6-4
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 6 Configuring Access Rules
Information About Access Rules
Figure 6-1 Outbound ACL
See the following commands for this example:
ciscoasa(config)# access-list OUTSIDE extended permit tcp host 10.1.1.14 host 209.165.200.225 eq www
ciscoasa(config)# access-list OUTSIDE extended permit tcp host 10.1.2.67 host 209.165.200.225 eq www
ciscoasa(config)# access-list OUTSIDE extended permit tcp host 10.1.3.34 host 209.165.200.225 eq www
ciscoasa(config)# access-group OUTSIDE out interface outside
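The following is an added example, not part of the Cisco guide: it parses the three extended ACEs from the example above and evaluates sample flows with the ASA's access-list semantics (first matching ACE wins; a flow that matches no ACE hits the implicit deny at the end of the list). The sample ACL text, the port-keyword table and the test flows are constructed for this example. The flow sourced from the mapped address 209.165.201.4 is included to illustrate that access rules on ASA 8.3 and later reference real (untranslated) addresses, which is why the ACL on this page names 10.1.1.14 rather than its static NAT mapped address.

```python
"""Added example: parse ASA extended ACEs and apply first-match, implicit-deny evaluation."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the three ACEs from the configuration example above.
ACL_OUTSIDE = """
access-list OUTSIDE extended permit tcp host 10.1.1.14 host 209.165.200.225 eq www
access-list OUTSIDE extended permit tcp host 10.1.2.67 host 209.165.200.225 eq www
access-list OUTSIDE extended permit tcp host 10.1.3.34 host 209.165.200.225 eq www
"""

# Subset of the port keywords the ASA accepts in place of numbers (assumed for this example).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}

# Grammar covered here: host X | any | network mask operands, optional "eq <port>".
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp|ip)\s+"
    r"(?P<src>host\s+\S+|any|\S+\s+\S+)\s+"
    r"(?P<dst>host\s+\S+|any|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


@dataclass
class Ace:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port


def _to_network(spec: str) -> ipaddress.IPv4Network:
    """Translate an ASA address operand ("host X", "any", "network mask") into a network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    kind, *rest = spec.split()
    if kind == "host":
        return ipaddress.ip_network(rest[0] + "/32")
    return ipaddress.ip_network((kind, rest[0]), strict=False)


def parse_acl(text: str) -> List[Ace]:
    """Parse one ACE per line, preserving order (order matters for first-match evaluation)."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        port = m.group("port")
        if port is None:
            dport = None
        else:
            dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        aces.append(Ace(m.group("name"), m.group("action"), m.group("proto"),
                        _to_network(m.group("src")), _to_network(m.group("dst")), dport))
    return aces


def evaluate(aces: List[Ace], src: str, dst: str, proto: str, dport: int) -> str:
    """Return the action of the first matching ACE, or "deny" for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every ASA access list


def overly_broad_permits(aces: List[Ace]) -> List[Ace]:
    """Flag permit ACEs with an "any" source or destination, or with no port restriction."""
    return [a for a in aces if a.action == "permit"
            and (a.src.prefixlen == 0 or a.dst.prefixlen == 0 or a.dport is None)]


if __name__ == "__main__":
    acl = parse_acl(ACL_OUTSIDE)
    # Real (pre-NAT) inside address, exactly as the ACL on the page is written.
    print(evaluate(acl, "10.1.1.14", "209.165.200.225", "tcp", 80))     # permit
    # Same host to HTTPS: no ACE matches, so the implicit deny applies.
    print(evaluate(acl, "10.1.1.14", "209.165.200.225", "tcp", 443))    # deny
    # The static NAT mapped address from Figure 6-1 does not match: ACEs use real addresses.
    print(evaluate(acl, "209.165.201.4", "209.165.200.225", "tcp", 80))  # deny
    print(overly_broad_permits(acl))                                    # []
```

Appending a constructed `access-list OUTSIDE extended permit ip any any` to the sample shows the other half of the model: the evaluator then permits a host that is not in the figure, and `overly_broad_permits` flags that ACE, which is the kind of check worth running before an `access-group` command applies a list to an interface.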
Transactional-Commit Model
The ASA rule engine supports a feature for rule updates called the Transactional-Commit Model.
When this feature is enabled, a rule update is applied only after rule compilation has completed, so
rule-matching performance is not affected while the rules compile. With the legacy model, rule updates
take effect immediately, but rule matching slows down during the compilation period. The
Transactional-Commit Model is useful in two situations:
• Preventing packet drops while compiling a large rule set under high traffic rates.
• Reducing rule compilation time when updating a large number of similar rules.
Guidelines and Limitations
Context Mode Guidelines
Supported in single and multiple context mode.
Figure 6-1 Outbound ACL (contents of the figure)
Web Server: 209.165.200.225 (reached through the outside interface)
Inside-facing interfaces: Inside, HR, Eng
Static NAT (mapped address / real address): 209.165.201.4 / 10.1.1.14; 209.165.201.6 / 10.1.2.67; 209.165.201.8 / 10.1.3.34
ACL Outbound (outside interface): Permit HTTP from 10.1.1.14, 10.1.2.67, and 10.1.3.34 to 209.165.200.225; Deny all others
ACL Inbound (on each of the Inside, HR, and Eng interfaces): Permit from any to any