10-13
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 10 Controlling Network Access with Access Control Lists
Access Control List Override
When a per-user access control list (ACL) is downloaded for a user, the interface ACL applied with the
access-group command keeps its permit/deny authority by default: the user's traffic must be permitted by
both the interface ACL and the downloaded per-user ACL. If you enable ACL override, the downloaded
per-user ACL overrides the interface ACL, and the user's traffic is permitted whenever the per-user ACL
permits it, regardless of whether the interface ACL permits it. Because a per-user ACL can then open
traffic that the interface ACL denies, enable the override only if you trust the source of the downloaded
ACLs as much as you trust the interface ACL itself.
Note The access-group per-user-override command is implemented for inbound ACLs only, not for
outbound ACLs.
To enable ACL override, enter the following command:
fwsm/context(config)# access-group access-list {in | out} interface interface_name per-user-override
Adding an Extended Access Control List
An extended ACL is made up of one or more ACEs, in which you can specify the source and destination
addresses, and, depending on the ACE type, the protocol, the ports (for TCP or UDP), or the ICMP type
(for ICMP). You can identify all of these parameters within the access-list command, or you can use
object groups for each parameter. This section describes how to identify the parameters within the
command. To use object groups, see the “Simplifying Access Control Lists with Object Grouping”
section on page 10-18.
For TCP and UDP connections, you do not need to also apply an ACL on the destination interface to
allow returning traffic, because the FWSM allows all returning traffic for established connections. See
the “Stateful Inspection Feature” section on page 1-5 for more information. For connectionless protocols
such as ICMP, however, you either need ACLs to allow ICMP in both directions (by applying ACLs to
the source and destination interfaces), or you need to enable the ICMP inspection engine. (See the
“ICMP Inspection Engine” section on page 13-10.) The ICMP inspection engine treats ICMP sessions
as stateful connections. In transparent mode, you can use an extended ACL to allow protocols that a
routed-mode FWSM otherwise blocks, including BGP, DHCP, and multicast streams. Because the FWSM
keeps no session state for these protocols that would allow returning traffic, they also require ACLs on
both interfaces.
You can apply only one ACL of each type (extended and EtherType) to each direction of an interface.
You can apply the same ACLs on multiple interfaces.
Note If you change the ACL configuration, and you do not want to wait for existing connections to time out
before the new ACL information is used, you can clear the translation table using the clear xlate
command. However, clearing the translation table disconnects all current connections.
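The following model, added here as an example and not code from the guide or from the FWSM, makes the rules of the "Access Control List Override" section and of the extended-ACL paragraph above concrete. It parses constructed access-list lines written in the syntax the guide describes, evaluates them first-match with the implicit deny, applies the per-user-override decision, and uses a simplified connection table to show why a TCP request needs only an inbound ACL on the source interface while an ICMP echo needs either an echo-reply rule on the outside interface or the ICMP inspection engine. The ACL names, addresses, the USER_ALICE per-user ACL, the connection-table model and the icmp_inspection flag are all assumptions; the example also assumes no NAT, because with NAT the outside-interface ACL would have to match the translated address.

```python
"""Added example: a model of FWSM extended-ACL evaluation (assumptions, not FWSM code)."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # TCP/UDP ports; 0 for ICMP
    dport: int = 0
    icmp_type: str = ""   # ICMP type keyword, e.g. "echo", "echo-reply"

# Constructed configuration in the guide's syntax (hypothetical names/addresses, no NAT).
CONFIG = """
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list INSIDE_IN extended permit icmp 10.1.1.0 255.255.255.0 any echo
access-list INSIDE_IN extended deny ip any any
access-list OUTSIDE_IN extended permit icmp any 10.1.1.0 255.255.255.0 echo-reply
access-list OUTSIDE_IN extended deny ip any any
access-list USER_ALICE extended permit tcp host 10.1.1.7 any eq 22
"""

def _addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acls(text):
    """Parse 'access-list NAME extended {permit|deny} PROTO SRC DST [eq PORT | ICMP_TYPE]' lines
    into {name: [ACE, ...]} with ACE = (permit, proto, src_net, dst_net, dport, icmp_type).
    Only numeric ports are handled (the real CLI also accepts names such as www)."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        name, permit, proto = t[1], t[3] == "permit", t[4]
        src, rest = _addr(t[5:])
        dst, rest = _addr(rest)
        dport = int(rest[1]) if proto in ("tcp", "udp") and rest[:1] == ["eq"] else None
        icmp_type = rest[0] if proto == "icmp" and rest else None
        acls.setdefault(name, []).append((permit, proto, src, dst, dport, icmp_type))
    return acls

def acl_permits(aces, pkt):
    """First matching ACE decides; no match means the ACL's implicit deny applies."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for permit, proto, src, dst, dport, icmp_type in aces:
        if proto not in ("ip", pkt.proto) or s not in src or d not in dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if icmp_type is not None and icmp_type != pkt.icmp_type:
            continue
        return permit
    return False

def inbound_decision(iface_aces, pkt, user_aces=None, per_user_override=False):
    """Inbound check for a user with a downloaded per-user ACL (override is inbound-only).
    Without per-user-override the interface ACL keeps its permit/deny say, so both must
    permit; with it the per-user ACL alone decides, even where the interface ACL denies."""
    if user_aces is None:
        return acl_permits(iface_aces, pkt)
    if per_user_override:
        return acl_permits(user_aces, pkt)
    return acl_permits(iface_aces, pkt) and acl_permits(user_aces, pkt)

class Firewall:
    """Two-interface model: one inbound extended ACL per interface plus a connection table
    that stands in (as an assumption) for the FWSM's connection/xlate state."""
    def __init__(self, acls, bindings, icmp_inspection=False):
        self.acls, self.bindings, self.icmp_inspection = acls, bindings, icmp_inspection
        self.conns = set()

    def forward(self, iface, pkt):
        """Return True if a packet entering `iface` is forwarded."""
        # Returning traffic of an established connection is allowed without an ACL check.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return True
        if not acl_permits(self.acls.get(self.bindings[iface], []), pkt):
            return False
        # TCP/UDP always create state; ICMP only when the inspection engine is enabled.
        if pkt.proto in ("tcp", "udp") or self.icmp_inspection:
            self.conns.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

def demo(icmp_inspection=False, outside_permits_reply=True):
    """Send an inside host's HTTP request and ping, then the replies; report what is forwarded."""
    acls = parse_acls(CONFIG)
    if not outside_permits_reply:   # variant: drop the echo-reply rule from OUTSIDE_IN
        acls["OUTSIDE_IN"] = [ace for ace in acls["OUTSIDE_IN"] if ace[5] != "echo-reply"]
    fw = Firewall(acls, {"inside": "INSIDE_IN", "outside": "OUTSIDE_IN"}, icmp_inspection)
    http = Packet("tcp", "10.1.1.7", "198.51.100.10", sport=40000, dport=80)
    http_reply = Packet("tcp", "198.51.100.10", "10.1.1.7", sport=80, dport=40000)
    ping = Packet("icmp", "10.1.1.7", "198.51.100.10", icmp_type="echo")
    pong = Packet("icmp", "198.51.100.10", "10.1.1.7", icmp_type="echo-reply")
    return {"http": fw.forward("inside", http), "http_reply": fw.forward("outside", http_reply),
            "ping": fw.forward("inside", ping), "pong": fw.forward("outside", pong)}
```

Running demo() with the constructed configuration forwards all four packets; removing the echo-reply rule from OUTSIDE_IN drops the ping reply while the HTTP reply still passes on connection state, and enabling icmp_inspection restores the ping reply without that rule. For the override rule, inbound_decision with USER_ALICE denies SSH from 10.1.1.7 unless per_user_override is set, because INSIDE_IN never permits port 22; without the override, the per-user ACL can only narrow what the interface ACL already permits.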