08-02-2012 02:25 AM - edited 03-11-2019 04:37 PM
Hello,
I configured a control plane ACL on the outside interface to limit AnyConnect access on an ASA 5520, and will enter the following commands on the device:
! interface GigabitEthernet0/0
! nameif outside
! security-level 0
! ip address 1.2.3.4 255.255.255.252
access-list LimitingAnyConnect extended permit tcp host 5.6.7.8 host 1.2.3.4 eq https
access-group LimitingAnyConnect in interface outside control-plane
Does this configuration allow ONLY 5.6.7.8 to connect to AnyConnect on the device?
Should I add the following ACL?
access-list LimitingAnyConnect extended deny tcp any host 1.2.3.4 eq https
Thank you for your cooperation in advance.
08-03-2012 08:14 AM
No, you don't need to specify the "deny" access-list, because the implicit rule is deny ip any any once you have configured an access-list on the interface.
03-22-2023 12:44 PM
According to this doc, https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/access-rules.html#ID-2124-0000003d
there is no implicit deny at the end of control plane ACLs. The doc says:
"For management (control plane) ACLs, which control to-the-box traffic, there is no implicit deny at the end of a set of management rules for an interface. Instead, any connection that does not match a management access rule is then evaluated by regular access control rules."
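A small Python model of the two-stage evaluation the quoted doc describes, added here as an example (it is not from this thread or from Cisco): the control-plane ACL is checked first and, having no implicit deny, lets a non-matching connection fall through to the regular interface ACL. The ACE parser is a simplified assumption that only understands `host`/`any` addresses and an optional `eq <port>` clause.

```python
# Added example: simplified model of how the ASA evaluates to-the-box traffic,
# per the quoted doc. Not Cisco's code; the ACE grammar is a deliberate subset.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"https": 443, "http": 80, "ssh": 22}  # subset of ASA port names

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str               # IPv4 address or "any"
    dst: str
    dport: Optional[int]   # None when the ACE has no "eq" clause

def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME extended ...' line into an Ace."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    fields = t[5:]
    def take_addr() -> str:
        kw = fields.pop(0)
        if kw == "any":
            return "any"
        if kw == "host":
            return fields.pop(0)
        raise ValueError("only 'any' and 'host' addresses are modelled")
    src, dst = take_addr(), take_addr()
    dport = None
    if fields[:1] == ["eq"]:
        dport = PORT_NAMES.get(fields[1]) or int(fields[1])
    return Ace(t[3], t[4], src, dst, dport)

def first_match(acl: List[Ace], proto, src, dst, dport) -> Optional[str]:
    """Return the action of the first matching ACE, or None if nothing matches."""
    for a in acl:
        if (a.proto in (proto, "ip") and a.src in (src, "any")
                and a.dst in (dst, "any") and a.dport in (dport, None)):
            return a.action
    return None

def to_the_box_verdict(control_plane: List[Ace], interface_acl: List[Ace],
                       proto, src, dst, dport) -> Tuple[str, str]:
    """Stage 1: control-plane ACL, no implicit deny. Stage 2: interface ACL,
    which (as a regular ASA access-group) ends in an implicit deny."""
    action = first_match(control_plane, proto, src, dst, dport)
    if action is not None:
        return action, "control-plane"
    return (first_match(interface_acl, proto, src, dst, dport) or "deny"), "interface"
```

Running the question's permit-only ACL through the model shows a non-matching source being decided by the interface ACL instead; adding the explicit deny line from the question makes the control-plane stage reject it.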