Access List Types; Access Control Entry Order - Cisco PIX 500 Series Configuration Manual
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Access List Overview
Access List Types
Table 16-1
Table 16-1
Access List Types and Common Uses
Access List Use
Control network access for IP traffic
(routed and transparent mode)
Identify traffic for AAA rules
Control network access for IP traffic for a
given user
Identify addresses for NAT (policy NAT
and NAT exemption)
Establish VPN access
Identify traffic in a traffic class map for
Modular Policy Framework
For transparent firewall mode, control
network access for non-IP traffic
Identify OSPF route redistribution
Filtering for WebVPN
Access Control Entry Order
An access list is made up of one or more Access Control Entries. Depending on the access list type, you
can specify the source and destination addresses, the protocol, the ports (for TCP or UDP), the ICMP
type (for ICMP), or the EtherType.
Each ACE that you enter for a given access list name is appended to the end of the access list.
The order of ACEs is important. When the security appliance decides whether to forward or drop a
packet, the security appliance tests the packet against each ACE in the order in which the entries are
listed. After a match is found, no more ACEs are checked. For example, if you create an ACE at the
beginning of an access list that explicitly permits all traffic, no further statements are ever checked.
Cisco Security Appliance Command Line Configuration Guide
16-2
lists the types of access lists and some common uses for them.
Access List Type
Extended
Extended
Extended,
downloaded from a
AAA server per user
Extended
Extended
Extended
EtherType
EtherType
Standard
Webtype
Chapter 16
Description
The security appliance does not allow any traffic from a
lower security interface to a higher security interface
unless it is explicitly permitted by an extended access list.
To access the security appliance interface for
Note
management access, you do not also need an
access list allowing the host IP address. You only
need to configure management access according
to
Chapter 40, "Managing System Access."
AAA rules use access lists to identify traffic.
You can configure the RADIUS server to download a
dynamic access list to be applied to the user, or the server
can send the name of an access list that you already
configured on the security appliance.
Policy NAT lets you identify local traffic for address
translation by specifying the source and destination
addresses in an extended access list.
You can use an extended access list in VPN commands.
Access lists can be used to identify traffic in a class map,
which is used for features that support Modular Policy
Framework. Features that support Modular Policy
Framework include TCP and general connection settings,
and inspection.
You can configure an access list that controls traffic based
on its EtherType.
Standard access lists include only the destination address.
You can use a standard access list to control the
redistribution of OSPF routes.
You can configure a Webtype access list to filter URLs.
Identifying Traffic with Access Lists
OL-12172-03
Advertisement
Table of Contents
Troubleshooting
