Default settings, Configuring extended access lists – Cisco ASA 5505 User Manual

15-2

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 15 Adding an Extended Access List

Firewall Mode Guidelines

Supported only in routed and transparent firewall modes.

IPv6 Guidelines

IPv6 is supported.

Additional Guidelines and Limitations

The following guidelines and limitations apply to creating an extended access list:

- Enter the access list name in uppercase letters so that the name is easy to see in the configuration. You might want to name the access list for the interface (for example, INSIDE), or you can name it for the purpose for which it is created (for example, NO_NAT or VPN).

- Typically, you specify the ip keyword for the protocol, but other protocols are accepted. For a list of protocol names, see the “Protocols and Applications” section on page B-11.

- You can specify the source and destination ports only for the TCP or UDP protocols. For a list of permitted keywords and well-known port assignments, see the “TCP and UDP Ports” section on page B-11. DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP.

- When you specify a network mask, the method is different from the Cisco IOS software access-list command. The ASA uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255). An IOS wildcard pasted unchanged into an ASA ACE is therefore read as a netmask, not as wildcard bits; invert it when migrating IOS access lists.
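The two guidelines above that trip people up most often when porting access lists (the netmask-versus-wildcard difference, and the services that need one ACE for TCP plus one for UDP) are easy to get wrong by hand. The following helper, an added example and not code from the Cisco guide, converts IOS wildcard masks to ASA netmasks (refusing non-contiguous wildcards, which IOS allows but a netmask cannot express) and expands a single IOS-style rule into the ASA ACE lines it requires. It assumes the ASA ACE text form "access-list NAME extended {permit|deny} PROTO SRC MASK DST MASK [eq PORT]" with "host" and "any" shorthands, and it assigns IANA well-known port numbers to the service names; the service-to-port table and the function names are this example's own.

```python
"""Translate IOS-style access-list entries into Cisco ASA extended ACEs.

Added example, not from the Cisco guide. Assumptions: ASA ACE text takes the
form 'access-list NAME extended {permit|deny} PROTO SRC MASK DST MASK [eq PORT]';
service ports below are the IANA well-known assignments.
"""
import ipaddress

# Services the guide says need one ACE for TCP and one for UDP
# (port numbers are an assumption of this example, taken from IANA).
TCP_AND_UDP = {"dns": 53, "discard": 9, "echo": 7, "ident": 113,
               "ntp": 123, "sunrpc": 111, "talk": 517}
# TACACS+ is TCP only, on port 49.
TCP_ONLY = {"tacacs": 49}

ALL_ONES = 0xFFFFFFFF


def wildcard_to_netmask(wildcard: str) -> str:
    """Invert an IOS wildcard (0.0.0.255) into an ASA netmask (255.255.255.0).

    IOS accepts non-contiguous wildcards such as 0.255.0.255; no single netmask
    can express those, so they are rejected instead of being silently mangled.
    """
    host_bits = int(ipaddress.IPv4Address(wildcard))
    # Contiguous low-order ones means host_bits + 1 is a power of two.
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} has no netmask form")
    return str(ipaddress.IPv4Address(host_bits ^ ALL_ONES))


def netmask_to_wildcard(netmask: str) -> str:
    """The reverse direction: an ASA netmask back to the IOS wildcard form."""
    host_bits = int(ipaddress.IPv4Address(netmask)) ^ ALL_ONES
    if host_bits & (host_bits + 1):
        raise ValueError(f"{netmask} is not a contiguous netmask")
    return str(ipaddress.IPv4Address(host_bits))


def asa_address(addr: str, netmask: str) -> str:
    """Render an address/netmask pair the way an ASA ACE expects it."""
    if netmask == "0.0.0.0":
        return "any"
    if netmask == "255.255.255.255":
        return f"host {addr}"
    # Normalise to the network address so '10.1.1.5 255.255.255.0' becomes 10.1.1.0.
    net = ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)
    return f"{net.network_address} {net.netmask}"


def ios_to_asa_aces(name, action, proto, src, src_wc, dst, dst_wc, port=None):
    """Expand one IOS-style rule (wildcard masks) into the ASA ACE line(s) it needs.

    proto is 'ip', 'tcp', 'udp', 'icmp', or a service name from the tables above.
    A TCP+UDP service yields two ACEs; a port is only accepted with TCP or UDP.
    """
    src_text = asa_address(src, wildcard_to_netmask(src_wc))
    dst_text = asa_address(dst, wildcard_to_netmask(dst_wc))
    if proto in TCP_AND_UDP:
        plan = [("tcp", TCP_AND_UDP[proto]), ("udp", TCP_AND_UDP[proto])]
    elif proto in TCP_ONLY:
        plan = [("tcp", TCP_ONLY[proto])]
    elif proto in ("tcp", "udp"):
        plan = [(proto, port)]
    else:
        if port is not None:
            raise ValueError("source/destination ports are valid only for TCP or UDP")
        plan = [(proto, None)]
    aces = []
    for p, prt in plan:
        ace = f"access-list {name} extended {action} {p} {src_text} {dst_text}"
        if prt is not None:
            ace += f" eq {prt}"
        aces.append(ace)
    return aces


if __name__ == "__main__":
    # Constructed sample: allow the inside /24 to query any DNS server.
    for line in ios_to_asa_aces("INSIDE", "permit", "dns",
                                "10.1.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"):
        print(line)
```

Run it as a script to see the two DNS ACEs the guide calls for; feed `ios_to_asa_aces` a non-contiguous wildcard and it raises rather than emitting an ACE that the ASA would interpret as a different (and almost certainly wrong) netmask.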

Default Settings

Table 15-1 lists the default settings for extended access list parameters.

Table 15-1   Default Extended Access List Parameters

Parameters     Default
ACE logging    ACE logging generates system log message 106023 for denied packets. A deny ACE must be present to log denied packets.
log            When the log keyword is specified, the default level for system log message 106100 is 6 (informational), and the default interval is 300 seconds.

Configuring Extended Access Lists

This section shows how to add and delete an access control entry and access list, and it includes the following topics:

- Adding an Extended Access List, page 15-3
- Adding Remarks to Access Lists, page 15-5
