Adding a Standard Access List
This chapter describes how to configure a standard access list and includes the following sections:
Information About Standard Access Lists
Standard access lists identify the destination IP addresses of OSPF routes and can be used in a route map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control traffic.
Licensing Requirements for Standard Access Lists
The following table shows the licensing requirements for this feature:
Guidelines and Limitations
This section includes the guidelines and limitations for this feature:
- Context Mode Guidelines
- Firewall Mode Guidelines
- IPv6 Guidelines
- Additional Guidelines and Limitations
Context Mode Guidelines
Supported in single context mode only.
Firewall Mode Guidelines
Supported in routed and transparent firewall modes.
Additional Guidelines and Limitations
The following guidelines and limitations apply for standard Access Lists:
- Standard ACLs identify the destination IP addresses (not source addresses) of OSPF routes and can be used in a route map for OSPF redistribution. Standard ACLs cannot be applied to interfaces to control traffic.
- To add additional ACEs at the end of the access list, enter another access-list command, specifying the same access list name.
- When used with the access-group command, the deny keyword does not allow a packet to traverse the ASA. By default, the ASA denies all packets on the originating interface unless you specifically permit access.
- When specifying a source, local, or destination address, use the following guidelines:
– Use a 32-bit quantity in four-part, dotted-decimal format.
– Use the keyword any as an abbreviation for an address and mask of 0.0.0.0 0.0.0.0.
– Use the host ip_address option as an abbreviation for a mask of 255.255.255.255.
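The address forms above can be checked offline before a list is referenced in a route map. The following Python is an added example, not Cisco's code: it parses standard ACEs written with the three address forms listed above, rejects IOS-style wildcard masks, and evaluates a route destination against the ACEs in order. The list name OSPF_REDIST, the function names, and the deny result when no ACE matches are assumptions.

```python
import ipaddress

def _mask_to_prefix(mask):
    """Convert a dotted-decimal network mask to a prefix length."""
    inv = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    if inv & (inv + 1):  # mask is not left-contiguous ones, e.g. a wildcard mask
        raise ValueError(f"not a network mask: {mask}")
    return 32 - inv.bit_length()

def parse_standard_ace(line):
    """Parse 'access-list NAME standard {permit|deny} ADDR' -> (name, action, network)."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list" or tok[2] != "standard":
        raise ValueError(f"not a standard ACE: {line!r}")
    name, action, addr = tok[1], tok[3], tok[4:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action!r}")
    if addr == ["any"]:                          # any = 0.0.0.0 0.0.0.0
        prefix, base = 0, "0.0.0.0"
    elif len(addr) == 2 and addr[0] == "host":   # host X = X 255.255.255.255
        prefix, base = 32, addr[1]
    elif len(addr) == 2:                         # four-part address plus mask
        prefix, base = _mask_to_prefix(addr[1]), addr[0]
    else:
        raise ValueError(f"unsupported address form: {addr!r}")
    return name, action, ipaddress.ip_network(f"{base}/{prefix}", strict=False)

def load(config):
    """Parse every non-blank line, preserving ACE order."""
    return [parse_standard_ace(l) for l in config.splitlines() if l.strip()]

def evaluate(aces, destination):
    """Return the action of the first ACE matching the route destination.
    Assumption: no match means deny (implicit deny at the end of the list)."""
    dest = ipaddress.ip_address(destination)
    for _name, action, net in aces:
        if dest in net:
            return action
    return "deny"

# Constructed sample; the list name OSPF_REDIST is hypothetical.
SAMPLE = """\
access-list OSPF_REDIST standard deny host 10.1.10.123
access-list OSPF_REDIST standard permit 10.1.0.0 255.255.0.0
"""

if __name__ == "__main__":
    aces = load(SAMPLE)
    for d in ("10.1.10.123", "10.1.20.0", "192.168.1.0"):
        print(d, evaluate(aces, d))
```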
Default Settings
Table 17-1 lists the default settings for standard Access List parameters.
Adding Standard Access Lists
This section includes the following topics:
- Task Flow for Configuring Extended Access Lists
- Adding a Standard Access List
- Adding Remarks to Access Lists
Task Flow for Configuring Extended Access Lists
Use the following guidelines to create and implement an access list:
- Create an access list by adding an ACE and applying an access list name. See the “Adding Standard Access Lists” section.
- Apply the access list to an interface. See the “Configuring Access Rules” section for more information.
Adding a Standard Access List
To add an access list to identify the destination IP addresses of OSPF routes, which can be used in a route map for OSPF redistribution, enter the following command:
Adding Remarks to Access Lists
You can include remarks about entries in any access list, including extended, EtherType, IPv6, standard, and Webtype access lists. The remarks make the access list easier to understand.
To add a remark after the last access-list command you entered, enter the following command:
Example
You can add a remark before each ACE, and the remarks appear in the access lists in these locations. Entering a dash (-) at the beginning of a remark helps to set it apart from an ACE.
What to Do Next
Apply the access list to an interface. See the “Configuring Access Rules” section for more information.
Monitoring Access Lists
To monitor access lists, perform one of the following tasks:
Configuration Examples for Standard Access Lists
The following example shows how to deny IP traffic through the ASA:
hostname(config)# access-list 77 standard deny
The following example shows how to permit IP traffic through the ASA if conditions are matched:
hostname(config)# access-list 77 standard permit
The following example shows how to specify a destination address:
hostname(config)# access-list 77 standard permit host 10.1.10.123
Feature History for Standard Access Lists
Table 17-2 lists each feature change and the platform release in which it was implemented.