Access control entry order – Cisco ASA 5505 User Manual
Page 384
14-2
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 14 Information About Access Lists
Access Control Entry Order
•
IPv6 access lists—Determine which IPv6 traffic to block and which traffic to forward at router
interfaces. For more information, see
Chapter 19, “Adding an IPv6 Access List.”
lists the types of access lists and some common uses for them.
Access Control Entry Order
An access list is made up of one or more access control entries (ACEs). Each ACE that you enter for a
given access list name is appended to the end of the access list. Depending on the access list type, you
can specify the source and destination addresses, the protocol, the ports (for TCP or UDP), the ICMP
type (for ICMP), or the EtherType.
Table 14-1
Access List Types and Common Uses
Access List Use
Access List Type
Description
Control network access for IP traffic
(routed and transparent mode)
Extended
The ASA does not allow any traffic from a lower security
interface to a higher security interface unless it is
explicitly permitted by an extended access list.
Note
To access the ASA interface for management
access, you do not also need an access list
allowing the host IP address. You only need to
configure management access according to
Chapter 37, “Configuring Management Access.”
Identify traffic for AAA rules
Extended
AAA rules use access lists to identify traffic.
Control network access for IP traffic for a
given user
Extended,
downloaded from a
AAA server per user
You can configure the RADIUS server to download a
dynamic access list to be applied to the user, or the server
can send the name of an access list that you already
configured on the ASA.
Identify addresses for NAT (policy NAT
and NAT exemption)
Extended
Policy NAT lets you identify local traffic for address
translation by specifying the source and destination
addresses in an extended access list.
Establish VPN access
Extended
You can use an extended access list in VPN commands.
Identify traffic in a traffic class map for
Modular Policy Framework
Extended
EtherType
Access lists can be used to identify traffic in a class map,
which is used for features that support Modular Policy
Framework. Features that support Modular Policy
Framework include TCP and general connection settings,
and inspection.
For transparent firewall mode, control
network access for non-IP traffic
EtherType
You can configure an access list that controls traffic based
on its EtherType.
Identify OSPF route redistribution
Standard
Standard access lists include only the destination address.
You can use a standard access list to control the
redistribution of OSPF routes.
Filtering for WebVPN
Webtype
You can configure a Webtype access list to filter URLs.
Control network access for IPV6
networks
IPv6
You can add and apply access lists to control traffic in
IPv6 networks.