Cisco Cisco ASR 5700
ACS Rulebase Configuration Mode Commands
firewall priority ▀
Command Line Interface Reference, StarOS Release 17 ▄
711
deny [ charging-action charging_action_name ]
Denies packets if the rule is matched. An optional charging action can be specified. If a packet matches the
deny rule, action is taken as configured in the charging action. For Stateful Firewall ruledefs, only the
terminate-flow action is applicable, if configured in the specified charging action.
deny rule, action is taken as configured in the charging action. For Stateful Firewall ruledefs, only the
terminate-flow action is applicable, if configured in the specified charging action.
charging_action_name
must be the name of a charging action, and must be an alphanumeric string of 1
through 63 characters.
permit [ nat-realm nat_realm_name | [ bypass-nat ] [ trigger open-port {
aux_port_number | range start_port_number to end_port_number } ] ]
aux_port_number | range start_port_number to end_port_number } ] ]
Permits packets.
nat-realm nat_realm_name
: Specifies the NAT realm to be used for performing NAT on
subscriber packets matching the Stateful Firewall ruledef.
If the NAT realm is not specified, then NAT will be bypassed. That is, NAT will not be applied on
subscriber packets that are matching a Stateful Firewall ruledef with no NAT realm name
configured.
subscriber packets that are matching a Stateful Firewall ruledef with no NAT realm name
configured.
nat_realm_name
must be the name of a NAT realm, and must be an alphanumeric string of 1
through 31 characters.
bypass-nat
: Specifies that packets bypass NAT.
Important:
If the
nat-realm
is not configured, NAT is performed if the
nat
policy nat-required
CLI command is configured with the
default-nat-realm
option.
trigger open-port { aux_port_number | range start_port_number to
end_port_number }
: Permits packets if the rule is matched, and allows the creation of data flows
for Stateful Firewall. Optionally a port trigger can be specified to be used for this rule to limit the
range of auxiliary data connections (a single or range of port numbers) for protocols having control
and data connections (like FTP). The trigger port will be the destination port of an association which
matches a rule.
range of auxiliary data connections (a single or range of port numbers) for protocols having control
and data connections (like FTP). The trigger port will be the destination port of an association which
matches a rule.
aux_port_number
: Specifies the number of auxiliary ports to open for traffic, and must be an
integer from 1 through 65535.
range start_port_number to end_port_number
: Specifies the range of ports to open
for subscriber traffic.
start_port_number
must be an integer from 1 through 65535. This is the start of
the port range and must be less than
end_port_number
.
end_port_number
must be an integer from 1 through 65535. This is the end of the
port range and must be greater than
start_port_number
.
direction { both | reverse | same }
Specifies the direction from which the auxiliary connection is initiated. This direction can be same as the
direction of control connection, or the reverse of the control connection direction, or in both directions.
direction of control connection, or the reverse of the control connection direction, or in both directions.
both
: Provides the trigger to open port for traffic in either direction of the control connection.
reverse
: Provides the trigger to open port for traffic in the reverse direction of the control connection
(from where the connection is initiated).
same
: Provides the trigger to open port for traffic in the same direction of the control connection (from
where the connection is initiated).