10-5
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 10 Controlling Network Access with Access Control Lists
Access Control List Overview
NAT exemption statements also use ACLs, but you cannot specify the ports.
To use ACLs with NAT, perform the following tasks:
1. Add the ACL using the “Adding an Extended Access Control List” section on page 10-13. This ACL
can contain only permit elements. Specify ports using the eq operator.
2. Use the ACL in the nat and static commands described in the following sections:
“Using Dynamic NAT and PAT” section on page 9-16
“Using Static NAT” section on page 9-26
“Using Static PAT” section on page 9-27
“Configuring Static Identity NAT” section on page 9-30
“Configuring NAT Exemption” section on page 9-31
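The two steps above, written out as an added FWSM configuration example; this is not text from the configuration guide, and the ACL names (INSIDE_WEB_NAT, STATIC_NAT, NO_NAT), interface names (inside, outside) and all addresses are constructed placeholders. The command forms are the nat, global and static forms the guide's sections on pages 9-16 through 9-31 describe; check the exact keyword set against those sections for your software release.

```cisco
! Added example, not from the configuration guide. Names, interfaces and
! addresses are constructed placeholders.
!
! Step 1: extended ACL for NAT. Permit elements only; ports via the eq operator.
! Only inside web traffic to 192.168.10.0/24 will match, so only that traffic
! is translated by the policy NAT below.
access-list INSIDE_WEB_NAT extended permit tcp 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 80
!
! Step 2a: dynamic NAT/PAT that uses the ACL (policy NAT). nat id 1 is tied to
! the global pool with the same id.
nat (inside) 1 access-list INSIDE_WEB_NAT
global (outside) 1 209.165.200.225
!
! Step 2b: static NAT that uses an ACL. Host 10.1.1.5 is presented as
! 209.165.200.226 only for flows that match STATIC_NAT.
access-list STATIC_NAT extended permit ip host 10.1.1.5 192.168.10.0 255.255.255.0
static (inside,outside) 209.165.200.226 access-list STATIC_NAT
!
! Step 2c: NAT exemption. nat id 0 with an ACL means "do not translate" for
! matching traffic; this ACL carries no ports, as the guide notes.
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
```

Because these ACLs decide which flows are translated rather than which are permitted, keep them as narrow as the translation actually needs; `show access-list` hit counts are a quick way to confirm that only the intended flows are matching.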
VPN Management Access (Extended)
You can use an extended ACL in VPN commands. See the following tasks for each method.
To identify hosts allowed to connect to the FWSM over an IPSec site-to-site tunnel, perform the
following tasks:
a. Add the ACL using the “Adding an Extended Access Control List” section on page 10-13.
Specify the FWSM address as the source address. Specify the remote address(es) for the
destination address.
b. Use the ACL in the crypto map match address command according to the “Configuring a
Site-to-Site Tunnel” section on page 11-9.
To identify the traffic that should be tunneled from a VPN client, perform the following tasks:
a. Add the ACL using the “Adding an Extended Access Control List” section on page 10-13.
Specify the FWSM address as the source address, and the VPN pool addresses as the destination
addresses.
b. Then use the ACL in the vpngroup split-tunnel command according to the “Configuring VPN
Client Access” section on page 11-7.
The FWSM only supports IPSec tunnels that terminate on the FWSM and that allow access to the FWSM
for management purposes; you cannot terminate a tunnel on the FWSM for traffic that goes through the
FWSM to another network.
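Both VPN management-access procedures above, as one added configuration example that is not part of the guide. The ACL, crypto map, pool and group names and every address are constructed placeholders (FWSM outside address 209.165.200.225, remote management network 192.168.50.0/24, peer 198.51.100.10, VPN pool 10.99.0.0/24); the ISAKMP policy and pre-shared keys are omitted and are covered by the sections on pages 11-7 and 11-9.

```cisco
! Added example, not from the configuration guide. All names and addresses
! are constructed placeholders; ISAKMP policy and keys are omitted.
!
! Site-to-site management tunnel: source is the FWSM's own address,
! destination the remote hosts allowed to manage it.
access-list MGMT_L2L extended permit ip host 209.165.200.225 192.168.50.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map MGMT_MAP 10 match address MGMT_L2L
crypto map MGMT_MAP 10 set peer 198.51.100.10
crypto map MGMT_MAP 10 set transform-set ESP-3DES-SHA
crypto map MGMT_MAP interface outside
!
! VPN client access: the split-tunnel ACL tunnels only FWSM <-> pool traffic.
! Source is again the FWSM address; destination is the client pool. Nothing
! behind the FWSM appears here, which matches the restriction that tunnels
! terminate on the FWSM for management only.
ip local pool MGMT_POOL 10.99.0.1-10.99.0.254
access-list MGMT_SPLIT extended permit ip host 209.165.200.225 10.99.0.0 255.255.255.0
vpngroup MGMT_CLIENTS address-pool MGMT_POOL
vpngroup MGMT_CLIENTS split-tunnel MGMT_SPLIT
```

After a peer connects, `show crypto ipsec sa` shows the negotiated proxy identities; they should be exactly the FWSM address and the remote network or pool named in the ACLs, nothing wider.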
Controlling Network Access for Non-IP Traffic (EtherType)
Transparent firewall mode only
You can configure an ACL that controls traffic based on its EtherType. The FWSM can control any
EtherType identified by a 16-bit hexadecimal number. EtherType ACLs support Ethernet V2 frames.
802.3-formatted frames are not handled by the ACL because they use a length field as opposed to a type
field. Bridge protocol data units (BPDUs), which are handled by the ACL, are the only exception: they
are SNAP-encapsulated, and the FWSM is designed to specifically handle BPDUs.
To control non-IP traffic, perform the following task:
Create and apply the ACL according to the “Adding an EtherType Access Control List” section on
page 10-16.
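An added transparent-mode example of the EtherType ACL described above; it is not from the guide, and the ACL name NONIP, the interface names and the hex EtherType value are constructed (0x88B5 is the IEEE local-experimental EtherType, used here purely as a placeholder for a site-specific protocol).

```cisco
! Added example, not from the configuration guide. Name, interfaces and the
! hex EtherType are constructed placeholders.
!
! The FWSM handles BPDUs (SNAP-encapsulated) specially, so they can be
! permitted by keyword; an applied EtherType ACL ends in an implicit deny,
! so permit them explicitly to keep spanning tree working across the FWSM.
access-list NONIP ethertype permit bpdu
!
! Any Ethernet V2 type can be named as a 16-bit hex number. 802.3 frames
! carry a length field instead of a type and are not matched by this ACL,
! so it cannot be used to admit or block them.
access-list NONIP ethertype permit 0x88B5
!
! Apply inbound on each interface; IP traffic is governed by the separate
! extended ACLs, not by this list.
access-group NONIP in interface inside
access-group NONIP in interface outside
```

If spanning tree or another non-IP protocol stops working after the ACL is applied, `show access-list NONIP` shows which permit entries are matching and therefore which EtherType is being caught by the implicit deny.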