Cisco Systems ASA 5580 User Manual

Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 6      Configuring Access Rules
  Information About Access Rules
Figure 6-1 Outbound ACL
See the following commands for this example:
ciscoasa(config)# access-list OUTSIDE extended permit tcp host 10.1.1.14 host 209.165.200.225 eq www
ciscoasa(config)# access-list OUTSIDE extended permit tcp host 10.1.2.67 host 209.165.200.225 eq www
ciscoasa(config)# access-list OUTSIDE extended permit tcp host 10.1.3.34 host 209.165.200.225 eq www
ciscoasa(config)# access-group OUTSIDE out interface outside
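An added example, not part of the Cisco guide: a Python sketch that parses the three ACEs above and evaluates flows with first-match semantics and the implicit deny that Figure 6-1 labels "Deny all others". It goes slightly beyond the example by also accepting `any` and network/mask address forms; the function names, the small port table and the supported syntax subset are assumptions of this sketch.

```python
import ipaddress

# The three ACEs from the example above (addresses as written on the page).
CONFIG = """\
access-list OUTSIDE extended permit tcp host 10.1.1.14 host 209.165.200.225 eq www
access-list OUTSIDE extended permit tcp host 10.1.2.67 host 209.165.200.225 eq www
access-list OUTSIDE extended permit tcp host 10.1.3.34 host 209.165.200.225 eq www
"""

PORTS = {"www": 80, "https": 443}  # assumed subset of named ports


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'NET MASK'."""
    head = tokens.pop(0)
    if head in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")


def parse_acl(text, name):
    """Return the ordered ACEs of one extended ACL (subset of the syntax)."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if t[:3] != ["access-list", name, "extended"]:
            continue
        action, proto, rest = t[3], t[4], t[5:]
        src, dst = _take_addr(rest), _take_addr(rest)
        port = None  # None means the ACE does not restrict the port
        if rest[:1] == ["eq"]:
            port = PORTS.get(rest[1]) or int(rest[1])
        aces.append((action, proto, src, dst, port))
    return aces


def evaluate(aces, proto, src, dst, dport):
    """First matching ACE wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, a_proto, a_src, a_dst, a_port in aces:
        if a_proto in (proto, "ip") and s in a_src and d in a_dst \
                and a_port in (None, dport):
            return action
    return "deny"


OUTSIDE = parse_acl(CONFIG, "OUTSIDE")
```

Running candidate flows through `evaluate(OUTSIDE, ...)` before a change is a quick way to confirm that only the three listed hosts reach the web server on port 80 and that everything else hits the implicit deny.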
Transactional-Commit Model
The ASA rule engine supports a new feature for rule updates called the Transactional-Commit Model.
When this feature is enabled, a rule update is applied after the rule compilation is completed, without
affecting rule-matching performance. With the legacy model, rule updates take effect immediately,
but rule matching slows down during the rule compilation period. This feature is useful for preventing
potential packet drops while a large set of rules compiles under high traffic conditions. It is also
useful for reducing the rule compilation time under two specific configuration patterns:
- Preventing packet drops while compiling large rules during high traffic rates.
- Reducing rule compilation time while updating a large number of similar rules.
Guidelines and Limitations
Context Mode Guidelines
Supported in single and multiple context mode.
[Figure 6-1, Outbound ACL, diagram labels: ASA with Inside, HR, Eng and Outside networks; Web Server: 209.165.200.225.
Static NAT pairs: 10.1.1.14 and 209.165.201.4; 10.1.2.67 and 209.165.201.6; 10.1.3.34 and 209.165.201.8.
ACL Outbound: permit HTTP from 10.1.1.14, 10.1.2.67, and 10.1.3.34 to 209.165.200.225; deny all others.
ACL Inbound (shown three times): permit from any to any.]