This is also true for all returning traffic originally initiated from a higher-level
to a lower-level interface, which is allowed through dynamically. An optional inbound ACL on the
source interface and an outbound ACL on the destination interface can be configured. Refer to Figure 6-19.
By default, traffic can exit the Security Appliance on any interface unless it is restricted through the use of an
outbound ACL, which provides more granular access control in addition to the inbound ACL.
The access list architecture on the Security Appliance is similar to the IOS ACL operation.
To enable an access list for network access control on the Security Appliance, perform the following two steps.
Configuring an access list on Security Appliance is similar to Cisco IOS.
Step 1—Defining an Access List
Using the access-list command from global configuration mode, define access control entries (ACEs) for a
specific host, network, protocol, or set of ports. When defining an ACL on a Security Appliance, use a subnet mask
rather than the wildcard mask used on an IOS device. Otherwise the behavior is similar to IOS, in that there is
an implicit deny at the end of every access list.
Step 2—Applying an Access List to an Interface
Apply the access list to the interface in an inbound or outbound direction by using the access-group {name |
number} {in | out} interface interface_name command.
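The two steps carried through as a complete configuration, added here as an illustration and not taken from the book or from a Cisco reference configuration. It assumes ASA 7.x-style extended ACL syntax, interface names of outside and inside, and the documentation address ranges 192.0.2.0/24 (a constructed DMZ web server) and 198.51.100.0/24 (a constructed management network); all of these values are assumptions.

```text
! Step 1 - define the access lists (global configuration mode).
! Note the subnet mask (255.255.255.0), not the IOS wildcard form (0.0.0.255).
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.10 eq 22
! No explicit deny is needed: an implicit deny ends every access list.
! Adding it anyway gives a hit counter for "show access-list" during troubleshooting.
access-list OUTSIDE_IN extended deny ip any any

! An optional outbound ACL on the destination interface: only the web server
! may be reached from the inside network over HTTPS on its way out of the inside interface.
access-list INSIDE_OUT extended permit tcp any host 192.0.2.10 eq 443

! Step 2 - bind each list to an interface and direction.
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT out interface inside
```

Return traffic for connections initiated from the higher-security inside interface is still permitted dynamically, so OUTSIDE_IN only has to describe the connections that may be initiated from the outside. After applying the lists, `show access-list` displays per-ACE hit counts, which is the quickest way to confirm that the intended entry, and not the implicit deny, is matching the traffic.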