access-group

Binds the access list to an interface. (Configuration mode.)

Syntax Description

acl_ID            The name associated with a given access list.
in interface      Filter on inbound packets at the given interface.
interface_name    The name of the network interface.

Usage Guidelines

The access-group command binds an access list to an interface. The access list is applied to traffic inbound to an interface. If you enter the permit option in an access-list command statement, the firewall continues to process the packet. If you enter the deny option in an access-list command statement, the firewall discards the packet and generates the following syslog message.

    %PIX-4-106019: IP packet from source_addr to destination_addr, protocol protocol received from interface interface_name deny by access-group acl_ID

Always use the access-list command with the access-group command.

Use of the access-group command overrides the conduit and outbound command statements for the specified interface_name.

The no access-group command unbinds the acl_ID from the interface interface_name.

The show access-group command displays the current access list bound to the interfaces.

The clear access-group command removes all entries from an access list indexed by acl_ID. If acl_ID is not specified, all access-list command statements are removed from the configuration.

Examples

The following example shows use of the access-group command:

    static (inside,outside) 209.165.201.3 10.1.1.3

The static command statement provides a global address of 209.165.201.3 for the web server at 10.1.1.3. The access-list command statement lets any host access the global address using port 80. The access-group command specifies that the access-list command statement applies to traffic entering the outside interface.
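
The deny syslog message quoted under Usage Guidelines can be parsed to see which access-group binding is dropping traffic and from which sources. The following Python sketch is an added example, not part of the original command reference; the regular expression follows the message template above, while the timestamp and hostname prefix, the ACL names, and the sample addresses are constructed assumptions.

```python
import re
from collections import Counter

# Pattern built from the message template quoted on this page:
#   %PIX-4-106019: IP packet from source_addr to destination_addr, protocol
#   protocol received from interface interface_name deny by access-group acl_ID
DENY_106019 = re.compile(
    r"%PIX-4-106019: IP packet from (?P<src>\S+) to (?P<dst>[^,\s]+), "
    r"protocol (?P<proto>\S+) received from interface (?P<ifc>\S+) "
    r"deny by access-group (?P<acl>\S+)"
)

def parse_deny(line):
    """Return the fields of a 106019 deny message, or None for other lines."""
    m = DENY_106019.search(line)  # search() tolerates any syslog prefix
    return m.groupdict() if m else None

def summarize(lines):
    """Count denies per (acl_ID, interface) binding and per source address."""
    per_binding, per_source = Counter(), Counter()
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            continue  # not an access-group deny message
        per_binding[(rec["acl"], rec["ifc"])] += 1
        per_source[rec["src"]] += 1
    return per_binding, per_source

# Constructed sample lines; prefix format and ACL names are assumptions.
SAMPLE = [
    "Mar 01 10:00:01 fw1 %PIX-4-106019: IP packet from 192.0.2.10 to 209.165.201.3, "
    "protocol 6 received from interface outside deny by access-group acl_out",
    "Mar 01 10:00:02 fw1 %PIX-4-106019: IP packet from 192.0.2.10 to 209.165.201.3, "
    "protocol 17 received from interface outside deny by access-group acl_out",
    "Mar 01 10:00:03 fw1 %PIX-4-106019: IP packet from 198.51.100.7 to 209.165.201.3, "
    "protocol 6 received from interface outside deny by access-group acl_out",
    "Mar 01 10:00:04 fw1 unrelated message (constructed)",
    "Mar 01 10:00:05 fw1 %PIX-4-106019: IP packet from 10.1.1.50 to 192.0.2.99, "
    "protocol 1 received from interface inside deny by access-group acl_in",
]

if __name__ == "__main__":
    bindings, sources = summarize(SAMPLE)
    for (acl, ifc), n in bindings.most_common():
        print(f"{n:3d} denies by access-group {acl} on interface {ifc}")
    for src, n in sources.most_common():
        print(f"{n:3d} denied packets from {src}")
```

A binding with an unexpectedly high deny count is a cue to compare the access list against the output of show access-group for that interface.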