Support User Manuals

Cisco Systems ASA 5555-X Network Router User Manual

Open as PDF

of 712

6-9

Cisco ASA Series Firewall CLI Configuration Guide

Chapter 6 Configuring Access Rules

Guidelines and Limitations

Detailed Steps

Examples

The following example shows how to use the access-group command:

hostname(config)# access-list outside_access permit tcp any host 209.165.201.3 eq 80

hostname(config)# access-group outside_access interface outside

The access-list command lets any host access the global address using port 80. The access-group

command specifies that the access-list command applies to traffic entering the outside interface.

Command Purpose

access-group access_list

{{in | out} interface interface_name

[per-user-override | control-plane] |

global}

Example:

ciscoasa(config)# access-group

outside_access in interface outside

Binds an ACL to an interface or applies it globally.

Specify the extended or EtherType ACL name. You can configure one

access-group command per ACL type per interface. You cannot reference

empty ACLs or ACLs that contain only a remark.

For an interface-specific rule:

• The in keyword applies the ACL to inbound traffic. The out keyword

applies the ACL to the outbound traffic.

• Specify the interface name.

• The per-user-override keyword (for inbound ACLs only) allows

dynamic user ACLs that are downloaded for user authorization to

override the ACL assigned to the interface. For example, if the

interface ACL denies all traffic from 10.0.0.0, but the dynamic ACL

permits all traffic from 10.0.0.0, then the dynamic ACL overrides the

interface ACL for that user.

By default, VPN remote access traffic is not matched against interface

ACLs. However, if you use the no sysopt connection permit-vpn

command to turn off this bypass, the behavior depends on whether

there is a vpn-filter applied in the group policy and whether you set

the per-user-override option:

–

No per-user-override, no vpn-filter—Traffic is matched against

the interface ACL.

–

No per-user-override, vpn-filter—Traffic is matched first

against the interface ACL, then against the VPN filter.

–

per-user-override, vpn-filter—Traffic is matched against the

VPN filter only.

See Per-User ACL Guidelines, page 6-8.

• The control-plane keyword specifies if the rule is for to-the-box

traffic.

For a global rule, specify the global keyword to apply the ACL to the

inbound direction of all interfaces.

previous next