Configuring Control Plane ACL on ASA

SATORU SAEGUSA
Beginner

Hello,

I am configuring a control plane ACL on an outside interface to limit AnyConnect access on an ASA 5520, and will enter the following commands on the device:

! interface GigabitEthernet0/0
!  nameif outside
!  security-level 0
!  ip address 1.2.3.4 255.255.255.252

access-list LimitingAnyConnect extended permit tcp host 5.6.7.8 host 1.2.3.4 eq https
access-group LimitingAnyConnect in interface outside control-plane

Does this configuration allow ONLY 5.6.7.8 to connect AnyConnect on the device?
Should I add the following ACL?

access-list LimitingAnyConnect extended deny tcp any host 1.2.3.4 eq https


Thank you for your cooperation in advance.

Accepted Solution

Jennifer Halim
Cisco Employee

No, you don't need to specify the "deny" access-list because by implicit rule is deny ip any any if you have configured an access-list on the interface.


2 Replies


According to this doc, https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/access-rules.html#ID-2124-0000003d, there is no implicit deny at the end of control plane ACLs. The doc says:

"For management (control plane) ACLs, which control to-the-box traffic, there is no implicit deny at the end of a set of management rules for an interface. Instead, any connection that does not match a management access rule is then evaluated by regular access control rules."
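To make the difference between the two replies concrete, here is a small Python model of how a control-plane (management) ACL is evaluated, written as an added example for this thread; it is not code from the thread, from Cisco, or from the ASA itself. It parses the subset of ASA extended ACE syntax used in the question (tcp, "host A" or "any" addresses, an optional "eq PORT") and applies first-match evaluation with no implicit deny, as the quoted documentation describes: a connection that matches no ACE is reported as "fallthrough" (handed on to the regular access rules) rather than dropped. The addresses 1.2.3.4 and 5.6.7.8 come from the question; the second client 9.9.9.9, the PORT_NAMES table and the function names are constructed for the example.

```python
"""Model of ASA control-plane (management) ACL evaluation.

Added example for this thread, not Cisco's or the poster's code. Only the
ACE syntax used in the question is supported. Per the ASA documentation
quoted above, a management ACL has NO implicit deny: a connection that
matches no ACE is not dropped here but handed on to the regular access rules.
"""
from dataclasses import dataclass
from typing import List, Optional

# Service keywords accepted after "eq"; a constructed subset of ASA's port names.
PORT_NAMES = {"https": 443, "ssh": 22, "www": 80}


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    src: Optional[str]     # None means "any"
    dst: Optional[str]     # None means "any"
    dport: Optional[int]   # None means any destination port


def parse_ace(line: str) -> Ace:
    """Parse e.g. 'access-list X extended permit tcp host 5.6.7.8 host 1.2.3.4 eq https'."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended" or tok[4] != "tcp":
        raise ValueError(f"unsupported ACE: {line}")
    action = tok[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action}")
    pos = 5

    def read_addr() -> Optional[str]:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return None
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1]
        raise ValueError(f"unsupported address spec: {tok[pos]}")

    src = read_addr()
    dst = read_addr()
    dport = None
    if pos < len(tok):
        if tok[pos] != "eq" or pos + 1 >= len(tok):
            raise ValueError(f"unsupported port spec in: {line}")
        name = tok[pos + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Ace(action, src, dst, dport)


def matches(ace: Ace, src: str, dst: str, dport: int) -> bool:
    """An ACE matches when every field it constrains equals the flow's value."""
    return ((ace.src is None or ace.src == src)
            and (ace.dst is None or ace.dst == dst)
            and (ace.dport is None or ace.dport == dport))


def control_plane_verdict(acl_lines: List[str], src: str, dst: str, dport: int) -> str:
    """First matching ACE wins; no match returns 'fallthrough' (no implicit deny)."""
    for ace in map(parse_ace, acl_lines):
        if matches(ace, src, dst, dport):
            return ace.action
    return "fallthrough"


ASA_IP = "1.2.3.4"          # outside interface address from the question
ALLOWED_CLIENT = "5.6.7.8"  # the one host that should reach AnyConnect

# The ACL exactly as posted in the question: a single permit and nothing else.
AS_POSTED = [
    f"access-list LimitingAnyConnect extended permit tcp host {ALLOWED_CLIENT} host {ASA_IP} eq https",
]
# The same ACL with the explicit deny the question asks about appended.
WITH_EXPLICIT_DENY = AS_POSTED + [
    f"access-list LimitingAnyConnect extended deny tcp any host {ASA_IP} eq https",
]
# Order matters: a deny placed before the permit shadows it for every client.
DENY_FIRST = list(reversed(WITH_EXPLICIT_DENY))

if __name__ == "__main__":
    other_client = "9.9.9.9"  # constructed: a client that should NOT get in
    for name, acl in [("as posted", AS_POSTED),
                      ("with explicit deny", WITH_EXPLICIT_DENY),
                      ("deny before permit", DENY_FIRST)]:
        ok = control_plane_verdict(acl, ALLOWED_CLIENT, ASA_IP, 443)
        other = control_plane_verdict(acl, other_client, ASA_IP, 443)
        print(f"{name:20s} allowed client -> {ok:12s} other client -> {other}")
```

Run as a script, the "as posted" ACL reports "fallthrough" for the unwanted client, which is the behaviour the documentation warns about: the control-plane ACL alone does not block it. Appending the explicit deny turns that into "deny" while the allowed client still gets "permit"; reversing the order shows why the deny must come after the permit.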
