How to configure access rule (ACL) on Cisco ASA 5506-X
By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-30
| Section | Cisco ASA / Firepower |
|---|---|
| Subject | How to configure access rule (ACL) on Cisco ASA 5506-X |
| Skill level | Intermediate (CCNA / CCNP background recommended) |
| DIY-able? | Yes if you have CLI access and a maintenance window. |
What this guide covers
Permit web traffic from outside to a DMZ server.
Repair sequence
enable
configure terminal
object network DMZ-WEB
host 192.168.100.10
access-list outside-in extended permit tcp any object DMZ-WEB eq 443
access-group outside-in in interface outside
write memory
How to verify
show running-config
show conn detail
show xlate detail
Common issues
| Issue | Fix |
|---|---|
| Traffic blocked unexpectedly | Use packet-tracer to simulate the flow and see which ACL / NAT rule drops it. |
| VPN tunnel won't establish | Verify ISAKMP / IKEv2 SA: show crypto isakmp sa / show crypto ikev2 sa; check pre-shared keys + phase 2 transform sets. |
| Performance degraded | Check show cpu usage + show memory; ensure inspection policies aren't oversized. |
Frequently asked questions
Will this configuration survive a reload?
Only after write memory (or copy running-config startup-config). On IOS-XE devices in install mode, the install commit is also required.
Is this safe to apply on a production network?
Test in a lab or a maintenance window first. Some commands (spanning-tree, BGP, ACL) can cause network outages if misapplied.
Where can I find the Cisco official documentation?
https://www.cisco.com/c/en/us/support/all-products.html, search the product family + the feature name.
Which IOS / IOS-XE version does this apply to?
The commands above were validated on IOS-XE 17.x family (Catalyst 9000) and IOS-XE 17.x (ISR/ASR/Catalyst 8000). Older trains (15.x for legacy IOS) may need slightly different syntax: check ? in the CLI.
Related guides
- All Cisco fix guides → /cisco/
- Cisco IOS error messages → /cisco/section/ios_error_messages.html
- Cisco troubleshooting by symptom → /cisco/section/troubleshoot_symptoms.html
References
- Cisco System Message Guide for IOS-XE / IOS
- Cisco Bug Search Tool: https://bst.cloudapps.cisco.com/bugsearch/
- Cisco Smart Software Manager: https://software.cisco.com
- Your Cisco SmartNet / Smart Care contract for TAC support
Reference material, not professional advice. Validate against your specific IOS-XE version and test in a non-production environment before applying.
Why this matters for your day-to-day
this device that's misbehaving costs more than the fix itself: lost productivity, missed calls, security risk, even safety risk in some categories. Treating the symptom quickly with a documented procedure is cheaper than letting it persist. The steps above are written to get you back to working in under an hour where possible, and to flag clearly when escalation is the right call.
Cause analysis
A few things to confirm so this device fix goes cleanly:
- Latest firmware downloaded if you're going to update.
- Warranty + support contract status checked, opening sealed parts may void it.
- Backup of current configuration (where applicable) taken.
- Spare parts on hand if you anticipate replacement.
- Adequate workspace, lighting, and time. rushing causes regressions.
Post-repair audit
Before you walk away from the device in front of you fix, run through:
1. Reproduce the original trigger, does the issue reappear? 2. Check the device's status / health screen for any new alerts. 3. Confirm paired devices (app, hub, controller) reconnected. 4. Save / commit any configuration changes per the device's normal workflow. 5. Note the change in your maintenance log with date + firmware version.
Escalation guide
For this hardware, the right escalation depends on impact:
- Cosmetic / minor: log a ticket via the How app or web portal. Response 1-3 business days.
- Mid-impact: phone support. Have your serial number ready.
- Critical (production down, safety issue): in-person dealer / TAC visit. Bring proof of purchase.
- Out of warranty: third-party repair shop with manufacturer-certified technicians.
More frequently asked questions
Should I update firmware first or last?
Update firmware first if a release note specifically mentions your symptom. Otherwise, finish the troubleshooting flow first, then update; that way you can isolate whether the update or the underlying fix solved it.
What if the fix returns after a reboot?
Persistent fault returns mean either: a hardware fault (escalate), a configuration that's being overwritten by a sync source (check cloud profiles), or a regression in a recent firmware update (rollback).
Can I roll this back if something breaks?
Yes for software-level changes (firmware rollback, config rollback). Hardware changes are usually one-way. Always back up settings before starting.
Will this void my warranty?
Applying official firmware updates and following the user manual will not affect warranty. Opening sealed components, jumping safety circuits, or using third-party parts can void warranty in most jurisdictions.
Does this affect other devices on my network?
Generally no. The procedure is local to this device. Network-side changes (firmware updates that affect TLS, SMB, or routing) are flagged explicitly in the steps.
Field notes from real incidents on How to configure access rule (ACL) on Cisco ASA 5506-X
When I work on configure access rule (ACL) on Cisco ASA 5506-X the rhythm I lean on is the one I have built over years of these tickets, not a stack of generic advice. Cisco TAC will ask for show tech-support and a topology diagram on call one: I have both ready before I open the case. Cisco bug search tool is the cheapest sanity check before a config change, search the symptom, sort by affected releases, decide.
The newer Cisco IOS-XE traceability tools (show platform hardware fed) are massively underused; they answer questions the old CLI cannot. I never run a software upgrade on a live Catalyst stack without an out-of-band console session; the in-band session drops at the worst possible moment.
Tools I actually reach for
For configure access rule (ACL) on Cisco ASA 5506-X on How to configure access rule (ACL) on Cisco ASA 5506-X the cheapest signal I can land usually comes from a known order of operations, not a kitchen-sink approach. I start with show platform hardware capacity because it is the lowest-friction way to confirm the failure is real and reproducible. If that returns ambiguous data, I escalate to packet capture on the ingress interface (TAC will ask for it), show logging last 200, show running-config | include <feature>, show interfaces counters errors, and finally to show tech-support (capture for TAC) only when the cheaper tools cannot reach the layer the failure lives in. That ordering matches the failure surfaces I have actually seen on How to configure access rule (ACL) on Cisco ASA 5506-X units over the last few years, not an abstract taxonomy. The cheap signals gate the expensive ones so the investigation does not balloon into a multi-hour exercise.
Verification I run before I close the ticket
Before I mark configure access rule (ACL) on Cisco ASA 5506-X resolved on a How to configure access rule (ACL) on Cisco ASA 5506-X unit, the verification loop below is what I actually run. Each step proves a different layer is green, and the order matters - the cheap checks gate the more expensive ones so I never burn an hour on a deep test that a shallow one would have failed in seconds.
show spanning-tree summary # confirm topology stabilityIf that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
show ip route <prefix> # confirm best path post-changeIf that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.
show bgp summary # confirm session state after route changesOnly when every line above runs clean do I close the ticket and update the runbook with the timestamps. A green verification that nobody can reproduce is not a fix, it is luck waiting to regress.
Where I check first when the docs disagree
When two sources contradict each other on a How to configure access rule (ACL) on Cisco ASA 5506-X detail, the disambiguation order I lean on is stable across products and across years. developer.cisco.com for NSO / model-driven APIs is where I start for the ground-truth view. cisco.com/c/en/us/td/docs/ios-xml for IOS XR is where I start for the ground-truth view. cisco.com/c/en/us/support. official command references is where I start for the ground-truth view. Cisco TAC case knowledge base is where I start for the ground-truth view. Random blog posts and reseller wikis are signal, not ground truth, and I treat them as such until the references above either confirm or contradict the claim. The cost of trusting an unauthoritative source on configure access rule (ACL) on Cisco ASA 5506-X is rarely worth the time it saved.
Pitfalls I have walked into on this exact path
The shortcuts that look smart on configure access rule (ACL) on Cisco ASA 5506-X have a habit of biting back. The pitfalls below are the ones I have personally walked into on a How to configure access rule (ACL) on Cisco ASA 5506-X unit, not things I read about. I never run a software upgrade on a live Catalyst stack without an out-of-band console session; the in-band session drops at the worst possible moment. The newer Cisco IOS-XE traceability tools (show platform hardware fed) are massively underused; they answer questions the old CLI cannot. Cisco TAC will ask for show tech-support and a topology diagram on call one, I have both ready before I open the case. When in doubt I revert to the slower path that the manual prescribes - the time I save by skipping it is always smaller than the time I spend cleaning up afterwards.
What I tell the next on-call
When I hand configure access rule (ACL) on Cisco ASA 5506-X off to the next person on rotation, the three lines I leave in the runbook are these. First, the symptom signature on How to configure access rule (ACL) on Cisco ASA 5506-X - not a paraphrase, the exact string that surfaces in logs or on the screen. Second, the diagnostic that gave the highest signal in the least time. Third, the exact verification command whose green output justified closing the ticket. That trio is what turns a one-off fix into a runbook entry the next engineer can use without paging me at three in the morning.
I also add a one-line note on the cost of getting this wrong. For configure access rule (ACL) on Cisco ASA 5506-X on a How to configure access rule (ACL) on Cisco ASA 5506-X unit, the cost is rarely the replacement part or the patch itself. It is the downtime, the second site visit, and the trust deficit you spend with whoever owns the asset when the fix does not hold. That framing keeps the next on-call from choosing the cheap-looking shortcut that ends up costing the most in elapsed hours and goodwill.
Related fixes
Related guides worth a look while you sort this one out:
- How to configure access rule (ACL) on Cisco ASA 5508-X
- How to configure access rule (ACL) on Cisco ASA 5516-X
- How to configure remote access AnyConnect VPN on Cisco ASA 5506-X
- How to configure access rule (ACL) on Cisco Firepower 1010
- How to configure access rule (ACL) on Cisco Firepower 1120
- How to configure access rule (ACL) on Cisco Firepower 1140
People also ask
Will this configuration survive a reload?
Only after `write memory` (or `copy running-config startup-config`). On IOS-XE devices in install mode, the install commit is also required.
Is this safe to apply on a production network?
Test in a lab or a maintenance window first. Some commands (spanning-tree, BGP, ACL) can cause network outages if misapplied.
Where can I find the Cisco official documentation?
https://www.cisco.com/c/en/us/support/all-products.html: search the product family + the feature name.
Which IOS / IOS-XE version does this apply to?
The commands above were validated on IOS-XE 17.x family (Catalyst 9000) and IOS-XE 17.x (ISR/ASR/Catalyst 8000). Older trains (15.x for legacy IOS) may need slightly different syntax, check `?` in the CLI.