Cisco Systems CL-28826-01 Security Camera User Manual


6-50
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 6 Managing Policy Objects
Creating Access Control List Objects
Creating Extended Access Control List Objects
Extended access control lists allow you to permit or deny traffic from specific source IP addresses to specific
destination IP addresses and ports, and to specify the protocol of the traffic, such as ICMP, TCP, UDP, and so
forth. Extended ACLs are numbered 100 to 199 and, for devices running Cisco IOS Software Release
12.0.1 and higher, 2000 to 2699.
Extended ACL example:
access-list 110 - Applied to traffic leaving the office (outgoing)
access-list 110 permit tcp 10.128.2.0 0.0.0.255 any eq 80
ACL 110 permits TCP traffic originating from any address on the 10.128.2.0 network (wildcard mask 0.0.0.255).
The “All-IPv4-Addresses” destination statement means that the traffic is allowed to have any destination address,
with the limitation that it must be going to port 80. The value 0.0.0.0/255.255.255.255 can be specified as
“All-IPv4-Addresses.”
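To make the wildcard-mask and first-match semantics of the entry above concrete, here is an added worked example (not code from the Cisco Security Manager guide). It parses numbered extended ACL entries in the IOS form shown on the page, treats "any" as 0.0.0.0 255.255.255.255 exactly as the "All-IPv4-Addresses" note describes, checks that the ACL number falls in the 100-199 or 2000-2699 ranges, and evaluates a packet against the list with the implicit deny at the end. The sample ACL adds one constructed deny line in front of the page's entry to show that the first matching line wins; the "host" and "ip" keywords are standard IOS syntax assumed here, not taken from the page.

```python
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# Numbered extended ACL ranges stated on the page: 100-199, and 2000-2699 on IOS 12.0.1+.
EXTENDED_RANGES = ((100, 199), (2000, 2699))


def is_extended_acl_number(number: int) -> bool:
    """True if the number falls in a numbered extended ACL range."""
    return any(lo <= number <= hi for lo, hi in EXTENDED_RANGES)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    0.0.0.0 with wildcard 255.255.255.255 therefore matches every IPv4 address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


@dataclass
class Ace:
    number: int
    action: str              # "permit" or "deny"
    proto: str               # tcp, udp, icmp, or ip (any protocol)
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int]  # set only when the entry ends in "eq <port>"


def _parse_addr(tokens: List[str], i: int):
    """Consume one address spec at tokens[i]; return (base, wildcard, next_index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    number = int(t[1])
    if not is_extended_acl_number(number):
        raise ValueError(f"{number} is not in an extended ACL number range")
    action, proto = t[2], t[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src, src_wc, i = _parse_addr(t, 4)
    dst, dst_wc, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = int(t[i + 1])
    return Ace(number, action, proto, src, src_wc, dst, dst_wc, port)


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dst_port: Optional[int]) -> bool:
    """Protocol, source, destination and (if present) destination port must all match."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if not wildcard_match(src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(dst, ace.dst, ace.dst_wc):
        return False
    if ace.dst_port is not None and ace.dst_port != dst_port:
        return False
    return True


def evaluate(acl_lines: List[str], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny at the end."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, proto, src, dst, dst_port):
            return ace.action
    return "deny"


# Constructed sample: the page's ACL 110 entry, preceded by a constructed deny for one host
# so the first-match rule is visible.
SAMPLE_ACL = [
    "access-list 110 deny tcp host 10.128.2.200 any eq 80",
    "access-list 110 permit tcp 10.128.2.0 0.0.0.255 any eq 80",
]

if __name__ == "__main__":
    for proto, src, dst, port in [
        ("tcp", "10.128.2.57", "203.0.113.10", 80),   # permitted by line 2
        ("tcp", "10.128.2.200", "203.0.113.10", 80),  # denied by line 1
        ("tcp", "10.128.2.57", "203.0.113.10", 443),  # wrong port: implicit deny
        ("udp", "10.128.2.57", "203.0.113.10", 80),   # wrong protocol: implicit deny
    ]:
        print(proto, src, "->", dst, port, evaluate(SAMPLE_ACL, proto, src, dst, port))
```

The wildcard mask is the inverse of a subnet mask: 0.0.0.255 says "the last octet is don't-care", so 10.128.2.57 matches 10.128.2.0 but 10.128.3.57 does not, which is why the page's entry covers only the 10.128.2.0 network while "any" (wildcard 255.255.255.255) covers every destination.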
Uses:
• Identifying addresses for NAT (policy NAT and NAT exemption)—Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses and ports in an extended access list. Regular NAT can only consider local addresses. An access list that is used with policy NAT cannot be configured to deny an access control entry (ACE).
• Identifying addresses for IOS dynamic NAT—For user-defined ACLs, the NAT plug-in generates its own ACL CLIs when deducing NAT traffic from VPN traffic.
• Filtering traffic that will be intercepted by Network Admission Control (NAC).
• Identifying traffic in a traffic class-map for modular policy—Access lists can be used to identify traffic in a class-map, which is used for features that support Modular Policy Framework such as TCP and general connection settings, inspection, IPS, and QoS. You can use one or more access lists to identify specific types of traffic.
• For transparent mode, enabling protocols that are blocked by a routed mode security appliance, including BGP, DHCP, and multicast streams. Because these protocols do not have sessions on the security appliance to allow return traffic, these protocols also require access lists on both interfaces.
• Establishing VPN access—You can use an extended access list in VPN commands to identify the traffic that should be tunneled on the device for an IPsec site-to-site tunnel or to identify the traffic that should be tunneled on the device for a VPN client. Use in conjunction with the policy objects and settings shown in Table 6-18 on page 6-50:
Table 6-18 Policy Objects and Settings

Policy Object    Device                                   Purpose
VPN Topology     Any                                      Selecting Protected Networks.
ASA User Group   ASA                                      Inbound Firewall Policy; Outbound Firewall Policy; Filter ACL.
Traffic Flow     ASA, PIX 7+                              Service Policy Rules (MPC). The traffic flow BB (class-map) uses Extended ACL as one of its traffic match types.
User Group       IOS, Catalyst 6500/7600, PIX 6.3         For Easy VPN, Split Tunnel ACL and Firewall ACL (IOS devices only).