https://community.cisco.com/t5/network-security/control-plane-acl-on-firepower-4110/m-p/4697580#M1093898 <P>We have a 4110 managed by an FMC that we need to configure to block IKE traffic from. That's easy enough to do with a control-plane ACL, but I was looking at this:</P><P><A href="https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/" target="_blank">https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/</A></P><P>It shows a deny statement followed by as explicit "permit ip any any". Is the permit statement needed? I've always understood the control-planes to having an implicit "permit ip any any". If there is an implicit, I realize the explicit statement won't matter, so it's a matter of satisfying my curiosity. Thanks</P><P>&nbsp;</P> Mon, 03 Oct 2022 15:05:43 GMT ABaker94985 2022-10-03T15:05:43Z https://community.cisco.com/t5/network-security/control-plane-acl-on-firepower-4110/m-p/4697580#M1093898 <P>We have a 4110 managed by an FMC that we need to configure to block IKE traffic from. That's easy enough to do with a control-plane ACL, but I was looking at this:</P><P><A href="https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/" target="_blank">https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/</A></P><P>It shows a deny statement followed by as explicit "permit ip any any". Is the permit statement needed? I've always understood the control-planes to having an implicit "permit ip any any". If there is an implicit, I realize the explicit statement won't matter, so it's a matter of satisfying my curiosity. Thanks</P><P>&nbsp;</P> Mon, 03 Oct 2022 15:05:43 GMT https://community.cisco.com/t5/network-security/control-plane-acl-on-firepower-4110/m-p/4697580#M1093898 ABaker94985 2022-10-03T15:05:43Z https://community.cisco.com/t5/network-security/control-plane-acl-on-firepower-4110/m-p/4697588#M1093900 <P>A<SPAN>dding the control-plane keyword to the ACL entry, the traffic inspection applies to traffic destined to the ASA. Without the control-plane keyword, the ACL entries will apply to traffic traversing through the ASA.</SPAN></P> <P style="margin: 0px 0px 6px; padding: 0px; border: 0px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-weight: 400; font-stretch: inherit; font-size: 14px; line-height: 1.375em; font-family: CiscoSans, Arial, sans-serif; vertical-align: baseline; color: #58585b; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">The<SPAN>&nbsp;</SPAN><STRONG style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: bold; font-stretch: inherit; font-size: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">control-plane</STRONG><SPAN>&nbsp;</SPAN>keyword specifies if the ACL is used to control to-the-box traffic. Access control rules for to-the-box management traffic (defined by such commands as<SPAN>&nbsp;</SPAN><STRONG style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: bold; font-stretch: inherit; font-size: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">http</STRONG>,<SPAN>&nbsp;</SPAN><STRONG style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: bold; font-stretch: inherit; font-size: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ssh</STRONG>, or<SPAN>&nbsp;</SPAN><STRONG style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: bold; font-stretch: inherit; font-size: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">telnet</STRONG>) have higher precedence than a management access rule applied with the<SPAN>&nbsp;</SPAN><STRONG style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: bold; font-stretch: inherit; font-size: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">control-plane</STRONG><SPAN>&nbsp;</SPAN>option. Therefore, <STRONG>such permitted management traffic will be allowed to come in even if explicitly denied by the to-the-box ACL</STRONG>.</P> <P style="margin: 0px 0px 6px; padding: 0px; border: 0px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-weight: 400; font-stretch: inherit; font-size: 14px; line-height: 1.375em; font-family: CiscoSans, Arial, sans-serif; vertical-align: baseline; color: #58585b; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">Unlike regular access rules, there is no implicit deny at the end of a set of management rules for an interface. Instead, any connection that does not match a management access rule is then evaluated by regular access control rules. Alternatively, you can use ICMP rules to control ICMP traffic to the device.</P> <P style="margin: 0px 0px 6px; padding: 0px; border: 0px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-weight: 400; font-stretch: inherit; font-size: 14px; line-height: 1.375em; font-family: CiscoSans, Arial, sans-serif; vertical-align: baseline; color: #58585b; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;"><A href="https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/217679-asa-access-control-list-configuration-ex.html" target="_blank" rel="noopener">ASA Access Control List Configuration Examples for Various Scenarios - Cisco</A></P> <P style="margin: 0px 0px 6px; padding: 0px; border: 0px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-weight: 400; font-stretch: inherit; font-size: 14px; line-height: 1.375em; font-family: CiscoSans, Arial, sans-serif; vertical-align: baseline; color: #58585b; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">&nbsp;</P> <P style="margin: 0px 0px 6px; padding: 0px; border: 0px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-weight: 400; font-stretch: inherit; font-size: 14px; line-height: 1.375em; font-family: CiscoSans, Arial, sans-serif; vertical-align: baseline; color: #58585b; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">&nbsp;</P> Mon, 03 Oct 2022 19:05:10 GMT https://community.cisco.com/t5/network-security/control-plane-acl-on-firepower-4110/m-p/4697588#M1093900 Sheraz.Salim 2022-10-03T19:05:10Z https://community.cisco.com/t5/network-security/control-plane-acl-on-firepower-4110/m-p/4697591#M1093902 <P><SPAN>""For<STRONG> management (control plane) ACLs</STRONG>, which control to-the-box traffic, there is no implicit deny at the end of a set of management rules for an interface. Instead, any connection that does not match a management access rule is then evaluated by regular <STRONG>access control rules</STRONG>.""</SPAN></P><P><SPAN>from cisco ASA ACL&nbsp;<BR /><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/access-acls.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/access-acls.html</A><BR /></SPAN></P> Mon, 03 Oct 2022 15:20:49 GMT https://community.cisco.com/t5/network-security/control-plane-acl-on-firepower-4110/m-p/4697591#M1093902 MHM Cisco World 2022-10-03T15:20:49Z https://community.cisco.com/t5/network-security/control-plane-acl-on-firepower-4110/m-p/4697659#M1093906 <P>Thank you both for the replies, and I read both links prior to posting. I realize there is normally a default "deny ip any any" at the end of a normal access list, but if I leave the "permit ip any any" off the control-plane ACL, it shouldn't matter, correct, given there is no implicit deny?&nbsp;</P> Mon, 03 Oct 2022 17:39:16 GMT https://community.cisco.com/t5/network-security/control-plane-acl-on-firepower-4110/m-p/4697659#M1093906 ABaker94985 2022-10-03T17:39:16Z https://community.cisco.com/t5/network-security/control-plane-acl-on-firepower-4110/m-p/4697690#M1093910 <P><SPAN> There is no implicit deny at the end of control plane ACL.<BR /></SPAN></P> Mon, 03 Oct 2022 19:03:29 GMT https://community.cisco.com/t5/network-security/control-plane-acl-on-firepower-4110/m-p/4697690#M1093910 Sheraz.Salim 2022-10-03T19:03:29Z