1 extended permit ip user LOCAL\idfw any 10.0.0.0 255.255.255.0

Purpose:

Adds an ACE for IP address or FQDN policy, as well as optional usernames and/or groups. For common keywords and arguments, see the “Adding an ACE for IP Address or Fully Qualified Domain Name-Based Policy” section on page 1-4. Keywords and arguments specific to this type of ACE include the following:

user_argument is for use with the identity firewall feature, and specifies the user or group for which to match traffic in addition to the source address. Available arguments include the following:

• object-group-user user_obj_grp_id—Specifies a user object group created using the object-group user command.
• user {[domain_nickname\]name | any | none}—Specifies a username. Specify any to match all users with user credentials, or none to match users without user credentials. These options are especially useful for combining access-group and aaa authentication match policies.
• user-group [domain_nickname\\]user_group_name—Specifies a user group name.

Note Although not shown in the syntax at left, you can also use TrustSec security group arguments.
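The following configuration is an added example, not taken from the Cisco guide, showing how the user_argument forms above fit together with object-group user, access-group and aaa authentication match. It assumes the identity firewall is already enabled and a domain with the NetBIOS nickname LOCAL is mapped; the names ENGINEERS, INSIDE_IN, AUTH_TRIGGER, alice, engineering, Engineering and the 10.0.0.0/24 server subnet are constructed values, and the aaa authentication match and security-group lines use ASA CLI syntax that this section does not print.

```cisco
! Added example (not from the Cisco guide): identity-aware ACEs on an ASA.
! Assumes the identity firewall is enabled and domain nickname LOCAL is mapped.
! ENGINEERS, INSIDE_IN, AUTH_TRIGGER, alice, engineering and 10.0.0.0/24 are constructed.

! Group identities once so ACEs reference a name rather than individual users.
object-group user ENGINEERS
 user LOCAL\alice
 user-group LOCAL\\engineering

! Sessions with no user identity yet match "user none". Referencing that ACL
! from aaa authentication match triggers cut-through proxy authentication
! instead of silently dropping the flow (aaa syntax assumed from the ASA CLI,
! not shown in this section).
access-list AUTH_TRIGGER extended permit tcp user none any 10.0.0.0 255.255.255.0 eq 22
aaa authentication match AUTH_TRIGGER inside LOCAL

! Enforcement ACL: a named user, then a user group, then an explicit logged
! deny for every other authenticated session ("user any"). First match wins.
access-list INSIDE_IN extended permit ip user LOCAL\idfw any 10.0.0.0 255.255.255.0
access-list INSIDE_IN extended permit tcp object-group-user ENGINEERS any 10.0.0.0 255.255.255.0 eq 22 log
access-list INSIDE_IN extended deny ip user any any 10.0.0.0 255.255.255.0 log
access-group INSIDE_IN in interface inside

! TrustSec equivalent of the group ACE (security-group argument syntax is not
! printed in this section; the SG name "Engineering" is constructed).
access-list INSIDE_IN extended permit tcp security-group name Engineering any 10.0.0.0 255.255.255.0 eq 22 log
```

Two points worth checking when reviewing such a policy: ACEs are evaluated in order, so the logged deny must come after the permits it is meant to backstop, and "user any" only matches sessions that carry credentials, so unauthenticated traffic never reaches that deny and instead falls to the ACL's implicit deny (or, where the aaa authentication match ACL applies, to the authentication prompt).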