Cisco ASA Series Cli Configuration Manual page 556
Software version 9.0 for the services module
Hide thumbs
Also See for ASA Series:
- Configuration manual (429 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Access Control Entry Order
Table 1-1
Table 1-1
Access List Types and Common Uses
Access List Use
Control network access for IP traffic
(routed and transparent mode)
Identify traffic for AAA rules
Control network access for IP traffic for a
given user
Identify addresses for NAT (policy NAT
and NAT exemption)
Establish VPN access
Identify traffic in a traffic class map for
Modular Policy Framework
For transparent firewall mode, control
network access for non-IP traffic
Identify OSPF route redistribution
Filtering for WebVPN
Control network access for IPV6
networks
Access Control Entry Order
An access list is made up of one or more access control entries (ACEs). Each ACE that you enter for a
given access list name is appended to the end of the access list. Depending on the access list type, you
can specify the source and destination addresses, the protocol, the ports (for TCP or UDP), the ICMP
type (for ICMP), or the EtherType.
The order of ACEs is important. When the ASA decides whether to forward or to drop a packet, the ASA
tests the packet against each ACE in the order in which the entries are listed. After a match is found, no
more ACEs are checked. For example, if you create an ACE at the beginning of an access list that
explicitly permits all traffic, no further statements are checked, and the packet is forwarded.
Cisco ASA Series CLI Configuration Guide
1-2
lists the types of access lists and some common uses for them.
Access List Type
Extended
Extended
Extended,
downloaded from a
AAA server per user
Extended
Extended
Extended
EtherType
EtherType
Standard
Webtype
IPv6
Chapter 1
Description
The ASA does not allow any traffic from a lower security
interface to a higher security interface unless it is
explicitly permitted by an extended access list.
Note
To access the ASA interface for management
access, you do not also need an access list
allowing the host IP address. You only need to
configure management access according to
Chapter 1, "Configuring Management Access."
AAA rules use access lists to identify traffic.
You can configure the RADIUS server to download a
dynamic access list to be applied to the user, or the server
can send the name of an access list that you already
configured on the ASA.
Policy NAT lets you identify local traffic for address
translation by specifying the source and destination
addresses in an extended access list.
You can use an extended access list in VPN commands.
Access lists can be used to identify traffic in a class map,
which is used for features that support Modular Policy
Framework. Features that support Modular Policy
Framework include TCP and general connection settings,
and inspection.
You can configure an access list that controls traffic based
on its EtherType.
Standard access lists include only the destination address.
You can use a standard access list to control the
redistribution of OSPF routes.
You can configure a Webtype access list to filter URLs.
You can add and apply access lists to control traffic in
IPv6 networks.
Information About Access Lists
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
