https://community.cisco.com/t5/network-security/control-plane-acl-on-asa/m-p/2952929#M920252 <P>Hello Krishna-</P> <P>Take a look at the link below that I think will help you configure control-plane based ACL for your Firewall:</P> <P><A href="http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/firewall/asa-95-firewall-config/access-rules.html">http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/firewall/asa-95-firewall-config/access-rules.html</A></P> <P>So by adding the control-plane keyword to the ACL entry, the traffic inspection applies to traffic destined to the ASA. Without the control-plane keyword, the ACL entries will apply to traffic traversing through the ASA.</P> <P>Also, keep in mind that ASA based control-plane ACLs (telnet, ssh, http, etc) will override the control-plane ACL applied on the interface.&nbsp;</P> <P>I hope this helps!</P> <P><EM>Thank you for rating helpful posts!</EM></P> Thu, 20 Oct 2016 21:57:34 GMT nspasov 2016-10-20T21:57:34Z https://community.cisco.com/t5/network-security/control-plane-acl-on-asa/m-p/2952928#M920249 <P>Hi!</P> <P>On ASA, suppose I apply a inbound control plane ACL on outside interface; what will be the impact / consequence to the inbound traffic that is using outside interface IP for PAT or Static PAT.</P> <P></P> <P>Control plan ACL is applied to restrict to-the-box traffic.</P> <P></P> <P>Thanks in advance</P> <P>Krishna</P> Fri, 21 Feb 2020 13:56:30 GMT https://community.cisco.com/t5/network-security/control-plane-acl-on-asa/m-p/2952928#M920249 krishnadig 2020-02-21T13:56:30Z https://community.cisco.com/t5/network-security/control-plane-acl-on-asa/m-p/2952929#M920252 <P>Hello Krishna-</P> <P>Take a look at the link below that I think will help you configure control-plane based ACL for your Firewall:</P> <P><A href="http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/firewall/asa-95-firewall-config/access-rules.html">http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/firewall/asa-95-firewall-config/access-rules.html</A></P> <P>So by adding the control-plane keyword to the ACL entry, the traffic inspection applies to traffic destined to the ASA. Without the control-plane keyword, the ACL entries will apply to traffic traversing through the ASA.</P> <P>Also, keep in mind that ASA based control-plane ACLs (telnet, ssh, http, etc) will override the control-plane ACL applied on the interface.&nbsp;</P> <P>I hope this helps!</P> <P><EM>Thank you for rating helpful posts!</EM></P> Thu, 20 Oct 2016 21:57:34 GMT https://community.cisco.com/t5/network-security/control-plane-acl-on-asa/m-p/2952929#M920252 nspasov 2016-10-20T21:57:34Z