19-5
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter19 Adding an IPv6 Access List
Configuring IPv6 Access Lists
Adding IPv6 Access Lists
You can add a regular IPv6 access list or add an IPv6 access list with TCP.
To add a regular IPv6 access list, enter the following command:
Command Purpose
ipv6 access-list id [line line-num] {deny
| permit} {protocol | object-group
protocol_obj_grp_id}
{source-ipv6-prefix/prefix-length | any |
host source-ipv6-address | object-group
network_obj_grp_id} [operator {port [port]
| object-group service_obj_grp_id}]
{destination-ipv6-prefix/prefix-length |
any | host destination-ipv6-address |
object-group network_obj_grp_id}
[{operator port [port] | object-group
service_obj_grp_id}] [log [[level]
[interval secs] | disable | default]]
Example:
hostname(config)# ipv6 access-list acl_grp
permit tcp any host
3001:1::203:A0FF:FED6:162D
Configures an IPv6 access list.
The any keyword is an abbreviation for the IPv6 prefix ::/0, indicating any
IPv6 address.
The deny keyword denies access if the conditions are matched.
The destination-ipv6-address argument identifies the IPv6 address of the
host receiving the traffic.
The destination-ipv6-prefix argument identifies the IPv6 network address
where the traffic is destined.
The disable option disables syslog messaging.
The host keyword indicates that the address refers to a specific host.
The id keyword specifies the number of an access list.
The line line-num option specifies the line number for inserting the access
rule into the list. By default, the ACE is added to the end of the access list.
The network_obj_grp_id argument specifies existing network object group
identification.
The object-group option specifies an object group.
The operator option compares the source IP address or destination IP
address ports. For a list of permitted operands, see the “Guidelines and
Limitations” section on page19-2.
The permit keyword permits access if the conditions are matched.
The port option specifies the port that you permit or deny access. You can
specify the port either by a number in the range of 0 to 65535 or by a literal
name if the protocol is tcp or udp. For a list of permitted TCP or UDP
literal names, see the “Guidelines and Limitations” section on page19-2.
The prefix-length argument indicates how many of the high-order,
contiguous bits of the address comprise the IPv6 prefix.
The protocol argument specifies the name or number of an IP protocol.
The protocol_obj_grp_id indicates the existing protocol object group ID.
The service_obj_grp_id option specifies the object group.
The source-ipv6-address specifies the address of the host sending traffic.
The source-ipv6-prefix specifies the IPv6 address of traffic origin.