Cisco ASA Series Configuration Guide

Cisco ASA Series
428 pages
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 4 Access Rules
Controlling Network Access
In transparent firewall mode, you can combine extended access rules, management access rules, and
EtherType rules on the same interface.
General Information About Rules, page 4-2
Extended Access Rules, page 4-4
EtherType Rules, page 4-6
General Information About Rules
This section describes information for both access rules and EtherType rules, and it includes the
following topics:
Interface Access Rules and Global Access Rules, page 4-2
Inbound and Outbound Rules, page 4-2
Rule Order, page 4-3
Implicit Permits, page 4-3
Implicit Deny, page 4-4
NAT and Access Rules, page 4-4
Interface Access Rules and Global Access Rules
You can apply an access rule to a specific interface, or you can apply an access rule globally to all
interfaces. You can configure global access rules in conjunction with interface access rules, in which
case, the specific inbound interface access rules are always processed before the general global access
rules. Global access rules apply only to inbound traffic.
Inbound and Outbound Rules
You can configure access rules based on the direction of traffic:
Inbound—Inbound access rules apply to traffic as it enters an interface. Global and management
access rules are always inbound.
Outbound—Outbound rules apply to traffic as it exits an interface.
Note: “Inbound” and “outbound” refer to the application of an ACL on an interface, either to traffic entering
the ASA on an interface or traffic exiting the ASA on an interface. These terms do not refer to the
movement of traffic from a lower security interface to a higher security interface, commonly known as
inbound, or from a higher to lower interface, commonly known as outbound.
An outbound ACL is useful, for example, if you want to allow only certain hosts on the inside networks
to access a web server on the outside network. Rather than creating multiple inbound ACLs to restrict
access, you can create a single outbound ACL that allows only the specified hosts. (See the following
figure.) The outbound ACL prevents any other hosts from reaching the outside network.
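
The outbound ACL scenario described above, written out as ASA CLI configuration beside the per-interface inbound alternative it replaces. This is an added example, not text from the Cisco guide; the ACL names, the interface names (inside, hr, eng, outside) and all addresses are constructed placeholders.

```cisco
! --- Alternative the text advises against: one inbound ACL per inside interface ---
! Each ACL must be maintained separately, and each one also governs all other
! traffic entering that interface.
access-list INSIDE_IN extended permit tcp host 10.1.1.14 host 203.0.113.25 eq www
access-group INSIDE_IN in interface inside
access-list HR_IN extended permit tcp host 10.1.2.67 host 203.0.113.25 eq www
access-group HR_IN in interface hr
access-list ENG_IN extended permit tcp host 10.1.3.34 host 203.0.113.25 eq www
access-group ENG_IN in interface eng

! --- Single outbound ACL: evaluated as traffic exits the outside interface ---
! Only the three listed hosts may reach the web server (constructed address).
access-list OUTSIDE_OUT extended permit tcp host 10.1.1.14 host 203.0.113.25 eq www
access-list OUTSIDE_OUT extended permit tcp host 10.1.2.67 host 203.0.113.25 eq www
access-list OUTSIDE_OUT extended permit tcp host 10.1.3.34 host 203.0.113.25 eq www
! "out" applies the ACL in the outbound direction on the named interface.
! Anything not matched above is dropped when it tries to exit outside.
access-group OUTSIDE_OUT out interface outside

! --- Checks (privileged EXEC mode) ---
! Per-entry hit counters confirm which lines are actually matching.
show access-list OUTSIDE_OUT
! Simulate a permitted host and a host that is not listed; the second
! trace should end in a drop at the access-list phase.
packet-tracer input inside tcp 10.1.1.14 1025 203.0.113.25 80
packet-tracer input inside tcp 10.1.1.99 1025 203.0.113.25 80
```

The two halves are alternatives, so apply only one of them; the keyword `in` or `out` on `access-group` is what selects the direction in the sense the Note above defines.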
