19-6
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter19 Adding an IPv6 Access List
Configuring IPv6 Access Lists
To configure an IPv6 access list with ICMP, enter the following command:
Adding Remarks to Access Lists
You can include remarks about entries in any access list, including extended, EtherType, IPv6, standard,
and Webtype access lists. The remarks make the access list easier to understand.
To add a remark after the last access-list command you entered, enter the following command:
Example
You can add remarks before each ACE, and the remarks appear in the access list in these locations.
Entering a dash (-) at the beginning of a remark helps set it apart from an ACE.
hostname(config)# access-list OUT remark - this is the inside admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
hostname(config)# access-list OUT remark - this is the hr admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any
Command Purpose
ipv6 access-list id [line line-num] {deny
| permit} icmp6
{source-ipv6-prefix/prefix-length | any |
host source-ipv6-address | object-group
network_obj_grp_id}
{destination-ipv6-prefix/prefix-length |
any | host destination-ipv6-address |
object-group network_obj_grp_id}
[icmp_type | object-group
icmp_type_obj_grp_id] [log [[level]
[interval secs] | disable | default]]
Example:
hostname(config)# ipv6 access list acl_grp
permit tcp any host
3001:1::203:AOFF:FED6:162D
Configures an IPv6 access list with ICMP.
The icmp6 keyword specifies that the access rule applies to ICMPv6 traffic
passing through the ASA.
The icmp_type argument specifies the ICMP message type being filtered by
the access rule. The value can be a valid ICMP type number from 0 to 255.
(For a list of the permitted ICMP type literals, see the “Guidelines and
Limitations” section on page19-2.)
The icmp_type_obj_grp_id option specifies the object group ICMP type
ID.
For details about additional ipv6 access-list command parameters, see the
preceding procedure for adding a regular IPv6 access list, or see the
ipv6 access-list command in the Cisco Security Appliance Command
Reference.
Command Purpose
access-list access_list_name remark text
Example:
hostname(config)# access-list OUT remark -
this is the inside admin address
Adds a remark after the last access-list command you entered.
The text can be up to 100 characters in length. You can enter leading spaces
at the beginning of the text. Trailing spaces are ignored.
If you enter the remark before any access-list command, then the remark
is the first line in the access list.
If you delete an access list using the no access-list access_list_name
command, then all the remarks are also removed.