Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 15, Adding an Extended Access List (page 15-2)
Firewall Mode Guidelines
Supported in both routed and transparent firewall modes.
IPv6 Guidelines
IPv6 is supported.
Additional Guidelines and Limitations
The following guidelines and limitations apply to creating an extended access list:
• Enter the access list name in uppercase letters so that the name is easy to see in the configuration. You might name the access list for the interface it is applied to (for example, INSIDE), or for the purpose for which it is created (for example, NO_NAT or VPN).
• Typically you specify the ip keyword for the protocol, which matches all IP traffic, but other protocols are accepted. For a list of protocol names, see the “Protocols and Applications” section on page B-11.
• You can specify source and destination ports only for the TCP and UDP protocols. For a list of permitted keywords and well-known port assignments, see the “TCP and UDP Ports” section on page B-11. DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for UDP. TACACS+ requires a single definition for port 49 on TCP.
• When you specify a network mask, the method differs from the Cisco IOS software access-list command. The ASA uses a network mask (for example, 255.255.255.0 for a Class C network), whereas the Cisco IOS mask uses wildcard bits (for example, 0.0.0.255). Do not carry IOS-style wildcard masks over to ASA access lists.
Default Settings
Table 15-1 lists the default settings for extended access list parameters.

Table 15-1 Default Extended Access List Parameters

Parameter      Default
ACE logging    ACE logging generates system log message 106023 for denied packets. A deny ACE must be present to log denied packets.
log            When the log keyword is specified, the default level for system log message 106100 is 6 (informational), and the default interval is 300 seconds.

Configuring Extended Access Lists
This section shows how to add and delete an access control entry and access list, and it includes the following topics:
• Adding an Extended Access List, page 15-3
• Adding Remarks to Access Lists, page 15-5
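The following ASA configuration fragment is an added example written for this page; it is not taken from the Cisco guide. It puts the guidelines above (uppercase naming, ip versus tcp/udp, paired TCP and UDP definitions for DNS, a single TCP definition for TACACS+, network masks rather than wildcards) and the logging defaults from Table 15-1 into practice. The interface name inside, the list name INSIDE, and the addresses 192.168.1.0/24, 10.2.0.0/16, 10.1.1.53 and 10.1.1.10 are assumptions chosen for illustration.

```cisco
! Added example (not from the Cisco guide). Names and addresses are assumed.
! Uppercase list name, named for the interface it will be applied to.
! ASA masks are network masks (255.255.255.0), not IOS wildcards (0.0.0.255).
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 10.2.0.0 255.255.0.0
!
! Ports may be given only for tcp and udp. DNS needs one ACE for TCP and
! one for UDP; the same port keyword (domain = 53) is accepted for both.
access-list INSIDE extended permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.53 eq domain
access-list INSIDE extended permit udp 192.168.1.0 255.255.255.0 host 10.1.1.53 eq domain
!
! TACACS+ needs only a TCP definition for port 49 (keyword tacacs).
access-list INSIDE extended permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.10 eq tacacs
!
! Explicit deny ACE last. Without the log keyword, denied packets would be
! reported with message 106023 (the ACE logging default in Table 15-1).
! With a bare "log", the ASA instead generates message 106100 at the
! default level 6 (informational) and interval 300 seconds for flows
! matching this ACE.
access-list INSIDE extended deny ip any any log
!
! Variant with an explicit level and interval: 106100 at level 4 (warnings),
! summarised every 60 seconds. "log default" restores 106023 behaviour and
! "log disable" suppresses logging for the ACE. Kept commented out so the
! list has a single terminal deny.
! access-list INSIDE extended deny ip any any log 4 interval 60
!
! Apply the list to inbound traffic on the inside interface and verify it.
access-group INSIDE in interface inside
show access-list INSIDE
```

Order matters: the ASA evaluates ACEs top down and stops at the first match, so the explicit deny ip any any must stay the last entry. Add the permit ACEs before applying the list with access-group; an applied list whose only ACE is the deny drops the traffic you intended to allow.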