Cisco ASR 5000
Firewall-and-NAT Policy Configuration Mode Commands
access-rule
Command Line Interface Reference, StarOS Release 18
1. A check is done to see whether the packet matches any pinholes. If it does, no rule matching is done and the packet is allowed.
2. Access ruledef matching is done. If a rule matches, the packet is allowed or dropped as per the access-rule priority configuration.
3. If no access ruledef matches, the packet is allowed or dropped as per the access-rule no-ruledef-matches configuration.
For a packet dropped due to access ruledef match or no match (first packet of a flow), the charging action applied is the one configured in the access-rule priority or the access-rule no-ruledef-matches command respectively.
For action on packets dropped due to any error condition after the data session is created, the charging action must be configured in the flow any-error charging-action command in the ACS Rulebase Configuration Mode.
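As an added illustration of the three-step evaluation order (pinhole check, priority-ordered ruledef matching, no-ruledef-matches default) and of the drop-time charging action described above, the following Python model is constructed for this page; it is not Cisco StarOS code. It assumes that a lower priority number is evaluated first and that a charging action is only relevant when the packet is dropped; the rule names, packet fields, pinhole and charging-action names are made-up sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# A packet is modelled as a plain dict with proto, src, dst and dport (constructed sample data).
Packet = Dict[str, object]


@dataclass
class AccessRule:
    """Stands in for one 'access-rule priority N access-ruledef NAME {permit|deny}' line."""
    priority: int                          # assumption: lower number is evaluated first
    ruledef: str                           # ruledef name (made up)
    matches: Callable[[Packet], bool]      # stands in for the ruledef's match conditions
    action: str                            # "permit" or "deny"
    charging_action: Optional[str] = None  # applied only when this rule drops the packet


@dataclass
class FirewallPolicy:
    rules: List[AccessRule] = field(default_factory=list)
    pinholes: Set[Tuple[str, str, int]] = field(default_factory=set)  # (proto, dst, dport)
    no_ruledef_matches_action: str = "deny"
    no_ruledef_matches_charging: Optional[str] = None

    def evaluate(self, pkt: Packet) -> Dict[str, Optional[str]]:
        # Step 1: pinhole check. A hit skips rule matching entirely and allows the packet.
        if (pkt["proto"], pkt["dst"], pkt["dport"]) in self.pinholes:
            return {"action": "permit", "reason": "pinhole", "charging_action": None}

        # Step 2: access ruledef matching in priority order; the first match decides.
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.matches(pkt):
                charging = rule.charging_action if rule.action == "deny" else None
                return {"action": rule.action,
                        "reason": f"ruledef {rule.ruledef} priority {rule.priority}",
                        "charging_action": charging}

        # Step 3: nothing matched; apply the no-ruledef-matches configuration.
        charging = (self.no_ruledef_matches_charging
                    if self.no_ruledef_matches_action == "deny" else None)
        return {"action": self.no_ruledef_matches_action,
                "reason": "no-ruledef-matches",
                "charging_action": charging}


def build_sample_policy() -> FirewallPolicy:
    """Constructed policy: rules are deliberately added out of priority order."""
    policy = FirewallPolicy(no_ruledef_matches_action="deny",
                            no_ruledef_matches_charging="ca_default_drop")
    policy.rules.append(AccessRule(5, "deny_telnet",
                                   lambda p: p["dport"] == 23, "deny", "ca_telnet_drop"))
    policy.rules.append(AccessRule(1, "test_rule",
                                   lambda p: p["proto"] == "tcp" and p["dport"] == 80, "permit"))
    # Never reached for port 23: the deny at priority 5 is evaluated first.
    policy.rules.append(AccessRule(20, "permit_telnet_mgmt",
                                   lambda p: p["dport"] == 23 and p["src"] == "10.1.1.1", "permit"))
    # A pinhole as a port trigger would open it (constructed value).
    policy.pinholes.add(("tcp", "10.0.0.5", 1500))
    return policy


if __name__ == "__main__":
    policy = build_sample_policy()
    samples = [
        {"proto": "tcp", "src": "192.0.2.10", "dst": "10.0.0.5", "dport": 1500},
        {"proto": "tcp", "src": "192.0.2.10", "dst": "10.0.0.9", "dport": 80},
        {"proto": "tcp", "src": "10.1.1.1", "dst": "10.0.0.9", "dport": 23},
        {"proto": "udp", "src": "192.0.2.10", "dst": "10.0.0.9", "dport": 4444},
    ]
    for pkt in samples:
        print(pkt["proto"], pkt["dport"], "->", policy.evaluate(pkt))
```

The third sample packet shows the point to check when auditing a policy: a permit placed at a lower priority (higher number) than an overlapping deny is never consulted, and the charging action reported for the drop is the one attached to the deny rule, not to the default.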
The GGSN can dynamically activate or deactivate dynamic ruledefs for a subscriber based on the rule name
received from a policy server. At rule match, if a rule in the policy is a dynamic rule, and if the rule is enabled
for the particular subscriber, rule matching is done for the rule. If the rule is disabled for the particular
subscriber, rule matching is not done for the rule.
Example
For Stateful Firewall, the following command assigns a priority of 10 to the access ruledef test_rule, adds it to the policy, and permits port trigger to be used for the rule to open ports in the range of 1000 to 2000 in either direction of the control connection:
access-rule priority 1 access-ruledef test_rule permit trigger open-port range 1000 to 2000 direction both