15-4
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter15 Adding an Extended Access List
Configuring Extended Access Lists
Detailed Steps
Command Purpose
(For IP traffic, no ports)
access-list access_list_name [line
line_number] extended {deny | permit}
{protocol | object-group prot_grp_id}
{source_address mask | object nw_obj_id |
object-group nw_grp_id}
{dest_address mask | object nw_obj_id |
object-group nw_grp_id}
[log [[level] [interval secs] | disable |
default]]
[inactive | time-range time_range_name]
(For TCP or UDP traffic, with ports)
access-list access_list_name [line
line_number] extended {deny | permit}
{tcp | udp | object-group prot_grp_id}
{source_address mask | object nw_obj_id |
object-group nw_grp_id}
[operator port | object-group svc_grp_id]
{dest_address mask | object nw_obj_id |
object-group nw_grp_id}
[operator port | object-group svc_grp_id]
[log [[level] [interval secs] | disable |
default]]
[inactive | time-range time_range_name]
(For ICMP traffic)
access-list access_list_name [line
line_number] extended {deny | permit} icmp
{source_address mask | object nw_obj_id |
object-group nw_grp_id}
{dest_address mask | object nw_obj_id |
object-group nw_grp_id}
[icmp_type | object-group icmp_grp_id]
[log [[level] [interval secs] | disable |
default]] [inactive | time-range
time_range_name]
Example:
hostname(config)# access-list ACL_IN
extended permit ip any any
Adds an extended ACE.
The line line_number option specifies the line number at which insert the
ACE. If you do not specify a line number, the ACE is added to the end of
the access list. The line number is not saved in the configuration; it only
specifies where to insert the ACE.
The deny keyword denies a packet if the conditions are matched. The
permit keyword permits a packet if the conditions are matched.
Instead of entering the protocol, IP address, or port directly in the
command, you can use network objects, or protocol, network, port, or
ICMP object groups using the object and object-group keyword. See
“Configuring Objects and Groups” section on page13-1 for more
information about creating objects.
The protocol argument specifies the IP protocol name or number. For
example UDP is 17, TCP is 6, and EGP is 47.
The source_address specifies the IP address of the network or host from
which the packet is being sent. Enter the host keyword before the IP
address to specify a single address. In this case, do not enter a mask. Enter
the any keyword instead of the address and mask to specify any address.
For the TCP and UDP protocols only, the operator port option matches the
port numbers used by the source or destination. The permitted operators are
as follows:
lt—less than.
gt—greater than.
dq—equal to.
neq—not equal to.
range—an inclusive range of values. When you use this operator,
specify two port numbers, for example: range 100 200.
The dest_address argument specifies the IP address of the network or host
to which the packet is being sent. Enter the host keyword before the IP
address to specify a single address. In this case, do not enter a mask. Enter
the any keyword instead of the address and mask to specify any address.
The icmp_type argument specifies the ICMP type if the protocol is ICMP.
The time-range keyword specifies when an access list is activated. See the
“Scheduling Extended Access List Activation” section on page13-16 for
more information.
The inactive keyword disables an ACE. To reenable it, enter the entire
ACE without the inactive keyword. This feature enables you to keep a
record of an inactive ACE in your configuration to make reenabling easier.
For the log keyword, see Chapter 20, “Configuring Logging for Access
Lists.”