Information About Access Lists, Access List Types – Chapter 14, Cisco ASA 5505 User Manual

Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 14, page 14-1

Information About Access Lists

Cisco ASAs provide basic traffic filtering capabilities with access lists, which control access in your
network by preventing certain traffic from entering or exiting. This chapter describes access lists and
shows how to add them to your network configuration.

Access lists are made up of one or more access control entries (ACEs). An ACE is a single entry in an
access list that specifies a permit or deny rule (to forward or drop the packet) and is applied to a protocol,
to a source and destination IP address or network, and, optionally, to the source and destination ports.

Access lists can be configured for all routed and network protocols (IP, AppleTalk, and so on) to filter
the packets of those protocols as the packets pass through a router.

Access lists are used in a variety of features. If your feature uses Modular Policy Framework, you can
use an access list to identify traffic within a traffic class map. For more information on Modular Policy
Framework, see Chapter 32, “Configuring a Service Policy Using the Modular Policy Framework.”

This chapter includes the following sections:

Access List Types, page 14-1

Access Control Entry Order, page 14-2

Access Control Implicit Deny, page 14-3

IP Addresses Used for Access Lists When You Use NAT, page 14-3

Where to Go Next, page 14-3

Access List Types

The ASA uses five types of access control lists:

Standard access lists—Identify the destination IP addresses of OSPF routes and can be used in a
route map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control
traffic. For more information, see Chapter 17, “Adding a Standard Access List.”

Extended access lists—Use one or more access control entries (ACEs) in which you can specify the
line number at which to insert the ACE, the source and destination addresses, and, depending upon the ACE
type, the protocol, the ports (for TCP or UDP), or the ICMP type (for ICMP). For more
information, see Chapter 15, “Adding an Extended Access List.”

EtherType access lists—Use one or more ACEs that specify an EtherType. For more information,
see Chapter 16, “Adding an EtherType Access List.”

Webtype access lists—Used in a configuration that supports filtering for clientless SSL VPN. For
more information, see Chapter 18, “Adding a Webtype Access List.”
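The following ASA CLI fragment is an added example, not taken from the Cisco guide, that puts the concepts above into configuration form: one access list of each of the four types listed, an extended ACE that carries a protocol, source, destination and port, an ACE inserted by line number, and the access-group command that binds an extended list to an interface. The list names, interface names, route-map name and the RFC 5737 / RFC 1918 addresses are constructed for illustration; the EtherType list applies only when the ASA runs in transparent mode.

```text
! Extended access list: each ACE names a protocol, source, destination and,
! for TCP/UDP, a port. ACEs are evaluated top to bottom, first match wins.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit udp 198.51.100.0 255.255.255.0 host 203.0.113.53 eq 53
access-list OUTSIDE_IN extended deny ip any any log

! Insert an ICMP ACE at line 2 so it is evaluated before the explicit deny
access-list OUTSIDE_IN line 2 extended permit icmp any host 203.0.113.10 echo

! Bind the extended list to the outside interface for inbound traffic
access-group OUTSIDE_IN in interface outside

! Standard access list: destination networks only; cannot be applied to an
! interface, but can be matched in a route map for OSPF redistribution
access-list OSPF_DIST standard permit 10.10.0.0 255.255.0.0
route-map STATIC_TO_OSPF permit 10
 match ip address OSPF_DIST

! EtherType access list (transparent mode): filters non-IP frames by EtherType
access-list L2_FILTER ethertype permit bpdu
access-list L2_FILTER ethertype deny any
access-group L2_FILTER in interface inside

! Webtype access list: URL filtering for clientless SSL VPN sessions
access-list VPN_WEB webtype permit url https://intranet.example.com/*
access-list VPN_WEB webtype deny url any
```

After entering the extended list, show access-list OUTSIDE_IN displays the resulting line numbers and per-ACE hit counts, which is the quickest way to confirm that the inserted ICMP entry landed at line 2 and that traffic is matching the ACE you intended rather than falling through to the final deny.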
