topic Configuring Control Plane ACL on ASA in Network Security

Configuring Control Plane ACL on ASA

SATORU SAEGUSA — Mon, 11 Mar 2019 23:37:34 GMT

Hello,

I configure a control plane ACL to a outside interface for limiting AnyConnect access on ASA 5520, will enter the following commands on the device:

! interface GigabitEthernet0/0
! nameif outside
! security-level 0
! ip address 1.2.3.4 255.255.255.252

access-list LimitingAnyConnect extended permit tcp host 5.6.7.8 host 1.2.3.4 eq https
access-group LimitingAnyConnect in interface outside control-plane

Does this configuration allow ONLY 5.6.7.8 to connect AnyConnect on the device?
Should I add the following ACL?

access-list LimitingAnyConnect extended deny tcp any host 1.2.3.4 eq https

Thank you for your cooperation in advance.

Configuring Control Plane ACL on ASA

Jennifer Halim — Fri, 03 Aug 2012 15:14:18 GMT

No, you don't need to specify the "deny" access-list because by implicit rule is deny ip any any if you have configured an access-list on the interface.

Re: Configuring Control Plane ACL on ASA

john thoren — Wed, 22 Mar 2023 19:44:19 GMT

According to this doc, https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/access-rules.html#ID-2124-0000003d

There is no implicit deny at the end of control plane acls. The doc says:

"For management (control plane) ACLs, which control to-the-box traffic, there is no implicit deny at the end of a set of management rules for an interface. Instead, any connection that does not match a management access rule is then evaluated by regular access control rules."