Adding ipv6 access lists, Adding – Cisco ASA 5505 User Manual


19-5

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 19 Adding an IPv6 Access List

Configuring IPv6 Access Lists

Adding IPv6 Access Lists

You can add a regular IPv6 access list or add an IPv6 access list with TCP.

To add a regular IPv6 access list, enter the following command:

Command:

    ipv6 access-list id [line line-num] {deny | permit}
        {protocol | object-group protocol_obj_grp_id}
        {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | object-group network_obj_grp_id}
        [operator {port [port] | object-group service_obj_grp_id}]
        {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | object-group network_obj_grp_id}
        [{operator port [port] | object-group service_obj_grp_id}]
        [log [[level] [interval secs] | disable | default]]

Example:

    hostname(config)# ipv6 access-list acl_grp permit tcp any host 3001:1::203:A0FF:FED6:162D

Purpose:

Configures an IPv6 access list.

The any keyword is an abbreviation for the IPv6 prefix ::/0, indicating any
IPv6 address.

The deny keyword denies access if the conditions are matched.

The destination-ipv6-address argument identifies the IPv6 address of the
host receiving the traffic.

The destination-ipv6-prefix argument identifies the IPv6 network address
where the traffic is destined.

The disable option disables syslog messaging.

The host keyword indicates that the address refers to a specific host.

The id keyword specifies the number of an access list.

The line line-num option specifies the line number for inserting the access
rule into the list. By default, the ACE is added to the end of the access list.

The network_obj_grp_id argument specifies existing network object group
identification.

The object-group option specifies an object group.

The operator option compares the source or destination port of the traffic
with the specified port. For a list of permitted operands, see the
“Guidelines and Limitations” section on page 19-2.

The permit keyword permits access if the conditions are matched.

The port option specifies the port to which you permit or deny access. You
can specify the port either by a number in the range of 0 to 65535 or by a
literal name if the protocol is tcp or udp. For a list of permitted TCP or
UDP literal names, see the “Guidelines and Limitations” section on page 19-2.

The prefix-length argument indicates how many of the high-order,
contiguous bits of the address comprise the IPv6 prefix.

The protocol argument specifies the name or number of an IP protocol.

The protocol_obj_grp_id argument indicates the existing protocol object group
ID.

The service_obj_grp_id argument specifies the existing service object group
ID.

The source-ipv6-address argument specifies the address of the host sending
the traffic.

The source-ipv6-prefix argument specifies the IPv6 network address from which
the traffic originates.
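As an added illustration of the syntax above (not code from the Cisco guide), the following Python parses a constructed set of ACEs written in this form and evaluates a flow against them with the first-match semantics an ASA applies, honouring line insertion and the any, host and prefix/prefix-length address forms. It assumes only the eq, lt, gt and neq operators with numeric ports; SAMPLE_ACL, parse_acl and evaluate are names chosen here.

```python
import ipaddress
import re

# Constructed sample ACL (documentation addresses, not real hosts); eq/lt/gt/neq with numeric ports only.
SAMPLE_ACL = """
ipv6 access-list acl_grp permit tcp any host 3001:1::203:A0FF:FED6:162D eq 443
ipv6 access-list acl_grp deny tcp 2001:db8:bad::/48 any log
ipv6 access-list acl_grp permit udp 2001:db8::/32 any eq 53
ipv6 access-list acl_grp line 1 deny ip host 2001:db8::1 any
"""

ACE_RE = re.compile(r"^ipv6 access-list (?P<id>\S+)(?: line (?P<line>\d+))? (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>any|host \S+|\S+/\d+)(?: (?P<sop>eq|lt|gt|neq) (?P<sport>\d+))? "
    r"(?P<dst>any|host \S+|\S+/\d+)(?: (?P<dop>eq|lt|gt|neq) (?P<dport>\d+))?(?P<log> log\b.*)?$")

def _net(tok):
    if tok == "any":                 # any = ::/0, every IPv6 address
        return ipaddress.IPv6Network("::/0")
    if tok.startswith("host "):      # host X = the single address X/128
        return ipaddress.IPv6Network(tok[5:] + "/128")
    return ipaddress.IPv6Network(tok, strict=False)  # prefix/prefix-length

def _port_ok(op, want, port):
    if op is None:                   # no operator: any port matches
        return True
    return {"eq": port == int(want), "neq": port != int(want),
            "lt": port < int(want), "gt": port > int(want)}[op]

def parse_acl(text):
    acls = {}
    for raw in text.strip().splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            raise ValueError("unparsed ACE: " + raw)
        ace = {"action": m["action"], "proto": m["proto"], "log": m["log"] is not None,
               "src": _net(m["src"]), "sop": m["sop"], "sport": m["sport"],
               "dst": _net(m["dst"]), "dop": m["dop"], "dport": m["dport"]}
        entries = acls.setdefault(m["id"], [])
        pos = int(m["line"]) - 1 if m["line"] else len(entries)  # 'line N' inserts, default appends
        entries.insert(pos, ace)
    return acls

def evaluate(entries, proto, src, sport, dst, dport):
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for i, ace in enumerate(entries):   # first matching ACE decides
        if (ace["proto"] in ("ip", proto) and s in ace["src"] and d in ace["dst"]
                and _port_ok(ace["sop"], ace["sport"], sport)
                and _port_ok(ace["dop"], ace["dport"], dport)):
            return ace["action"], i
    return "deny", None              # implicit deny at the end of every ACL
```

Running evaluate over the sample shows that the deny for 2001:db8:bad::/48 is shadowed by the earlier permit for port 443 to the host, which is the kind of ordering mistake a review of line positions is meant to catch.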
