VPN Management Access (Extended); Controlling Network Access for Non-IP Traffic (EtherType) - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 series switch and Cisco 7600 series router firewall services
Chapter 10
Controlling Network Access with Access Control Lists
Access Control List Overview

NAT exemption statements also use ACLs, but you cannot specify the ports.

To use ACLs with NAT, perform the following tasks:

1. Add the ACL using the "Adding an Extended Access Control List" section on page 10-13. This ACL can contain only permit elements. Specify ports using the eq operator.

2. Use the ACL in the nat and static commands described in the following sections:
   • "Using Dynamic NAT and PAT" section on page 9-16
   • "Using Static NAT" section on page 9-26
   • "Using Static PAT" section on page 9-27
   • "Configuring Static Identity NAT" section on page 9-30
   • "Configuring NAT Exemption" section on page 9-31

VPN Management Access (Extended)

You can use an extended ACL in VPN commands. See the following tasks for each method.

The FWSM only supports IPSec tunnels that terminate on the FWSM and that allow access to the FWSM for management purposes; you cannot terminate a tunnel on the FWSM for traffic that goes through the FWSM to another network.

• To identify hosts allowed to connect to the FWSM over an IPSec site-to-site tunnel, perform the following tasks:
  a. Add the ACL using the "Adding an Extended Access Control List" section on page 10-13. Specify the FWSM address as the source address. Specify the remote address(es) for the destination address.
  b. Use the ACL in the crypto map match address command according to the "Configuring a Site-to-Site Tunnel" section on page 11-7.

• To identify the traffic that should be tunneled from a VPN client, perform the following tasks:
  a. Add the ACL using the "Adding an Extended Access Control List" section on page 10-13. Specify the FWSM address as the source address, and the VPN pool addresses as the destination addresses.
  b. Then use the ACL in the vpngroup split-tunnel command according to the "Configuring VPN Client Access" section on page 11-9.

Controlling Network Access for Non-IP Traffic (EtherType)

Transparent firewall mode only

You can configure an ACL that controls traffic based on its EtherType. The FWSM can control any EtherType identified by a 16-bit hexadecimal number. EtherType ACLs support Ethernet V2 frames. 802.3-formatted frames are not handled by the ACL because they use a length field as opposed to a type field. Bridge protocol data units (BPDUs), which are handled by the ACL, are the only exception: they are SNAP-encapsulated, and the FWSM is designed to specifically handle BPDUs.

To control non-IP traffic, perform the following task:

• Create and apply the ACL according to the "Adding an EtherType Access Control List" section on page 10-16.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01    10-5
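Worked example, added here and not taken from the configuration guide, that puts the three procedures on this page (ACLs for NAT, extended ACLs for VPN management access, and an EtherType ACL in transparent mode) into one FWSM configuration. Every address, ACL name, the crypto map, transform set, peer, address pool and vpngroup name are assumptions chosen for illustration; the ISAKMP policy and pre-shared key that a real tunnel also needs are omitted, and the hex EtherType value is only a placeholder.

```cisco
! ===== 1. ACLs for NAT (policy NAT via nat/static) =====
! Permit-only; ports only with eq. Addresses are assumed.
access-list NAT_WEB extended permit tcp 10.1.1.0 255.255.255.0 host 209.165.200.225 eq 80
access-list NAT_WEB extended permit tcp 10.1.1.0 255.255.255.0 host 209.165.200.225 eq 443
nat (inside) 1 access-list NAT_WEB
global (outside) 1 209.165.201.10
!
! Static policy NAT driven by an ACL (assumed mapped address).
access-list NAT_STATIC extended permit ip host 10.1.1.20 10.2.0.0 255.255.0.0
static (inside,outside) 209.165.200.226 access-list NAT_STATIC
!
! NAT exemption also uses an ACL, but ports cannot be specified here.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! NOT usable with nat/static: a deny element, or a port operator other than eq.
!   access-list NAT_BAD extended deny tcp 10.1.1.0 255.255.255.0 any eq 23
!   access-list NAT_BAD extended permit tcp 10.1.1.0 255.255.255.0 any range 8000 8080

! ===== 2. Extended ACLs for VPN management access =====
! Site-to-site: source = FWSM address (assumed 209.165.200.225 on outside),
! destination = the remote management network allowed to reach the FWSM.
access-list VPN_MGMT extended permit ip host 209.165.200.225 209.165.202.128 255.255.255.224
crypto ipsec transform-set MGMT_SET esp-3des esp-sha-hmac
crypto map MGMT_MAP 10 ipsec-isakmp
crypto map MGMT_MAP 10 match address VPN_MGMT
crypto map MGMT_MAP 10 set peer 209.165.202.129
crypto map MGMT_MAP 10 set transform-set MGMT_SET
crypto map MGMT_MAP interface outside
isakmp enable outside
! (isakmp policy and isakmp key for the peer are required but omitted here)
!
! VPN client: source = FWSM address, destination = the client address pool,
! so only management traffic to the FWSM itself is sent through the tunnel.
ip local pool VPN_POOL 192.168.100.1-192.168.100.50
access-list VPN_SPLIT extended permit ip host 209.165.200.225 192.168.100.0 255.255.255.0
vpngroup ADMINS address-pool VPN_POOL
vpngroup ADMINS split-tunnel VPN_SPLIT
vpngroup ADMINS password ********
! Tunnels terminate on the FWSM for management only; an ACL that tries to
! tunnel traffic through the FWSM to another network is not supported.

! ===== 3. EtherType ACL (transparent mode only) =====
! Keyword entries plus a raw 16-bit EtherType (placeholder value 0x88cc).
access-list NONIP ethertype permit bpdu
access-list NONIP ethertype permit ipx
access-list NONIP ethertype permit 0x88cc
access-group NONIP in interface inside
! Only Ethernet V2 (type-field) frames are matched. 802.3 frames carry a
! length field and are not evaluated by this ACL at all, so no entry here can
! permit or block them; SNAP-encapsulated BPDUs are the one exception and are
! handled by the bpdu keyword.
```

The NAT_BAD lines are left commented because they show the two forms the page says a NAT ACL cannot contain (a deny element and a non-eq port operator). The VPN ACLs are written with the FWSM's own address as the source on purpose: that is what restricts the tunnel to management of the module rather than transit through it.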
