Cisco ASA Series Firewall CLI Configuration Guide
Chapter 6 Configuring Access Rules
Monitoring Access Rules
To monitor network access, enter the following command:
Command                              Purpose
show running-config access-group     Displays the current ACL bound to the interfaces.
Configuration Examples for Permitting or Denying Network Access
This section includes typical configuration examples for permitting or denying network access.
The following example adds a network object for inside server 1, performs static NAT for the server, and
enables access from the outside to inside server 1. Because access rules are evaluated against the real
(untranslated) address, the ACL references the object inside-server1 (10.1.1.1) rather than the mapped
address 209.165.201.12.
ciscoasa(config)# object network inside-server1
ciscoasa(config-network-object)# host 10.1.1.1
ciscoasa(config-network-object)# nat (inside,outside) static 209.165.201.12
ciscoasa(config)# access-list outside_access extended permit tcp any object inside-server1 eq www
ciscoasa(config)# access-group outside_access in interface outside
The following example allows all hosts to communicate between the inside and hr networks, but allows only
two specific hosts to reach the outside network. The OUT ACL is applied in the outbound direction on the
outside interface, so its implicit deny blocks every other source address from leaving through it:
ciscoasa(config)# access-list ANY extended permit ip any any
ciscoasa(config)# access-list OUT extended permit ip host 209.168.200.3 any
ciscoasa(config)# access-list OUT extended permit ip host 209.168.200.4 any
ciscoasa(config)# access-group ANY in interface inside
ciscoasa(config)# access-group ANY in interface hr
ciscoasa(config)# access-group OUT out interface outside
EtherType ACLs filter non-IP Layer 2 traffic on a transparent-mode ASA. The following example allows
common EtherTypes originating on the inside interface:
ciscoasa(config)# access-list ETHER ethertype permit ipx
ciscoasa(config)# access-list ETHER ethertype permit mpls-unicast
ciscoasa(config)# access-group ETHER in interface inside
The following example allows some EtherTypes through the ASA but denies all others, because the implicit
deny at the end of the ACL drops any EtherType that is not explicitly permitted:
ciscoasa(config)# access-list ETHER ethertype permit 0x1234
ciscoasa(config)# access-list ETHER ethertype permit mpls-unicast
ciscoasa(config)# access-group ETHER in interface inside
ciscoasa(config)# access-group ETHER in interface outside
The following example denies traffic with EtherType 0x1256 but allows all others on both interfaces. The
value is written in hexadecimal with the 0x prefix, and the ACL that is bound to the interfaces is the one
just defined (nonIP):
ciscoasa(config)# access-list nonIP ethertype deny 0x1256
ciscoasa(config)# access-list nonIP ethertype permit any
ciscoasa(config)# access-group nonIP in interface inside
ciscoasa(config)# access-group nonIP in interface outside
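Both families of rules in this section, the extended ACLs bound with access-group and the EtherType ACLs, are evaluated the same way: entries are checked in order, the first match decides, and an implicit deny at the end of every ACL drops whatever nothing permitted. The following Python is an added example, not part of the Cisco guide and not Cisco code: a toy parser and first-match evaluator for exactly the command forms used in the examples above, which also flags two slips worth catching before a configuration is pushed (an EtherType value written without the 0x prefix, and an access-group that names an ACL that was never defined). The sample configuration is constructed from the examples above; the interface name dmz, the misspelled binding OUTSIDE_ACCESS, the addresses 203.0.113.5 and 198.51.100.1, and the decision to read a bare EtherType value as hexadecimal are assumptions of this example, not documented ASA behaviour.

```python
import ipaddress
from dataclasses import dataclass, field

NAMED_ETHERTYPES = {"ipx": 0x8137, "mpls-unicast": 0x8847}   # IEEE-assigned values


@dataclass
class Ace:
    action: str                                    # 'permit' or 'deny'
    proto: str                                     # 'ip', 'tcp', 'udp' or 'ethertype'
    src: "ipaddress.IPv4Network | None" = None     # None means 'any'
    dst: "ipaddress.IPv4Network | None" = None
    dport: "int | None" = None                     # None means any port
    ethertype: "int | None" = None                 # None means any EtherType


@dataclass
class Config:
    objects: dict = field(default_factory=dict)    # 'object network' name -> network
    acls: dict = field(default_factory=dict)       # ACL name -> [Ace, ...] in entry order
    bindings: dict = field(default_factory=dict)   # (interface, direction, kind) -> ACL name
    warnings: list = field(default_factory=list)


def _endpoint(cfg, words):
    """Consume 'any' | 'host A.B.C.D' | 'object NAME' from the front of words."""
    kw = words.pop(0)
    if kw == "any":
        return None
    return ipaddress.ip_network(words.pop(0)) if kw == "host" else cfg.objects[words.pop(0)]


def parse(lines):
    """Build a Config from prompt-prefixed CLI lines; lines this toy does not model are skipped."""
    cfg, current_object = Config(), None
    for raw in lines:
        w = raw.split("#", 1)[-1].split()          # drop the 'ciscoasa(config...)#' prompt
        if w[:2] == ["object", "network"]:
            current_object = w[2]
        elif w[:1] == ["host"] and current_object:
            cfg.objects[current_object] = ipaddress.ip_network(w[1])
        elif w[:1] == ["access-list"] and w[2] == "extended":
            name, action, proto, rest = w[1], w[3], w[4], w[5:]
            src, dst = _endpoint(cfg, rest), _endpoint(cfg, rest)
            dport = (80 if rest[1] == "www" else int(rest[1])) if rest[:1] == ["eq"] else None
            cfg.acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif w[:1] == ["access-list"] and w[2] == "ethertype":
            name, action, val = w[1], w[3], w[4]
            if val != "any" and val not in NAMED_ETHERTYPES and not val.startswith("0x"):
                cfg.warnings.append(f"{name}: EtherType '{val}' lacks the 0x prefix")
            # Assumption of this toy: a bare value is still read as hex (the page's 'deny 1256').
            et = (None if val == "any"
                  else NAMED_ETHERTYPES[val] if val in NAMED_ETHERTYPES else int(val, 16))
            cfg.acls.setdefault(name, []).append(Ace(action, "ethertype", ethertype=et))
        elif w[:1] == ["access-group"]:
            name, direction, iface = w[1], w[2], w[4]
            if name not in cfg.acls:               # bound to an ACL that was never defined
                cfg.warnings.append(f"access-group {name} on {iface}: ACL is not defined")
                continue
            kind = "ethertype" if cfg.acls[name][0].proto == "ethertype" else "extended"
            cfg.bindings[(iface, direction, kind)] = name
    return cfg


def permits(cfg, iface, direction, src, dst, proto="ip", dport=None):
    """First match wins; None when no extended ACL is bound (security-level defaults apply)."""
    name = cfg.bindings.get((iface, direction, "extended"))
    if name is None:
        return None
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in cfg.acls[name]:
        if (ace.proto in ("ip", proto) and (ace.src is None or s in ace.src)
                and (ace.dst is None or d in ace.dst) and (ace.dport is None or ace.dport == dport)):
            return ace.action == "permit"
    return False                                   # implicit deny at the end of every ACL


def permits_ethertype(cfg, iface, value, direction="in"):
    """Same first-match rule for the EtherType ACL bound to iface/direction."""
    name = cfg.bindings.get((iface, direction, "ethertype"))
    if name is None:
        return None
    for ace in cfg.acls[name]:
        if ace.ethertype is None or ace.ethertype == value:
            return ace.action == "permit"
    return False


# Constructed sample: the page's examples, the page's 'deny 1256' slip left in, and one
# deliberately misspelled binding (OUTSIDE_ACCESS on dmz) so the checker has something to report.
SAMPLE = """\
ciscoasa(config)# object network inside-server1
ciscoasa(config-network-object)# host 10.1.1.1
ciscoasa(config)# access-list outside_access extended permit tcp any object inside-server1 eq www
ciscoasa(config)# access-group outside_access in interface outside
ciscoasa(config)# access-list OUT extended permit ip host 209.168.200.3 any
ciscoasa(config)# access-group OUT out interface outside
ciscoasa(config)# access-list ETHER ethertype permit 0x1234
ciscoasa(config)# access-list ETHER ethertype permit mpls-unicast
ciscoasa(config)# access-group ETHER in interface inside
ciscoasa(config)# access-list nonIP ethertype deny 1256
ciscoasa(config)# access-list nonIP ethertype permit any
ciscoasa(config)# access-group nonIP in interface outside
ciscoasa(config)# access-group OUTSIDE_ACCESS in interface dmz
"""
CFG = parse(SAMPLE.splitlines())
```

Running parse() on the sample yields two warnings (the bare 1256 and the undefined OUTSIDE_ACCESS binding). Evaluating flows against CFG shows the implicit deny at work: TCP/80 from an outside host to 10.1.1.1 is permitted by outside_access, TCP/22 to the same host is dropped, and an EtherType of 0x1256 is dropped on inside (no permit entry matches) and on outside (explicit deny) alike. The evaluator keys bindings by (interface, direction, kind) because an extended ACL and an EtherType ACL can both be bound inbound on the same interface, as the outside interface shows here.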
The following example uses object groups to permit specific traffic on the inside interface:
!
hostname (config)# object-group service myaclog