Chapter 10
Controlling Network Access with Access Control Lists

Access Control List Override

When you download a per-user access control list (ACL), the permit/deny status of the access-group access list is maintained unless you specifically change the permit/deny status so that the downloaded per-user access list overrides the interface access list. If ACL override is enabled, user traffic is permitted if it is permitted by the per-user access list, regardless of the permit status of the interface access list.

Note
The access-group per-user-override command is implemented for the inbound ACLs only, not for the outbound ACLs.

To enable ACL override, enter the following command:

fwsm/context(config)# access-group access-list {in | out} interface interface_name per-user-override

Adding an Extended Access Control List

An extended ACL is made up of one or more ACEs, in which you can specify the source and destination addresses, and, depending on the ACE type, the protocol, the ports (for TCP or UDP), or the ICMP type (for ICMP). You can identify all of these parameters within the access-list command, or you can use object groups for each parameter. This section describes how to identify the parameters within the command. To use object groups, see the "Simplifying Access Control Lists with Object Grouping" section on page 10-13.

For TCP and UDP connections, you do not need to also apply an ACL on the destination interface to allow returning traffic, because the FWSM allows all returning traffic for established connections. See the "Stateful Inspection Feature" section on page 1-5 for more information. For connectionless protocols such as ICMP, however, you either need ACLs to allow ICMP in both directions (by applying ACLs to the source and destination interfaces), or you need to enable the ICMP inspection engine. (See the "ICMP Inspection Engine" section on page 13-10.) The ICMP inspection engine treats ICMP sessions as stateful connections. For transparent mode, you can allow protocols with an extended ACL that are otherwise blocked by a routed mode FWSM, including BGP, DHCP, and multicast streams. Because these protocols do not have sessions on the FWSM to allow returning traffic, these protocols also require ACLs on both interfaces.

You can apply only one ACL of each type (extended and EtherType) to each direction of an interface. You can apply the same ACLs on multiple interfaces.

Note
If you change the ACL configuration, and you do not want to wait for existing connections to time out before the new ACL information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
10-18
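As an added illustration of the two rules above, the per-user override decision and the first-match evaluation of extended ACEs by protocol, source, destination and port, here is a small Python evaluator over constructed sample ACLs; it is not code from the configuration guide or the FWSM. The ACL names and addresses are made up, the implicit deny at the end of an ACL is assumed, and the non-override behaviour is a simplified reading of the text (the interface ACL decides on its own).

```python
import ipaddress

# Constructed sample ACLs in a subset of the FWSM extended-ACL syntax: protocol ip/tcp/udp/icmp,
# "any" or "address netmask" pairs, and an optional "eq <port>" after the source and destination.
INTERFACE_ACL = [
    "access-list OUTSIDE_IN extended permit tcp any 192.0.2.0 255.255.255.0 eq 80",
    "access-list OUTSIDE_IN extended deny ip any any",
]
PER_USER_ACL = [  # hypothetical per-user ACL downloaded for one authenticated user
    "access-list USER_ALICE extended permit tcp any 192.0.2.0 255.255.255.0 eq 22",
]

def _take_addr(tok, i):  # consume "any" or "addr mask" at tok[i] -> (network, next index)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def _take_port(tok, i):  # consume an optional "eq <port>" -> (port or None, next index)
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Parse one extended ACE into its match fields; reject syntax outside the subset."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended" or tok[3] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _take_addr(tok, 5)
    sport, i = _take_port(tok, i)
    dst, i = _take_addr(tok, i)
    dport, _ = _take_port(tok, i)
    return {"permit": tok[3] == "permit", "proto": tok[4], "src": src, "sport": sport, "dst": dst, "dport": dport}

def acl_permits(acl, proto, src_ip, dst_ip, dport=None, sport=None):
    """First-match evaluation of an ACL; with no matching ACE the implicit deny at the end applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto) or src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport):
            continue
        return ace["permit"]
    return False

def inbound_allowed(interface_acl, per_user_acl, per_user_override, proto, src_ip, dst_ip, dport=None, sport=None):
    """Inbound decision for a user whose per-user ACL has been downloaded.
    With per-user-override the per-user ACL decides regardless of the interface ACL (the page's rule);
    without it the interface ACL's status is maintained, modelled here (assumption) as the interface ACL deciding."""
    if per_user_override and per_user_acl:
        return acl_permits(per_user_acl, proto, src_ip, dst_ip, dport, sport)
    return acl_permits(interface_acl, proto, src_ip, dst_ip, dport, sport)
```

Port 22 to the inside network is permitted only when per-user-override is configured on the inbound access-group; without it the interface ACL's deny ip any any still applies, which is the behaviour the Note above describes for inbound ACLs.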