The access control list (ACL) is the very heart of every ASA device. The ASA provides an administrator with a full-featured set of access control methods, allowing access between network segments to be tightly controlled.
You can configure interface access rules in the CLI by using the access-list command. ACLs are made up of one or more access control entries (ACEs), each represented by one line in the ACL, that specify a permit or deny rule, or a remark.
ciscoasa(config)# access-list ?
configure mode commands/options:
WORD < 241 char Access list identifier
alert-interval Specify the alert interval for generating syslog message 106001 which alerts that the system has reached a deny flow maximum. If not specified, the default value is 300 sec
deny-flow-max Specify the maximum number of concurrent deny flows that can be created. If not specified, the default value is 4096
ciscoasa(config)# access-list INSIDE-IN ?
configure mode commands/options:
deny Specify packets to reject
extended Configure access policy for IP traffic through the system
line Use this to specify line number at which ACE should be entered
permit Specify packets to forward
remark Specify a comment (remark) for the access-list after this keyword
rename rename an existing access-list
standard Use this to configure policy having destination host or network only
webtype Use this to configure WebVPN related policy
ciscoasa(config)# access-list INSIDE-IN line 1 ?
configure mode commands/options:
deny Specify packets to reject
extended Configure access policy for IP traffic through the system
permit Specify packets to forward
remark Specify a comment (remark) for the access-list after this keyword
ciscoasa(config)# access-list INSIDE-IN line 1 extended ?
configure mode commands/options:
deny Specify packets to reject
permit Specify packets to forward
ciscoasa(config)# access-list INSIDE-IN line 1 extended permit ?
configure mode commands/options:
<0-255> Enter protocol number (0 - 255)
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
object Specify a service object after this keyword
object-group Specify a service or protocol object-group after this keyword
ospf
pcp
pim
pptp
snp
tcp
udp
ciscoasa(config)# access-list INSIDE-IN line 1 extended permit tcp ?
configure mode commands/options:
A.B.C.D Source IP address
any Abbreviation for source address and mask of 0.0.0.0 0.0.0.0
host Use this keyword to configure source host
interface Use interface address as source address
object Keyword to enter source object name
object-group Network object-group for source address
object-group-user User object-group for source address
user User for source address [<domain_nickname>\]<user_name>
user-group User-group for source address [<domain_nickname>\]<user_group_name>
ciscoasa(config)# access-list INSIDE-IN line 1 extended permit tcp 10.0.0.0 ?
configure mode commands/options:
A.B.C.D Netmask for source IP address
ciscoasa(config)# access-list INSIDE-IN line 1 extended permit tcp 10.0.0.0 255.255.255.0 ?
configure mode commands/options:
A.B.C.D Destination IP address
any Abbreviation for destination address and mask of 0.0.0.0 0.0.0.0
eq Port equal to operator
gt Port greater than operator
host Use this keyword to configure destination host
interface Use interface address as destination address
lt Port less than operator
neq Port not equal to operator
object Keyword to enter destination object name
object-group Optional service object-group name for source port or network object-group for destination address
range Port range operator
ciscoasa(config)# access-list INSIDE-IN line 1 extended permit tcp 10.0.0.0 255.255.255.0 any ?
configure mode commands/options:
eq Port equal to operator
gt Port greater than operator
inactive Keyword for disabling an ACL element
log Keyword for enabling log option on this ACL element
lt Port less than operator
neq Port not equal to operator
object-group Optional service object-group for destination port
range Port range operator
time-range Keyword for attaching time-range option to this ACL element
<cr>
ciscoasa(config)# access-list INSIDE-IN line 1 extended permit tcp 10.0.0.0 255.255.255.0 any eq ?
configure mode commands/options:
<1-65535> Enter port number (1 - 65535)
aol
bgp
chargen
cifs
citrix-ica
cmd
ctiqbe
daytime
discard
domain
echo
exec
finger
ftp
ftp-data
gopher
h323
hostname
http
https
ident
imap4
ciscoasa(config)# access-list INSIDE-IN line 1 extended permit tcp 10.0.0.0 255.255.255.0 any eq http
ciscoasa(config)# access-list OUTSIDE-IN line 2 remark EXPLICIT DENY ALL RULE
ciscoasa(config)# access-list OUTSIDE-IN line 3 extended deny ip any any ?
configure mode commands/options:
inactive Keyword for disabling an ACL element
log Keyword for enabling log option on this ACL element
time-range Keyword for attaching time-range option to this ACL element
<cr>
ciscoasa(config)# access-list OUTSIDE-IN line 3 extended deny ip any any log ?
configure mode commands/options:
<0-7> Enter syslog level (0 - 7)
Default Keyword for restoring default log behavior
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
disable Disable log option on this ACL element, (no log at all)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
inactive Keyword for disabling an ACL element
informational Informational messages (severity=6)
interval Configure log interval, default value is 300 sec
notifications Normal but significant conditions (severity=5)
time-range Keyword for attaching time-range option to this ACL element
warnings Warning conditions (severity=4)
<cr>
ciscoasa(config)# access-list OUTSIDE-IN line 3 extended deny ip any any log 4 ?
configure mode commands/options:
inactive Keyword for disabling an ACL element
interval Configure log interval, default value is 300 sec
time-range Keyword for attaching time-range option to this ACL element
<cr>
ciscoasa(config)# access-list OUTSIDE-IN line 3 extended deny ip any any log 4 interval 300
ciscoasa(config)# object network TIME.NIST.GOV
ciscoasa(config-network-object)# host 192.43.244.18
ciscoasa(config-network-object)# exit
ciscoasa(config)# access-list GLOBAL-ACL line 1 extended permit udp any object TIME.NIST.GOV eq ntp log ?
configure mode commands/options:
<0-7> Enter syslog level (0 - 7)
Default Keyword for restoring default log behavior
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
disable Disable log option on this ACL element, (no log at all)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
inactive Keyword for disabling an ACL element
informational Informational messages (severity=6)
interval Configure log interval, default value is 300 sec
notifications Normal but significant conditions (severity=5)
time-range Keyword for attaching time-range option to this ACL element
warnings Warning conditions (severity=4)
<cr>
ciscoasa(config)# access-list GLOBAL-ACL line 1 extended permit udp any object TIME.NIST.GOV eq ntp log disable
ciscoasa(config)# access-group ?
configure mode commands/options:
WORD Specify the name of an access-list
ciscoasa(config)# access-group INSIDE-IN ?
configure mode commands/options:
global For traffic on all interfaces
in For input traffic
out For output traffic
<cr>
ciscoasa(config)# access-group INSIDE-IN in ?
configure mode commands/options:
interface Keyword to specify an interface
ciscoasa(config)# access-group INSIDE-IN in interface ?
configure mode commands/options:
Current available interface(s):
dmz Name of interface GigabitEthernet1
inside Name of interface GigabitEthernet0
outside Name of interface GigabitEthernet2
ciscoasa(config)# access-group INSIDE-IN in interface inside
ciscoasa(config)# access-group OUTSIDE-IN in interface outside
ciscoasa(config)# access-group GLOBAL-ACL global
The ASDM Access Rules table contains several features that enable you to quickly and efficiently manage your rules.
From the menu, you can choose to add, insert, edit or delete an access rule. You can also easily copy (clone) a rule, for instance, when you add another web server: just clone the existing web server rule, and then edit it to change the destination IP address.
You can change the order of rules, using either the cut/copy and paste options or the move up/down arrows. Remember that access rules are evaluated in order and positioning of the rule is critical to its functionality.
You can also clear the hit counter for a specific rule (right-click menu) or for all access rules (button on the toolbar), which is commonly required during troubleshooting. You can also show the log messages generated by a chosen rule (right-click menu) or by all access rules (button on the toolbar). Additionally, from the right-click menu, you can export the contents of the Access Rules table to a comma-separated value (CSV) file.
You can edit a rule in place (rather than opening the Edit Access Rule dialog box) and alter its contents directly within the Access Rules window. Rules can also be temporarily disabled; if you want to permanently remove a rule, simply delete it.
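To make the first-match, position-sensitive evaluation described above concrete, here is an added Python example (not Cisco code or output from the page) that parses the extended ACEs entered in the CLI session, including the remark, the netmask and object forms of addresses, and the log / log disable keywords, and evaluates a flow against an ACL in order, falling through to the ASA's implicit deny. The ACL lines and the TIME.NIST.GOV object are the page's own; the PORTS table is a small subset of the ASA service keywords, and the flows checked against it are constructed test values.

```python
import ipaddress
import re

# The page's own network object, and a few of the ASA service keywords for 'eq'.
OBJECTS = {"TIME.NIST.GOV": ipaddress.ip_network("192.43.244.18/32")}
PORTS = {"http": 80, "https": 443, "ntp": 123, "domain": 53}
# The page's own ACL lines; the remark is kept to show it carries no policy.
INSIDE_IN = ["access-list INSIDE-IN line 1 extended permit tcp 10.0.0.0 255.255.255.0 any eq http"]
OUTSIDE_IN = ["access-list OUTSIDE-IN line 2 remark EXPLICIT DENY ALL RULE",
              "access-list OUTSIDE-IN line 3 extended deny ip any any log 4 interval 300"]

def _addr(tokens):
    """Consume one address spec: any | host A.B.C.D | object NAME | A.B.C.D MASK."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if t == "object":
        return OBJECTS[tokens.pop(0)]
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse_ace(line):
    """Parse one extended ACE into a dict; None for remarks and other non-policy lines."""
    m = re.match(r"access-list (\S+) (?:line \d+ )?extended (permit|deny) (\S+) (.*)", line)
    if not m:
        return None
    acl, action, proto, rest = m.groups()
    tokens = rest.split()
    src, dst = _addr(tokens), _addr(tokens)
    port = None
    if tokens[:1] == ["eq"]:
        port = PORTS.get(tokens[1]) or int(tokens[1])
        del tokens[:2]
    # 'log' (with or without a level) enables per-ACE syslog; 'log disable' silences it.
    log = "log" in tokens and tokens[tokens.index("log") + 1:][:1] != ["disable"]
    return {"acl": acl, "action": action, "proto": proto, "src": src,
            "dst": dst, "port": port, "log": log}

def evaluate(lines, proto, src, dst, dport=None):
    """First match wins; returns (action, matching index) or ("deny", None) for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, line in enumerate(lines):
        ace = parse_ace(line)
        if ace is None or ace["proto"] not in ("ip", proto):
            continue
        if s in ace["src"] and d in ace["dst"] and ace["port"] in (None, dport):
            return ace["action"], i
    return "deny", None   # every ASA ACL ends with an implicit deny
```

Feeding the same permit ACE after a deny-all line returns the deny, which is exactly why rule position matters when you move entries with the ASDM up/down arrows.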