3-4
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 3 Access Control Lists
About ACLs
interface to a low security interface). However, if you explicitly deny all traffic with an EtherType ACE,
then IP and ARP traffic is denied; only physical protocol traffic, such as auto-negotiation, is still
allowed.
IP Addresses Used for Extended ACLs When You Use NAT
When you use NAT or PAT, you are translating addresses or ports, typically mapping between internal
and external addresses. If you need to create an extended ACL that applies to addresses or ports that have
been translated, you need to determine whether to use the real (untranslated) addresses or ports or the
mapped ones. The requirement differs by feature.
Using the real address and port means that if the NAT configuration changes, you do not need to change
the ACLs.
Features That Use Real IP Addresses
The following commands and features use real IP addresses in the ACLs, even if the address as seen on
an interface is the mapped address:
• Access Rules (extended ACLs referenced by the access-group command)
• Service Policy Rules (Modular Policy Framework match access-list command)
• Botnet Traffic Filter traffic classification (dynamic-filter enable classify-list command)
• AAA Rules (aaa ... match commands)
• WCCP (wccp redirect-list group-list command)
For example, if you configure NAT for an inside server, 10.1.1.5, so that it has a publicly routable IP
address on the outside, 209.165.201.5, then the access rule to allow the outside traffic to access the inside
server needs to reference the server’s real IP address (10.1.1.5), and not the mapped address
(209.165.201.5).
hostname(config)# object network server1
hostname(config-network-object)# host 10.1.1.5
hostname(config-network-object)# nat (inside,outside) static 209.165.201.5
hostname(config)# access-list OUTSIDE extended permit tcp any host 10.1.1.5 eq www
hostname(config)# access-group OUTSIDE in interface outside
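Because access rules are evaluated against real addresses, an ACE in an access-group ACL that names the mapped address silently fails to match the translated traffic. The following audit script is an added example, not part of the guide or of Cisco software: it parses a constructed configuration (the server1 object above plus a hypothetical server2 whose rule was written against the mapped address) and flags access rules that reference a mapped static-NAT address instead of the real one.

```python
import re
from typing import Dict, List, Set

# Constructed sample configuration (not from the guide). server2 and its ACE
# are hypothetical: the ACE uses the mapped address, which an access rule
# never sees, so inbound SSH to 209.165.201.6 would not be permitted by it.
SAMPLE_CONFIG = """
object network server1
 host 10.1.1.5
 nat (inside,outside) static 209.165.201.5
object network server2
 host 10.1.1.6
 nat (inside,outside) static 209.165.201.6
access-list OUTSIDE extended permit tcp any host 10.1.1.5 eq www
access-list OUTSIDE extended permit tcp any host 209.165.201.6 eq ssh
access-group OUTSIDE in interface outside
"""

def static_nat_map(config: str) -> Dict[str, str]:
    """Return {mapped_ip: real_ip} for each 'object network' block that has
    a 'host' address and a static 'nat (real_if,mapped_if)' statement."""
    mapping, real = {}, None
    for line in config.splitlines():
        if re.match(r"^object network \S+", line):
            real = None                      # new object block starts
        elif (m := re.match(r"^\s+host (\S+)", line)):
            real = m.group(1)                # real (untranslated) address
        elif (m := re.match(r"^\s+nat \(\S+\) static (\S+)", line)) and real:
            mapping[m.group(1)] = real       # mapped -> real
    return mapping

def access_group_acls(config: str) -> Set[str]:
    """Names of ACLs applied as access rules via 'access-group'."""
    return set(re.findall(r"^access-group (\S+) ", config, re.M))

def find_mapped_addresses_in_access_rules(config: str) -> List[str]:
    """Return ACEs of access-group ACLs that reference a mapped address.
    Such ACEs do not match the translated traffic they were written for,
    because access rules are matched against real addresses."""
    nat, applied, findings = static_nat_map(config), access_group_acls(config), []
    for line in config.splitlines():
        m = re.match(r"^access-list (\S+) extended ", line)
        if not m or m.group(1) not in applied:
            continue
        for mapped, real in nat.items():
            if re.search(rf"\bhost {re.escape(mapped)}\b", line):
                findings.append(f"{line.strip()}  # mapped {mapped}; real address is {real}")
    return findings

if __name__ == "__main__":
    for finding in find_mapped_addresses_in_access_rules(SAMPLE_CONFIG):
        print(finding)
```

Running it reports only the server2 ACE; the server1 rule, written against 10.1.1.5 as the guide shows, passes.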
Features That Use Mapped IP Addresses
The following features use ACLs, but these ACLs use the mapped values as seen on an interface:
• IPsec ACLs
• capture command ACLs
• Per-user ACLs
• Routing protocol ACLs
• All other feature ACLs.
Time-Based ACEs
You can apply time range objects to extended and webtype ACEs so that the rules are active for specific
time periods only. These types of rules let you differentiate between activity that is acceptable at certain
times of the day but that is unacceptable at other times. For example, you could provide additional
