Acl in class-map

Hi

I'm a little unsure of how using ACLs works within a class map.

I want to allow access to a web server 1.1.1.1 and deny all other traffic coming from the outside zone to the inside zone, so I have created an ACL with a permit http to 1.1.1.1 and a deny ip any any statement and applied it to the class map.

When I apply this to the policy map I can either inspect, drop or pass the traffic.

What I don't understand is how this works with the ACL permit or deny statements or the implicit deny functionality of the ACL.

For example, if I apply the pass action to this class-map/ACL, how does it handle the deny ip any any statement in the ACL?

If I am passing the traffic in the policy, does it still deny any deny statements in the ACL?

Also, what about multiple class maps in a policy map? Wouldn't a deny statement in the first ACL stop further processing in the policy map?

Hope this makes sense.

Thanks for any help

1 ACCEPTED SOLUTION

When using ACLs in a class map, a permit entry causes the ACL condition to match and a deny entry does not. So, for your ACL "permit tcp any host 1.1.1.1 eq www", any HTTP traffic to 1.1.1.1 on 80/tcp will be matched by the class map and the implicit "deny ip any any" will not be matched. There is no action implied by the ACL when used this way, only a match or no match.

ip access-list extended ACL_HTTP
 permit tcp any host 1.1.1.1 eq www
!
class-map type inspect match-any CM_HTTP
 match access-group name ACL_HTTP

In order to actually deny the traffic, you have to specify a drop in the policy map.

policy-map PM_HTTP
 class CM_HTTP
  inspect
 class class-default
  drop

To illustrate the point a bit further, let's say you were going to allow HTTP and HTTPS with two ACLs and did it like this:

ip access-list extended ACL_HTTP
 permit tcp any host 1.1.1.1 eq www
!
ip access-list extended ACL_HTTPS
 permit tcp any host 1.1.1.1 eq 443
!
class-map type inspect match-any CM_HTTP
 match access-group name ACL_HTTP
 match access-group name ACL_HTTPS
!
policy-map PM_HTTP
 class CM_HTTP
  inspect
 class class-default
  drop

In the above case, HTTP traffic to 1.1.1.1 is a hit on ACL_HTTP's permit statement, is matched by the class map and is inspected by the policy map. HTTPS traffic to 1.1.1.1 is a hit on ACL_HTTPS's permit statement, is likewise matched by the class map and is inspected by the policy map. The implicit deny statements (and any other deny statements you may add) only ensure that the packet doesn't match that element of the class map and doesn't prevent it from being matched against another.
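To make the match/no-match rule concrete, here is a small Python model of the evaluation described in the accepted solution. It is an added illustration, not code from this thread or from Cisco. The ACL, class-map and policy-map names come from the page; ACL_ASKER (the asker's permit plus explicit deny ip any any), the hypothetical second class-map CM_SSH/ACL_SSH, and the sample packets are constructed to answer the two follow-up questions: what the pass action does with a deny entry, and whether a deny in the first class-map's ACL stops later class-maps from being tried.

```python
"""Model of how a Cisco IOS zone-based firewall evaluates ACLs inside
class-maps, following the accepted answer above (added illustration, not
Cisco code).  A permit entry means "match"; a deny entry, explicit or the
implicit deny ip any any, means "no match"; only the policy-map action
(inspect / pass / drop) decides what happens to the packet.
Only 'any' / 'host A.B.C.D' address specs are parsed, no wildcard masks."""
from dataclasses import dataclass

# Port keywords used on this page plus a few common ones.
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0  # 0 = no port (e.g. icmp)


def _parse_addr(tokens, i):
    """Consume 'any' or 'host A.B.C.D' at tokens[i]; return (addr, next_index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError("unsupported address spec: " + tokens[i])


def parse_ace(line):
    """Parse one extended-ACL entry, e.g. 'permit tcp any host 1.1.1.1 eq www',
    into (action, proto, src, dst, dport)."""
    t = line.split()
    action, proto = t[0], t[1]
    if action not in ("permit", "deny"):
        raise ValueError("bad ACE: " + line)
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = 0
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return (action, proto, src, dst, dport)


def ace_hits(ace, pkt):
    _, proto, src, dst, dport = ace
    return ((proto == "ip" or proto == pkt.proto)
            and (src == "any" or src == pkt.src)
            and (dst == "any" or dst == pkt.dst)
            and (dport == 0 or dport == pkt.dport))


def acl_permits(acl, pkt):
    """First hit wins.  True only for a permit hit; a deny hit and falling off
    the end (the implicit deny ip any any) both yield False, i.e. 'no match'."""
    for ace in acl:
        if ace_hits(ace, pkt):
            return ace[0] == "permit"
    return False


def class_matches(cmap, acls, pkt):
    kind, acl_names = cmap
    hits = [acl_permits(acls[n], pkt) for n in acl_names]
    return any(hits) if kind == "match-any" else all(hits)


def policy_action(policy, classes, acls, pkt):
    """First matching class in the policy-map decides.  A deny in an earlier
    class's ACL only makes that class miss; later classes are still tried.
    class-default catches everything; in a type inspect policy-map its
    default action is drop."""
    for cname, action in policy:
        if cname == "class-default" or class_matches(classes[cname], acls, pkt):
            return action
    return "drop"


# Configs from the page, plus the asker's variant and a hypothetical 2nd class.
ACLS = {
    "ACL_HTTP":  [parse_ace("permit tcp any host 1.1.1.1 eq www")],
    "ACL_HTTPS": [parse_ace("permit tcp any host 1.1.1.1 eq 443")],
    "ACL_ASKER": [parse_ace("permit tcp any host 1.1.1.1 eq www"),
                  parse_ace("deny ip any any")],          # asker's explicit deny
    "ACL_SSH":   [parse_ace("permit tcp any host 1.1.1.1 eq 22")],  # hypothetical
}
CLASSES = {
    "CM_HTTP":  ("match-any", ["ACL_HTTP", "ACL_HTTPS"]),
    "CM_ASKER": ("match-any", ["ACL_ASKER"]),
    "CM_SSH":   ("match-any", ["ACL_SSH"]),   # hypothetical second class-map
}
PM_HTTP = [("CM_HTTP", "inspect"), ("class-default", "drop")]
PM_ASKER = [("CM_ASKER", "pass"), ("CM_SSH", "inspect"), ("class-default", "drop")]

# Constructed sample packets, outside -> inside.
HTTP = Packet("tcp", "203.0.113.5", "1.1.1.1", 80)
HTTPS = Packet("tcp", "203.0.113.5", "1.1.1.1", 443)
SSH = Packet("tcp", "203.0.113.5", "1.1.1.1", 22)
ICMP = Packet("icmp", "203.0.113.5", "1.1.1.1")


def demo():
    return {
        "PM_HTTP http":  policy_action(PM_HTTP, CLASSES, ACLS, HTTP),    # inspect
        "PM_HTTP https": policy_action(PM_HTTP, CLASSES, ACLS, HTTPS),   # inspect
        "PM_HTTP icmp":  policy_action(PM_HTTP, CLASSES, ACLS, ICMP),    # drop
        "PM_ASKER http": policy_action(PM_ASKER, CLASSES, ACLS, HTTP),   # pass
        "PM_ASKER icmp": policy_action(PM_ASKER, CLASSES, ACLS, ICMP),   # drop
        "PM_ASKER ssh":  policy_action(PM_ASKER, CLASSES, ACLS, SSH),    # inspect
    }
```

The PM_ASKER cases are the ones that answer the question: HTTP to 1.1.1.1 hits the permit, so the class matches and the traffic is passed; ICMP hits the explicit deny ip any any, so the class simply does not match and the packet falls through to class-default and is dropped, exactly as it would with the implicit deny alone; and SSH, which also hits that deny, is still evaluated against the next class-map and gets inspected there. The pass action never "applies" a deny; it only applies to what the class matched.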

Thanks that was crystal clear.