Chapter 13
Identifying Traffic with Access Lists
Access List Overview
If you perform NAT on both interfaces, keep in mind which addresses are visible to a given interface: an access list applied to an interface must use the addresses as they appear on that interface, not the real addresses behind the other interface. In Figure 13-3, an outside server uses static NAT so that a translated address appears on the inside network, and the access list on the inside interface refers to that translated address.
Figure 13-3   IP Addresses in Access Lists: NAT used for Source and Destination Addresses
[Figure: an outside server at 209.165.200.225 is statically translated to 10.1.1.56 on the inside. The inside network 10.1.1.0/24 is translated with PAT to 209.165.201.4:port on the outside. The ACL applied to the inside interface permits traffic from 10.1.1.0/24 to 10.1.1.56.]
See the following commands for this example:
hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 10.1.1.56
hostname(config)# access-group INSIDE in interface inside
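The complete translation and access-list configuration behind Figure 13-3, as an added example rather than commands from the original guide. The page lists only the access-list and access-group commands; the static and PAT statements below are assumed from the addresses shown in the figure, using the FWSM static/nat/global syntax, and the prompt and interface names follow the page's own example:

```text
! Added example: NAT and ACL configuration for Figure 13-3 (assumed, not from the original page)
!
! Outside server 209.165.200.225 is statically translated so that it is
! visible on the inside network as 10.1.1.56.
! static (real_interface,mapped_interface) mapped_ip real_ip
hostname(config)# static (outside,inside) 10.1.1.56 209.165.200.225 netmask 255.255.255.255
!
! Inside network 10.1.1.0/24 is translated with PAT to 209.165.201.4 on the outside.
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.4
!
! The access list is applied on the inside interface, so it uses the
! inside-visible (translated) address of the server, 10.1.1.56.
hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 10.1.1.56
hostname(config)# access-group INSIDE in interface inside
```

Because the access list is evaluated on the inside interface, where the server is visible only as 10.1.1.56, an ACE written against the real address 209.165.200.225 would never match traffic arriving on that interface. An access list applied on the outside interface would likewise see the inside hosts only by their mapped address, 209.165.201.4.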
Access List Commitment
When you add an ACE to an access list, the FWSM activates the access list by committing it to the network processors. The FWSM waits a short period of time after you last entered an access-list command and then commits the access list. If you enter another ACE after the commitment starts, the FWSM aborts the commitment and recommits the access list after another short waiting period. The FWSM displays a message similar to the following after it commits the access list:
Access Rules Download Complete: Memory Utilization: < 1%
Commitment time grows with the size of the access list; a large access list of approximately 60,000 ACEs can take 3 to 4 minutes to commit.
Note   To keep this message from displaying after every access list change and subsequent committal to the network processor, enter the np acl-notify disable command. This command is local and not saved in the startup configuration, so it does not replicate to the peer through failover, and you must re-enter the command after each reload.
For information about exceeding memory limits, see the "Maximum Number of ACEs" section.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
13-5
OL-20748-01