Control-plane ACL on Firepower 4110

ABaker94985
Spotlight

We have a 4110 managed by an FMC that we need to configure to block IKE traffic from. That's easy enough to do with a control-plane ACL, but I was looking at this:

https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/

It shows a deny statement followed by an explicit "permit ip any any". Is the permit statement needed? I've always understood control-plane ACLs to have an implicit "permit ip any any". If there is an implicit permit, I realize the explicit statement won't matter, so it's a matter of satisfying my curiosity. Thanks.

Accepted Solution

There is no implicit deny at the end of control plane ACL.

please do not forget to rate.


4 Replies

Adding the control-plane keyword to the ACL entry, the traffic inspection applies to traffic destined to the ASA. Without the control-plane keyword, the ACL entries will apply to traffic traversing through the ASA.

The control-plane keyword specifies if the ACL is used to control to-the-box traffic. Access control rules for to-the-box management traffic (defined by such commands as http, ssh, or telnet) have higher precedence than a management access rule applied with the control-plane option. Therefore, such permitted management traffic will be allowed to come in even if explicitly denied by the to-the-box ACL.

Unlike regular access rules, there is no implicit deny at the end of a set of management rules for an interface. Instead, any connection that does not match a management access rule is then evaluated by regular access control rules. Alternatively, you can use ICMP rules to control ICMP traffic to the device.

ASA Access Control List Configuration Examples for Various Scenarios - Cisco


please do not forget to rate.

"For management (control plane) ACLs, which control to-the-box traffic, there is no implicit deny at the end of a set of management rules for an interface. Instead, any connection that does not match a management access rule is then evaluated by regular access control rules."

From the Cisco ASA ACL documentation:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/access-acls.html

ABaker94985
Spotlight

Thank you both for the replies, and I read both links prior to posting. I realize there is normally a default "deny ip any any" at the end of a normal access list, but if I leave the "permit ip any any" off the control-plane ACL, it shouldn't matter, correct, given there is no implicit deny? 

There is no implicit deny at the end of control plane ACL.

please do not forget to rate.
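To make the evaluation order quoted from the Cisco documentation concrete, here is a small model (added example, not code from the thread, the linked blog or Cisco) fed constructed ASA-style ACEs. It assumes, from the quoted text, that management-access services take precedence over the control-plane ACL, that the control-plane ACL has no implicit deny so unmatched to-the-box traffic falls through to the regular access rules, and that the regular access list ends with an implicit deny; the ACL names, ports and the simplified `extended {permit|deny} PROTO any any [eq PORT]` grammar are constructed for the example.

```python
import re

# Only the simplified ACE shape used in the constructed config below is parsed.
ACE_RE = re.compile(
    r"access-list (\S+) extended (permit|deny) (ip|tcp|udp) any any(?: eq (\S+))?$")
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ssh": 22, "https": 443}

# Constructed config: IKE blocked to-the-box, once without and once with the
# explicit "permit ip any any"; OUTSIDE_IN stands in for the regular rules.
CONFIG = """
access-list CP_IKE extended deny udp any any eq isakmp
access-list CP_IKE extended deny udp any any eq 4500
access-list CP_IKE_PERMIT extended deny udp any any eq isakmp
access-list CP_IKE_PERMIT extended deny udp any any eq 4500
access-list CP_IKE_PERMIT extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any any eq https
"""

def parse_acls(config):
    """Return {acl_name: [(action, proto, port_or_None), ...]} in config order."""
    acls = {}
    for line in config.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported line: {line}")
        name, action, proto, port = m.groups()
        port_num = (PORT_NAMES[port] if port in PORT_NAMES else int(port)) if port else None
        acls.setdefault(name, []).append((action, proto, port_num))
    return acls

def first_match(aces, proto, dport):
    """First-match lookup; None when no ACE matches (no implicit entry added)."""
    for action, ace_proto, ace_port in aces:
        if ace_proto in ("ip", proto) and ace_port in (None, dport):
            return action
    return None

def evaluate_to_the_box(acls, cp_name, proto, dport, mgmt_ports=(22,)):
    """Return (action, stage) for a packet addressed to the box itself."""
    if proto == "tcp" and dport in mgmt_ports:          # assumption 1: ssh/http rules win
        return "permit", "management-access rule (takes precedence)"
    action = first_match(acls[cp_name], proto, dport)    # assumption 2: no implicit deny
    if action:
        return action, "control-plane ACL"
    action = first_match(acls["OUTSIDE_IN"], proto, dport)
    if action:
        return action, "regular ACL"
    return "deny", "regular ACL implicit deny"            # assumption 3

ACLS = parse_acls(CONFIG)
if __name__ == "__main__":
    for cp in ("CP_IKE", "CP_IKE_PERMIT"):
        for proto, port in (("udp", 500), ("udp", 4500), ("tcp", 22), ("udp", 53)):
            print(cp, proto, port, evaluate_to_the_box(ACLS, cp, proto, port))
```

Under these assumptions the two variants agree on IKE and on management traffic but differ for traffic that matches neither: without the explicit permit it is judged by the regular rules, with it the control-plane ACL permits it before the regular rules are consulted.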