
34-8
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 34 Configuring Access Rules

Detailed Steps

Command:

access-group access_list {{in | out} interface interface_name [per-user-override | control-plane] | global}

Example:

hostname(config)# access-group acl_out in interface outside

Purpose:

Binds an access list to an interface or applies it globally.

Specify the extended, EtherType, or IPv6 access list name. You can configure one access-group command per access list type per interface. You cannot reference empty access lists or access lists that contain only a remark.

For an interface-specific rule:

The in keyword applies the access list to inbound traffic. The out keyword applies the access list to outbound traffic.

Specify the interface name.

The per-user-override keyword (for inbound access lists only) allows dynamic user access lists that are downloaded for user authorization to override the access list assigned to the interface. For example, if the interface access list denies all traffic from 10.0.0.0, but the dynamic access list permits all traffic from 10.0.0.0, then the dynamic access list overrides the interface access list for that user. See the “Configuring RADIUS Authorization” section on page 38-14 for more information about per-user access lists. See also the “Per-User Access List Guidelines” section on page 34-7.

The control-plane keyword specifies that the rule is for to-the-box traffic.

For a global rule, specify the global keyword to apply the access list to the inbound direction of all interfaces.

Examples

The following example shows how to use the access-group command:

hostname(config)# access-list acl_out permit tcp any host 209.165.201.3 eq 80
hostname(config)# access-group acl_out in interface outside

The access-list command lets any host reach the global address 209.165.201.3 on TCP port 80. The access-group command specifies that the access list applies to traffic entering the outside interface.

Monitoring Access Rules

To monitor network access, enter the following command:

Command:

show running-config access-group

Purpose:

Displays the current access list bound to the interfaces.
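The following is an added example and is not part of the Cisco guide: a small Python audit script that applies the binding rules stated above (an access-group may reference only an existing access list with at least one non-remark entry, one access list per type per interface and direction, per-user-override only for inbound lists) to the text of show running-config access-list and show running-config access-group. SAMPLE_CONFIG is constructed for illustration; the line formats follow the ASA's standard running-config lines, but the script, its function names and its findings text are this example's own, not Cisco's. It does not parse the separate ipv6 access-list form of older releases.

```python
"""Audit access-group bindings in Cisco ASA running-config text.

Added example, not Cisco's code. It parses the output of
'show running-config access-list' and 'show running-config access-group'
and reports bindings that the ASA rejects (nonexistent, empty or remark-only
access lists), bindings that collide (more than one access list of the same
type on one interface and direction), and access lists that are never bound.
SAMPLE_CONFIG is constructed for illustration; it is not real device output.
"""
import re
from collections import defaultdict

# access-list lines of the kinds an access-group can reference, plus remarks.
ACL_RE = re.compile(r"^access-list (\S+) (extended|ethertype|standard|webtype|remark)\b")

# access-group NAME {in|out} interface IF [per-user-override|control-plane]
# access-group NAME global
GROUP_RE = re.compile(
    r"^access-group (\S+) (?:(in|out) interface (\S+)"
    r"(?: (per-user-override|control-plane))?|(global))$"
)

# Constructed sample: acl_in is remark-only, acl_missing is never defined,
# acl_global is bound twice on dmz alongside acl_dmz, acl_old is never bound.
SAMPLE_CONFIG = """\
access-list acl_out extended permit tcp any host 209.165.201.3 eq www
access-list acl_out extended deny ip any any
access-list acl_in remark inside users (ACEs deliberately missing in this sample)
access-list acl_dmz extended permit tcp 10.1.2.0 255.255.255.0 any eq smtp
access-list acl_global extended permit icmp any any echo-reply
access-list acl_global extended deny ip any any
access-list acl_old extended permit ip any any
access-list ether_in ethertype permit ipx
access-group acl_out in interface outside
access-group acl_in in interface inside per-user-override
access-group acl_dmz in interface dmz
access-group acl_missing in interface dmz
access-group acl_global global
access-group acl_global in interface dmz
access-group ether_in in interface inside
"""


def parse_access_lists(text):
    """Map each access list name to its type and ACE count (remarks do not count)."""
    acls = {}
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, kind = m.groups()
        entry = acls.setdefault(name, {"type": None, "aces": 0})
        if kind != "remark":
            entry["type"] = kind
            entry["aces"] += 1
    return acls


def parse_access_groups(text):
    """One dict per access-group line; 'global' is recorded as inbound on pseudo-interface 'global'."""
    groups = []
    for line in text.splitlines():
        m = GROUP_RE.match(line.strip())
        if not m:
            continue
        name, direction, iface, option, is_global = m.groups()
        if is_global:
            groups.append({"acl": name, "direction": "in", "interface": "global", "option": None})
        else:
            groups.append({"acl": name, "direction": direction, "interface": iface, "option": option})
    return groups


def audit_bindings(acls, groups):
    """Findings the ASA would reject, or that indicate a configuration mistake."""
    findings = []
    bound = defaultdict(list)  # (interface, direction, acl type, control-plane?) -> acl names
    for g in groups:
        where = f"{g['acl']} {g['direction']} {g['interface']}"
        acl = acls.get(g["acl"])
        if acl is None:
            findings.append(f"{where}: access list does not exist")
            continue
        if acl["aces"] == 0:
            findings.append(f"{where}: access list is empty or remark-only, ASA rejects the binding")
            continue
        if g["option"] == "per-user-override" and g["direction"] != "in":
            findings.append(f"{where}: per-user-override is valid for inbound access lists only")
        # control-plane ACLs live beside the regular interface ACL, so they get their own slot.
        key = (g["interface"], g["direction"], acl["type"], g["option"] == "control-plane")
        if bound[key]:
            findings.append(
                f"{where}: {bound[key][0]} is already the {acl['type']} access list here; "
                "only one per type per interface and direction is allowed"
            )
        bound[key].append(g["acl"])
    return findings


def unbound_access_lists(acls, groups):
    """Access lists no access-group references: dead rules, or a binding someone forgot."""
    referenced = {g["acl"] for g in groups}
    return sorted(name for name in acls if name not in referenced)


def audit_config(text):
    """Return (problems, unbound) for the pasted running-config text."""
    acls = parse_access_lists(text)
    groups = parse_access_groups(text)
    return audit_bindings(acls, groups), unbound_access_lists(acls, groups)


if __name__ == "__main__":
    problems, unused = audit_config(SAMPLE_CONFIG)
    for p in problems:
        print("PROBLEM:", p)
    for name in unused:
        print("UNBOUND:", name)
```

Run it against a paste of the two show commands rather than on the device itself; the parser only needs the access-list and access-group lines, so surrounding running-config text is ignored. The duplicate-binding check keys on the access list's type, which is why an EtherType list and an extended list on the same interface and direction are not reported as a collision.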
