Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 15 Adding an Extended Access List

Configuration Examples for Extended Access Lists

Configuration Examples for Extended Access Lists (No Objects)

The following access list allows all hosts (on the interface to which you apply the access list) to go
through the ASA:

hostname(config)# access-list ACL_IN extended permit ip any any

The following sample access list prevents hosts on 192.168.1.0/24 from accessing the 209.165.201.0/27
network. All other addresses are permitted.

hostname(config)# access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224

hostname(config)# access-list ACL_IN extended permit ip any any

If you want to restrict access to selected hosts only, then enter a limited permit ACE. By default, all other
traffic is denied unless explicitly permitted.

hostname(config)# access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224

The following access list restricts all hosts (on the interface to which you apply the access list) from
accessing a website at address 209.165.201.29. All other traffic is allowed.

hostname(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www

hostname(config)# access-list ACL_IN extended permit ip any any

The following access list that uses object groups restricts several hosts on the inside network from
accessing several web servers. All other traffic is allowed.

hostname(config-network)# access-list ACL_IN extended deny tcp object-group denied object-group web eq www

hostname(config)# access-list ACL_IN extended permit ip any any

hostname(config)# access-group ACL_IN in interface inside

The following example temporarily disables an access list that permits traffic from one group of network
objects (A) to another group of network objects (B):

hostname(config)# access-list 104 permit ip object-group A object-group B inactive
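The examples above all rely on two rules the text states but never shows in action: ACEs are evaluated top to bottom and the first match wins, and an access list ends with an implicit deny, so a list with only a limited permit ACE blocks everything else. The following first-match evaluator is an added illustration, not Cisco code and not a full ACL parser; it understands only the subset of extended-ACE syntax used on this page (permit/deny, ip/tcp/udp, any/host/network-mask, eq PORT, inactive). The ACL texts, packet addresses, and the ACL named 104 in the usage note are constructed for the demonstration.

```python
"""First-match evaluator for the ASA extended-ACE subset used on this page (added example)."""
from ipaddress import ip_address, ip_network

# Well-known port names the examples use; 'www' is the ASA name for TCP/80.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}

# Constructed ACL assembled from the ACEs shown on the page (the /24 -> /27 deny,
# the web-server deny, and the trailing 'permit ip any any').
ACL_IN = """
access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www
access-list ACL_IN extended permit ip any any
"""

# Constructed ACL holding only the page's 'limited permit ACE' and no 'permit ip any any'.
ACL_LIMITED = """
access-list ACL_LIMITED extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
"""


def _take_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A MASK' (ASA takes real subnet masks, not wildcard masks)."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq PORT' operator; lt/gt/range operators are out of scope for this example."""
    if tokens and tokens[0] == "eq":
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        return port, tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse 'access-list NAME [line N] [extended] ACTION PROTO SRC [eq P] DST [eq P] [inactive]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an ACE: {line}")
    tokens = tokens[2:]                      # drop 'access-list NAME'
    if tokens[0] == "line":
        tokens = tokens[2:]                  # drop 'line N'
    if tokens[0] == "extended":
        tokens = tokens[1:]
    action, proto, tokens = tokens[0], tokens[1], tokens[2:]
    src, tokens = _take_addr(tokens)
    src_port, tokens = _take_port(tokens)
    dst, tokens = _take_addr(tokens)
    dst_port, tokens = _take_port(tokens)
    return {"action": action, "proto": proto, "src": src, "src_port": src_port,
            "dst": dst, "dst_port": dst_port, "inactive": "inactive" in tokens}


def parse_acl(text):
    """Parse every non-blank line of an ACL text into an ordered list of ACEs."""
    return [parse_ace(line) for line in text.strip().splitlines() if line.strip()]


def evaluate(aces, proto, src, dst, src_port=None, dst_port=None):
    """Return (action, index) of the first matching active ACE, or ('deny', None) for the implicit deny."""
    src, dst = ip_address(src), ip_address(dst)
    for i, ace in enumerate(aces):
        if ace["inactive"]:
            continue                          # 'inactive' keeps the ACE in config but skips it here
        if ace["proto"] not in ("ip", proto):
            continue                          # 'ip' matches every protocol; 'tcp' matches only tcp
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["src_port"] is not None and src_port != ace["src_port"]:
            continue
        if ace["dst_port"] is not None and dst_port != ace["dst_port"]:
            continue
        return ace["action"], i
    return "deny", None                       # no ACE matched: the implicit deny at the end of the list


if __name__ == "__main__":
    acl = parse_acl(ACL_IN)
    print(evaluate(acl, "tcp", "192.168.1.5", "209.165.201.10", dst_port=443))  # ('deny', 0)
    print(evaluate(acl, "tcp", "10.1.1.4", "209.165.201.29", dst_port=80))      # ('deny', 1)
    print(evaluate(acl, "tcp", "10.1.1.4", "209.165.201.29", dst_port=443))     # ('permit', 2)
    print(evaluate(parse_acl(ACL_LIMITED), "tcp", "10.1.1.4", "209.165.201.29", dst_port=80))  # ('deny', None)
```

Swapping the order of the deny and the permit any any in ACL_IN makes every packet hit the permit first, which is the mistake the page's ordering (deny first, permit last) avoids; and an ACE marked inactive, as in the access list 104 example, is skipped entirely, so a packet it would have denied falls through to the next ACE or to the implicit deny.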

To implement a time-based access list, use the time-range command to define specific times of the day
and week. Then use the access-list extended command to bind the time range to an access list. The
following example binds an access list named “Sales” to a time range named “New_York_Minute.”

hostname(config)# access-list Sales line 1 extended deny tcp host 209.165.200.225 host 209.165.201.1 time-range New_York_Minute

Configuration Examples for Extended Access Lists (Using Objects)

The following normal access list that does not use object groups restricts several hosts on the inside
network from accessing several web servers. All other traffic is allowed.

hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.29 eq www

hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.29 eq www

hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.29 eq www

hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.16 eq www
