Cisco ASA 5506-X Configuration Manual, page 40

Chapter 3    Access Rules
Controlling Network Access

For transparent mode, the following types of traffic are allowed through by default:

- Unicast IPv4 and IPv6 traffic from a higher security interface to a lower security interface.
- ARPs in both directions. (You can control ARP traffic using ARP inspection, but you cannot control it by access rule.)
- BPDUs in both directions.

For other traffic, you need to use either an extended access rule (IPv4 and IPv6) or an EtherType rule (non-IP).

Implicit Deny

ACLs have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot pass. For example, if you want to allow all users to access a network through the ASA except for particular addresses, then you need to deny the particular addresses first and then permit all others.

For EtherType ACLs, the implicit deny at the end of the ACL does not affect IP traffic or ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the ACL does not then block any IP traffic that you previously allowed with an extended ACL (or implicitly allowed from a high security interface to a low security interface). However, if you explicitly deny all traffic with an EtherType rule, then IP and ARP traffic is denied; only physical protocol traffic, such as auto-negotiation, is still allowed.

If you configure a global access rule, then the implicit deny comes after the global rule is processed. See the following order of operations:

1. Interface access rule.
2. Global access rule.
3. Implicit deny.

NAT and Access Rules

Access rules always use the real IP addresses when determining an access rule match, even if you configure NAT. For example, if you configure NAT for an inside server, 10.1.1.5, so that it has a publicly routable IP address on the outside, 209.165.201.5, then the access rule to allow the outside traffic to access the inside server needs to reference the server's real IP address (10.1.1.5), and not the mapped address (209.165.201.5).

Extended Access Rules

This section covers the following topics about extended access rules:

- Extended Access Rules for Returning Traffic, page 3-5
- Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules, page 3-5
- Management Access Rules, page 3-5

Cisco ASA Series Firewall CLI Configuration Guide
3-4
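The three behaviours described on this page (the implicit deny, the interface-then-global evaluation order, and real-IP matching under NAT) in one constructed ASA configuration. This is an added example, not configuration from the guide: the interface names (inside, outside), the object and ACL names, and the host 10.1.1.50 are assumptions, while 10.1.1.5 and 209.165.201.5 are the addresses the guide uses in its NAT example. The syntax is the ASA 8.3+ object NAT form, which is the version in which ACLs match on real addresses.

```cisco
! Added example (not from the guide). Names and 10.1.1.50 are assumptions.

! --- NAT and access rules: the ACL references the REAL address ----------
object network INSIDE-SERVER
 host 10.1.1.5
 nat (inside,outside) static 209.165.201.5
!
! Outside clients connect to 209.165.201.5, but the rule must match the
! real address 10.1.1.5. A rule written against 209.165.201.5 never matches.
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.5 eq 80
access-group OUTSIDE_IN in interface outside
!
! --- Implicit deny: deny the exceptions first, then permit all others ----
! Applying an ACL to the inside interface replaces the default
! high-to-low permit, so without the final permit line the implicit deny
! at the end of INSIDE_IN would drop all inside-to-outside traffic.
access-list INSIDE_IN extended deny ip host 10.1.1.50 any
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! --- Order of operations: interface ACL, global ACL, implicit deny --------
! Outside traffic that OUTSIDE_IN does not match (anything other than
! TCP/80 to the server) is evaluated against the global ACL next; only
! traffic unmatched there reaches the implicit deny. Inside traffic never
! reaches the global ACL because INSIDE_IN ends with permit ip any any.
access-list GLOBAL_ACL extended permit icmp any any echo
access-group GLOBAL_ACL global
```

To confirm that the ASA really evaluates OUTSIDE_IN against the real address, run `packet-tracer input outside tcp 198.51.100.7 12345 209.165.201.5 80` (source address constructed from the documentation range): the output shows an UN-NAT phase translating the destination to 10.1.1.5 before the ACCESS-LIST phase reports the match on OUTSIDE_IN, and `show access-list OUTSIDE_IN` then shows the hit count incremented on the 10.1.1.5 line.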
