Access List Types; Access Control Entry Order - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI

Access List Overview

Access List Types

Chapter 13, Identifying Traffic with Access Lists (OL-20748-01)

Table 13-1 lists the types of access lists and some common uses for them.

Table 13-1 Access List Types and Common Uses

Access List Use: Control network access for IP traffic (routed and transparent mode)
Access List Type: Extended
Description: The FWSM does not allow any traffic unless it is explicitly permitted by an extended access list.
Note: To access the FWSM interface for management access, you do not also need an access list allowing the host IP address. You only need to configure management access according to Chapter 23, "Configuring Management Access."

Access List Use: Identify traffic for AAA rules
Access List Type: Extended
Description: AAA rules use access lists to identify traffic.

Access List Use: Control network access for IP traffic for a given user
Access List Type: Extended, downloaded from a AAA server per user
Description: You can configure the RADIUS server to download a dynamic access list to be applied to the user, or the server can send the name of an access list that you already configured on the FWSM.

Access List Use: Identify addresses for NAT (policy NAT and NAT exemption)
Access List Type: Extended
Description: Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses in an extended access list.

Access List Use: Establish VPN access
Access List Type: Extended
Description: You can use an extended access list in VPN commands.

Access List Use: Identify traffic in a traffic class map for Modular Policy
Access List Type: Extended, EtherType
Description: Access lists can be used to identify traffic in a class map, which is used for features that support Modular Policy Framework. Features that support Modular Policy Framework include TCP and general connection settings, and inspection.

Access List Use: For transparent firewall mode, control network access for non-IP traffic
Access List Type: EtherType
Description: You can configure an access list that controls traffic based on its EtherType.

Access List Use: Identify OSPF route redistribution
Access List Type: Standard
Description: Standard access lists include only the destination address. You can use a standard access list to control the redistribution of OSPF routes.

Access Control Entry Order

An access list is made up of one or more Access Control Entries (ACEs). Depending on the access list type, you can specify the source and destination addresses, the protocol, the ports (for TCP or UDP), the ICMP type (for ICMP), or the EtherType.

Each ACE that you enter for a given access list name is appended to the end of the access list unless you specify the line number in the ACE (extended access lists only).

The order of ACEs is important. When the FWSM decides whether to forward or drop a packet, the FWSM tests the packet against each ACE in the order in which the entries are listed. After a match is found, no more ACEs are checked. For example, if you create an ACE at the beginning of an access list that explicitly permits all traffic, no further statements are ever checked.

You can disable an ACE by making it inactive.
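As an added illustration of first-match ordering, the line keyword and inactive ACEs (example code written for this page, not code from the guide or from Cisco), the following Python script models a simplified subset of the FWSM extended-ACE syntax, evaluates a packet against an access list in order, and reports ACEs that an earlier ACE shadows so they can never match. The access-list name OUTSIDE_IN, the host 10.1.1.10 and the ACE text are constructed sample data.

```python
import ipaddress  # IPv4Network.subnet_of needs Python 3.7+

def _addr(tok, i):  # 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'  ->  (network, next index)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok[i] + "/" + tok[i + 1]), i + 2

def parse_ace(text):
    """Parse 'access-list NAME [line N] extended permit|deny PROTO SRC DST [eq PORT] [inactive]'."""
    tok = text.split()
    line, i = (int(tok[3]), 4) if tok[2] == "line" else (None, 2)  # tok[i] == 'extended'
    src, j = _addr(tok, i + 3)
    dst, j = _addr(tok, j)
    port = int(tok[j + 1]) if j < len(tok) and tok[j] == "eq" else None
    return {"line": line, "action": tok[i + 1], "proto": tok[i + 2], "src": src,
            "dst": dst, "port": port, "inactive": tok[-1] == "inactive"}

def build_acl(lines):
    acl = []
    for ace in map(parse_ace, lines):
        if ace["line"] is None:
            acl.append(ace)                    # default: appended to the end of the list
        else:
            acl.insert(ace["line"] - 1, ace)   # 'line N' inserts at 1-based position N
    return acl

def covers(ace, proto, src, dst, port):
    """True if this active ACE matches every packet of proto from src net to dst net/port."""
    return (not ace["inactive"] and ace["proto"] in ("ip", proto)
            and src.subnet_of(ace["src"]) and dst.subnet_of(ace["dst"])
            and ace["port"] in (None, port))

def evaluate(acl, proto, src, dst, port=None):
    """Test a packet against ACEs in order; stop at the first match; implicit deny otherwise."""
    for idx, ace in enumerate(acl, 1):
        if covers(ace, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), port):
            return ace["action"], idx
    return "deny", None

def shadowed(acl):
    """1-based positions of ACEs that can never match because an earlier active ACE covers them."""
    return [j + 1 for j, a in enumerate(acl)
            if any(covers(e, a["proto"], a["src"], a["dst"], a["port"]) for e in acl[:j])]

# Constructed ACLs: permit-all entered first hides the later deny; 'line 1' puts the deny ahead.
ORDER_BUG = ["access-list OUTSIDE_IN extended permit ip any any",
             "access-list OUTSIDE_IN extended deny tcp any host 10.1.1.10 eq 23"]
FIXED = [ORDER_BUG[0], "access-list OUTSIDE_IN line 1 extended deny tcp any host 10.1.1.10 eq 23"]
```

Running shadowed() over an access list before applying it is a cheap way to catch the "permit everything first" mistake the text describes.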
