Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 17 Adding a Standard Access List
Context Mode Guidelines
Supported in single context mode only.
Firewall Mode Guidelines
Supported in routed and transparent firewall modes.
IPv6 Guidelines
Supports IPv6.
Additional Guidelines and Limitations
The following guidelines and limitations apply for standard Access Lists:
- Standard ACLs identify the destination IP addresses (not source addresses) of OSPF routes and can be used in a route map for OSPF redistribution. Standard ACLs cannot be applied to interfaces to control traffic.
- To add additional ACEs at the end of the access list, enter another access-list command, specifying the same access list name.
- When used with the access-group command, the deny keyword does not allow a packet to traverse the ASA. By default, the ASA denies all packets on the originating interface unless you specifically permit access.
- When specifying a source, local, or destination address, use the following guidelines:
  - Use a 32-bit quantity in four-part, dotted-decimal format.
  - Use the keyword any as an abbreviation for an address and mask of 0.0.0.0 0.0.0.0.
  - Use the host ip_address option as an abbreviation for a mask of 255.255.255.255.
- You can disable an ACE by specifying the keyword inactive in the access-list command.
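The following Python sketch is an added example, not part of the Cisco guide. It audits standard ACEs offline by expanding the any and host abbreviations, keeping appended ACEs in order, skipping inactive entries, and applying the implicit deny. The ACL names and addresses are constructed, it handles IPv4 only, and the first-match-on-destination-address model is a simplifying assumption.

```python
import ipaddress

# Constructed sample configuration; names and addresses are made up.
SAMPLE_CONFIG = """\
access-list OSPF_OUT standard deny host 10.1.1.1
access-list OSPF_OUT standard permit 10.1.0.0 255.255.0.0
access-list OSPF_OUT standard deny 192.168.50.0 255.255.255.0 inactive
access-list OSPF_OUT standard permit 192.168.0.0 255.255.0.0
access-list MGMT extended permit ip any any
access-list ALL standard permit any
"""

def parse_standard_acls(config):
    """Return {name: [(action, network, active), ...]} in configured order."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] != "standard":
            continue  # not a standard ACE (for example an extended ACE)
        name, action, spec = tok[1], tok[3], tok[4:]
        if action not in ("permit", "deny"):
            raise ValueError("unknown action in: " + line)
        active = spec[-1] != "inactive"
        if not active:
            spec = spec[:-1]
        if spec == ["any"]:
            # 'any' abbreviates address and mask 0.0.0.0 0.0.0.0
            net = ipaddress.ip_network("0.0.0.0/0.0.0.0")
        elif len(spec) == 2 and spec[0] == "host":
            # 'host ip_address' abbreviates mask 255.255.255.255
            net = ipaddress.ip_network(spec[1] + "/255.255.255.255")
        elif len(spec) == 2:
            # Strict parsing rejects an address with bits set outside the mask.
            net = ipaddress.ip_network(spec[0] + "/" + spec[1])
        else:
            raise ValueError("cannot parse address in: " + line)
        # A later command with the same name appends to the end of the list.
        acls.setdefault(name, []).append((action, net, active))
    return acls

def evaluate(acl, destination):
    """First active ACE containing the destination wins; otherwise deny."""
    addr = ipaddress.ip_address(destination)
    for action, net, active in acl:
        if active and addr in net:
            return action
    return "deny"  # nothing matched: denied unless specifically permitted
```
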
Default Settings
Table 17-1 lists the default settings for standard Access List parameters.
Table 17-1 Default Standard Access List Parameters
Parameters    Default
deny          The ASA denies all packets on the originating interface unless you specifically permit access.
              Access list logging generates system log message 106023 for denied packets. Deny packets must be present to log denied packets.