Cisco ASA for Nexus 1000V Series Switch Technical Manual

Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Background Information
Access lists are primarily used to control the traffic flow through the firewall. You can allow or deny specific
types of traffic with access lists. Every access list contains a number of access list entries (ACEs) that control
the traffic flow from a specific source to a specific destination. Normally, an access list is bound to an
interface, which specifies the direction of the flow it inspects. Access lists fall into two broad types:
1. Inbound access lists
2. Outbound access lists
Inbound access lists apply to the traffic that enters that interface, and outbound access lists apply to the traffic
that exits the interface. The inbound/outbound notation refers to the direction of traffic relative to that
interface, not to the movement of traffic between higher-security and lower-security interfaces.
For TCP and UDP connections, you do not need an access list to allow returning traffic because the security
appliance allows all returning traffic for established bidirectional connections. For connectionless protocols
such as ICMP, the security appliance establishes unidirectional sessions, so you either need to apply access
lists to both the source and destination interfaces in order to allow ICMP in both directions, or you need to
enable the ICMP inspection engine. The ICMP inspection engine treats ICMP sessions as bidirectional
connections.
From ASDM version 6.3.x onward, there are two types of access lists that you can configure:
1. Interface access rules
2. Global access rules
Note: Access rule refers to an individual access list entry (ACE).
Interface access rules are bound to an interface at the time of their creation; you cannot create them without
binding them to an interface. This differs from the CLI. With the CLI, you first create the access list with the
access-list command, and then bind this access list to an interface with the access-group command. In ASDM
6.3 and later, the access list is created and bound to an interface as a single task. An interface access rule
applies only to the traffic flowing through that specific interface.
Global access rules are not bound to any interface. They can be configured through the ACL Manager tab in
the ASDM and are applied to the global ingress traffic. They are implemented when there is a match based on
the source, the destination, and the protocol type. These rules are not replicated on each interface, so they save
memory space.
When both types of rules are configured, interface access rules take precedence over the global access
rules.
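As an added illustration (not taken from this manual), the three CLI configurations described above, with constructed addresses from the 192.0.2.0/24 documentation range and an assumed interface named outside:

```text
! Constructed example. Addresses are from the 192.0.2.0/24 documentation range;
! the interface name "outside" and the ACL names are assumptions.

! 1. Interface access rule, done in two steps on the CLI:
!    create the access list, then bind it to an interface with a direction.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-group OUTSIDE_IN in interface outside
!    No explicit "deny ip any any" is added here: the interface ACL is evaluated
!    before the global ACL, so an explicit deny at its end would stop the global
!    rules from ever being consulted for traffic entering this interface. The
!    implicit deny still applies after both lists have been checked.

! 2. Global access rule: not bound to any interface, applied to ingress
!    traffic on all interfaces, so it is not replicated per interface.
access-list GLOBAL_IN extended deny ip 192.0.2.0 255.255.255.0 any
access-group GLOBAL_IN global

! 3. ICMP inspection engine: treats ICMP as a bidirectional connection, so
!    echo replies are allowed back without a second ACL on the return interface.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Verify the resulting bindings with show running-config access-group, which lists each interface binding and the global binding separately.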
Configure
In this section, you are presented with the information to configure the features described in this document.