
Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 34 Configuring Access Rules

Configuration Examples for Permitting or Denying Network Access

This section includes typical configuration examples for permitting or denying network access.

The following example shows the commands required to permit access from the outside to an inside web server with the IP address 209.165.201.12. (This is the server's real address, not the address that is visible on the outside interface after NAT.)

hostname(config)# access-list ACL_OUT extended permit tcp any host 209.165.201.12 eq www

hostname(config)# access-group ACL_OUT in interface outside

The following example allows all hosts to communicate between the inside and hr networks, but allows only specific hosts to reach the outside network:

hostname(config)# access-list ANY extended permit ip any any

hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any

hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any

hostname(config)# access-group ANY in interface inside

hostname(config)# access-group ANY in interface hr

hostname(config)# access-group OUT out interface outside

The following EtherType access list permits common non-IP EtherTypes originating on the inside interface:

hostname(config)# access-list ETHER ethertype permit ipx

hostname(config)# access-list ETHER ethertype permit mpls-unicast

hostname(config)# access-group ETHER in interface inside

The following example allows some EtherTypes through the ASA but, because of the implicit deny at the end of every access list, denies all others:

hostname(config)# access-list ETHER ethertype permit 0x1234

hostname(config)# access-list ETHER ethertype permit mpls-unicast

hostname(config)# access-group ETHER in interface inside

hostname(config)# access-group ETHER in interface outside

The following example denies traffic with EtherType 0x1256 but allows all others on both interfaces (the access-group commands must reference the access list that was actually defined, here nonIP):

hostname(config)# access-list nonIP ethertype deny 0x1256

hostname(config)# access-list nonIP ethertype permit any

hostname(config)# access-group nonIP in interface inside

hostname(config)# access-group nonIP in interface outside

The following example uses a service object group to permit specific traffic on the inside interface:

hostname(config)# object-group service myaclog

hostname(config-service)# service-object tcp source range 2000 3000

hostname(config-service)# service-object tcp source range 3000 3010 destinatio$

hostname(config-service)# service-object ipsec

hostname(config-service)# service-object udp destination range 1002 1006

hostname(config-service)# service-object icmp echo

hostname(config)# access-list outsideacl extended permit object-group myaclog interface inside any
