Cisco ASA 5506W-X with FirePOWER Services Technical Manual

The information in this document was created from the devices in a specific lab environment. All of
the devices used in this document started with a cleared (default) configuration. If your network is
live, make sure that you understand the potential impact of any command.
Background Information
An access control rule is created from one or more combinations of these parameters:
IP Address (Source and Destination)
Ports (Source and Destination)
URL (System provided Categories and Custom URLs)
Application Detectors
VLANs
Zones
Depending on the combination of parameters used in the access rule, the rule expands differently on
the sensor. This document shows several rule combinations on the FMC and the corresponding
expansions on the sensors.
Understanding Rule Expansion
Expansion of an IP Based Rule
Consider the configuration of an access rule from the FMC, as shown in the image:
This is a single rule on the Management Center. However, after deploying it to the sensor, it
expands into four rules as shown in the image:
When you deploy a rule with two subnets configured as source addresses and two hosts configured as
destination addresses, the rule is expanded to four rules on the sensor (one per source/destination pair).
Note: If the requirement is to block access based on destination networks, a better way to
do this is to use Blacklists under Security Intelligence, which does not expand in this way.
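The expansion described above is the Cartesian product of the rule's source list and destination list. The following script is an added example (not Cisco code and not taken from this document) that models that expansion so you can predict the number of rules a policy will generate on a sensor before you deploy it. The rule name, the 2 × 2 sample addresses and the dictionary layout of the expanded rules are constructed for illustration; only the source × destination multiplication is what the document describes.

```python
from itertools import product
from ipaddress import ip_network


def normalise(obj):
    """Normalise one address object as typed on the FMC.

    Hosts are returned as /32 (or /128) networks; the literal "any" is kept as-is.
    (Assumption for this example: the FMC object names are plain CIDR strings.)
    """
    if obj == "any":
        return "any"
    return str(ip_network(obj))


def expanded_count(sources, destinations):
    """Number of sensor rules one FMC rule produces: |sources| x |destinations|."""
    return len(sources) * len(destinations)


def expand_rule(name, sources, destinations, action="allow"):
    """Expand one FMC rule into the per-pair rules the sensor actually holds.

    Each expanded rule is a dict with a synthetic name "<name>#<n>" (constructed
    for this example) plus the single source/destination pair it matches.
    """
    srcs = [normalise(s) for s in sources]
    dsts = [normalise(d) for d in destinations]
    return [
        {"name": f"{name}#{i}", "src": src, "dst": dst, "action": action}
        for i, (src, dst) in enumerate(product(srcs, dsts), start=1)
    ]


def policy_expansion(rules):
    """Total expanded rule count for a list of (sources, destinations) tuples,
    i.e. the size of the whole policy once deployed to the sensor."""
    return sum(expanded_count(s, d) for s, d in rules)


# Constructed sample matching the 2 subnets x 2 hosts case in the text.
SAMPLE_SOURCES = ["10.1.1.0/24", "10.1.2.0/24"]
SAMPLE_DESTINATIONS = ["192.168.1.10", "192.168.1.11"]

if __name__ == "__main__":
    for rule in expand_rule("Block-Hosts", SAMPLE_SOURCES, SAMPLE_DESTINATIONS, "block"):
        print(rule)
    # A rule that blocks 1 source against 50 destination networks still costs 50
    # sensor rules; that is the case the note above steers towards Security Intelligence.
    print("policy total:", policy_expansion([(SAMPLE_SOURCES, SAMPLE_DESTINATIONS),
                                              (["any"], [f"172.16.{i}.0/24" for i in range(50)])]))
```

Run the script to print the four expanded rules; `policy_expansion` lets you sum the cost of every access rule in a policy so that rules with long network lists can be spotted and moved to Security Intelligence before they bloat the sensor configuration.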
Expansion of an IP Based Rule using Custom URL