Cisco ASA Series CLI Configuration Guide
Chapter 1 Adding an Extended Access Control List
Default Settings
Table 1-1 lists the default settings for extended ACL parameters.
Configuring Extended ACLs
This section shows how to add ACEs of various types to an ACL and includes the following topics:
• Adding an ACE for IP Address or Fully Qualified Domain Name-Based Policy, page 1-4
• Adding an ACE for TCP or UDP-Based Policy, with Ports, page 1-6
• Adding an ACE for ICMP-Based Policy, with ICMP Type, page 1-7
• Adding an ACE for User-Based Policy (Identity Firewall), page 1-7
• Adding an ACE for Security Group-Based Policy (TrustSec), page 1-8
• Adding Remarks to ACLs, page 1-9
Adding an ACE for IP Address or Fully Qualified Domain Name-Based Policy
Use this procedure to control traffic based on IP addresses or fully qualified domain names (FQDNs). An ACL is made up of one or more access control entries (ACEs) that share the same ACL ID. You create an ACL by entering its first ACE under a new list name; an ACL with a single entry is still a list, and you can add further entries to it. Entries are evaluated in the order they appear, and the first matching ACE decides the action, so the order in which you add ACEs matters.
Prerequisites
(Optional) Create network objects or object groups according to the “Configuring Network Objects and Groups” section on page 1-2. Objects can contain an IP address (host, subnet, or range) or an FQDN. Object groups contain multiple objects or inline entries. An ACE that references an FQDN object matches only the addresses the ASA has resolved for that name, so DNS lookups must be configured on the ASA for such an ACE to match any traffic.
Guidelines
To delete an ACE, enter the no access-list command with the entire command syntax string exactly as it appears in the configuration. To remove an entire ACL, use the clear configure access-list command with the ACL ID; if you omit the ID, the command removes every ACL on the device.
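The following configuration is a worked example added here; it is not taken from the Cisco guide. It pulls the steps above together: network objects (including an FQDN object and the DNS lookup it depends on), ACEs of the IP, TCP and ICMP types with remarks, an explicit deny that uses the log keyword with values other than the Table 1-1 defaults, binding the ACL to an interface, and removal of one ACE and then of the whole list. All object names, interface names, addresses and the domain name are hypothetical.

```cisco
! Constructed example, not from the guide. DNS must be working before an
! FQDN object can match anything, because the ASA resolves the name itself.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.0.0.53

! Network objects referenced by the ACEs (hypothetical names and addresses)
object network DMZ_WEB
 host 10.1.1.10
object network INSIDE_NET
 subnet 10.0.0.0 255.255.0.0
object network PARTNER_API
 fqdn api.partner.example.com

! The ACL OUTSIDE_IN is created by its first ACE; every later ACE with the
! same ID is appended in order, and the first matching ACE wins.
access-list OUTSIDE_IN remark HTTPS from anywhere to the DMZ web server
access-list OUTSIDE_IN extended permit tcp any object DMZ_WEB eq 443
access-list OUTSIDE_IN remark Echo replies only, no other ICMP types
access-list OUTSIDE_IN extended permit icmp any object INSIDE_NET echo-reply
access-list OUTSIDE_IN remark Partner API host, matched via FQDN object
access-list OUTSIDE_IN extended permit tcp object PARTNER_API object INSIDE_NET eq 8443
! Explicit deny with logging. The Table 1-1 defaults would be level 6 every
! 300 seconds; here the level is raised to 4 (warnings) with a 60 second interval.
access-list OUTSIDE_IN extended deny ip any any log 4 interval 60

! Nothing is enforced until the ACL is bound to an interface and direction
access-group OUTSIDE_IN in interface outside

! Removing a single ACE requires the full ACE string exactly as configured
no access-list OUTSIDE_IN extended permit icmp any object INSIDE_NET echo-reply
! Remove the whole ACL by ID; omitting the ID would clear every ACL on the device
clear configure access-list OUTSIDE_IN
```

The trailing explicit deny is the practitioner's check on the logging behaviour described in Table 1-1: the implicit deny at the end of every ACL drops traffic silently, so a deny ACE with the log keyword is what turns denied packets into system log messages you can alert on. Confirm the result with show access-list OUTSIDE_IN, which also shows per-ACE hit counts and the addresses currently resolved for the FQDN object.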
Table 1-1 Default Extended ACL Parameters

Parameter      Default
ACE logging    Denied packets generate system log message 106023. A deny ACE must be present in the ACL for denied packets to be logged.
log            When the log keyword is specified, the default level for system log message 106100 is 6 (informational), and the default interval is 300 seconds.