34-8
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter34 Configuring Access Rules
Monitoring Access Rules
Detailed Steps
Examples
The following example shows how to use the access-group command:
hostname(config)# access-list acl_out permit tcp any host 209.165.201.3 eq 80
hostname(config)# access-group acl_out in interface outside
The access-list command lets any host access the global address using port 80. The access-group command specifies that the access list applies to traffic entering the outside interface.
Monitoring Access Rules
To monitor network access, enter the following command:
Command Purpose
access-group access_list {{in | out} interface interface_name
[per-user-override | control-plane] | global}
Example:
hostname(config)# access-group acl_out in interface outside
Binds an access list to an interface or applies it globally. Specify the extended, EtherType, or IPv6 access list name. You can configure one access-group command per access list type per interface. You cannot reference empty access lists or access lists that contain only a remark.
For an interface-specific rule:
The in keyword applies the access list to inbound traffic. The out keyword applies the access list to outbound traffic.
Specify the interface name.
The per-user-override keyword (for inbound access lists only) allows dynamic user access lists that are downloaded for user authorization to override the access list assigned to the interface. For example, if the interface access list denies all traffic from 10.0.0.0, but the dynamic access list permits all traffic from 10.0.0.0, then the dynamic access list overrides the interface access list for that user. See the “Configuring RADIUS Authorization” section on page 38-14 for more information about per-user access lists. See also the “Per-User Access List Guidelines” section on page 34-7.
The control-plane keyword specifies that the rule applies to to-the-box traffic.
For a global rule, specify the global keyword to apply the access list to the inbound direction of all interfaces.
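As an added example that is not part of the Cisco guide, the following Python script parses access-group lines in the syntax documented above from a constructed running-config excerpt and flags bindings that break the stated rules: an empty or remark-only access list, per-user-override on an outbound access list, and more than one binding per interface and direction. It assumes every access list is of the extended type, so the per-type allowance collapses to one binding per interface and direction, with control-plane bindings counted separately from through-traffic bindings.

```python
import re
from collections import Counter

# Constructed sample configuration (not from the Cisco guide): the access-list
# definitions plus the access-group bindings that reference them.
SAMPLE_CONFIG = """\
access-list acl_out extended permit tcp any host 209.165.201.3 eq 80
access-list acl_in extended permit ip 10.0.0.0 255.0.0.0 any
access-list acl_mgmt extended permit tcp host 10.1.1.5 any eq 22
access-list acl_empty remark placeholder, no rules yet
access-group acl_out in interface outside
access-group acl_mgmt in interface outside control-plane
access-group acl_in in interface inside per-user-override
access-group acl_in out interface inside per-user-override
access-group acl_empty in interface dmz
"""

# The access-group syntax as documented on this page.
ACCESS_GROUP_RE = re.compile(
    r"^access-group\s+(?P<acl>\S+)\s+(?:"
    r"(?P<dir>in|out)\s+interface\s+(?P<ifname>\S+)"
    r"(?:\s+(?P<opt>per-user-override|control-plane))?"
    r"|(?P<global>global))\s*$"
)

def parse_access_groups(config):
    """Return one dict per access-group line; lines that do not match are skipped."""
    return [m.groupdict() for m in
            (ACCESS_GROUP_RE.match(l.strip()) for l in config.splitlines()) if m]

def check_access_groups(config):
    """Flag bindings that break the rules stated for the access-group command."""
    # Only access lists with at least one non-remark entry may be bound.
    usable = {m.group(1) for m in re.finditer(
        r"^access-list\s+(\S+)\s+(?!remark\b)\S", config, re.M)}
    findings, seen = [], Counter()
    for b in parse_access_groups(config):
        if b["acl"] not in usable:
            findings.append(f"{b['acl']}: empty or remark-only access list cannot be bound")
        if b["opt"] == "per-user-override" and b["dir"] == "out":
            findings.append(f"{b['acl']}: per-user-override is valid only for inbound access lists")
        # Assumes every access list is extended, so the per-type allowance reduces to
        # one binding per interface and direction; control-plane is counted separately.
        key = ("global",) if b["global"] else (b["ifname"], b["dir"], b["opt"] == "control-plane")
        seen[key] += 1
        if seen[key] > 1:
            findings.append(f"{'/'.join(map(str, key[:2]))}: more than one access-group binding")
    return findings
```

Running check_access_groups(SAMPLE_CONFIG) reports the outbound per-user-override binding and the remark-only access list on dmz; the control-plane binding on outside is accepted alongside the regular inbound one.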
Command Purpose
show running-config access-group
Displays the current access list bound to the interfaces.