Chapter 13 Identifying Traffic With Access Lists; Access List Implicit Deny; IP Addresses Used for Access Lists When You Use NAT - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI

Chapter 13
Identifying Traffic with Access Lists

Access List Implicit Deny

Access lists have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot
pass. For example, if you want to allow all users to access a network through the FWSM except for
particular addresses, then you need to deny the particular addresses and then permit all others.

IP Addresses Used for Access Lists When You Use NAT

When you use NAT, the IP addresses you specify for an access list depend on the interface to which the
access list is attached; you need to use addresses that are valid on the network connected to the interface.
This guideline applies for both inbound and outbound access groups: the direction does not determine
the address used, only the interface does.
For example, you want to apply an access list to the inbound direction of the inside interface. You
configure the FWSM to perform NAT on the inside source addresses when they access outside addresses.
Because the access list is applied to the inside interface, the source addresses are the original
untranslated addresses. Because the outside addresses are not translated, the destination address used in
the access list is the real address (see Figure 13-1).

Figure 13-1 IP Addresses in Access Lists: NAT Used for Source Addresses
[Figure: the inside network 10.1.1.0/24 sits behind the Inside interface and the host 209.165.200.225 is on the Outside interface. The inbound ACL on the inside interface reads "Permit from 10.1.1.0/24 to 209.165.200.225"; PAT translates the inside source addresses to 209.165.201.4:port on the outside.]

See the following commands for this example:

hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225
hostname(config)# access-group INSIDE in interface inside

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
Access List Overview
13-3
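As an added example (not code from the Cisco guide), the following Python models the access-list evaluation this chapter describes: entries are checked in order, the first match decides, and the implicit deny covers everything else. It uses the addresses from the chapter's INSIDE list plus a constructed host 10.1.1.7 to show why the deny for particular addresses must precede the permit for all others, and why a list on the inside interface must name the untranslated 10.1.1.0/24 rather than the PAT address; first-match evaluation is assumed, which is how FWSM access lists are processed.

```python
# Added example, not from the Cisco guide: a minimal model of how an FWSM
# access list is evaluated (entries in order, first match wins, implicit
# deny at the end) used to check the two rules the chapter states.
import ipaddress
from typing import List, Tuple

# An entry is (action, source network, destination network), with "any"
# written as 0.0.0.0/0. All addresses below are constructed or from the
# chapter's own example.
Ace = Tuple[str, str, str]
ANY = "0.0.0.0/0"


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a packet with the given addresses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action  # first matching entry decides
    return "deny"  # implicit deny: nothing explicitly permitted this traffic


# "Allow all users except particular addresses": the deny entries must
# precede the permit-all entry, or the permit shadows them.
EXCEPT_HOSTS_CORRECT: List[Ace] = [
    ("deny", "10.1.1.7/32", ANY),
    ("permit", ANY, ANY),
]
EXCEPT_HOSTS_WRONG: List[Ace] = [
    ("permit", ANY, ANY),
    ("deny", "10.1.1.7/32", ANY),  # never reached
]

# The chapter's INSIDE list, applied inbound on the inside interface, so it
# matches the real (untranslated) inside source addresses.
INSIDE: List[Ace] = [("permit", "10.1.1.0/24", "209.165.200.225/32")]

# The same intent written with the PAT address 209.165.201.4, which is only
# valid on the outside network and therefore never matches here.
INSIDE_WITH_PAT_ADDRESS: List[Ace] = [
    ("permit", "209.165.201.4/32", "209.165.200.225/32"),
]


def inside_interface_decisions(real_src: str) -> Tuple[str, str]:
    """Decisions of both lists for an inside host reaching 209.165.200.225."""
    dst = "209.165.200.225"
    return (evaluate(INSIDE, real_src, dst),
            evaluate(INSIDE_WITH_PAT_ADDRESS, real_src, dst))
```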
