Configuring Control Plane ACL on ASA

SATORU SAEGUSA
Level 1

Hello,

I am configuring a control plane ACL on the outside interface to limit AnyConnect access on an ASA 5520, and will enter the following commands on the device:

! interface GigabitEthernet0/0
!  nameif outside
!  security-level 0
!  ip address 1.2.3.4 255.255.255.252

access-list LimitingAnyConnect extended permit tcp host 5.6.7.8 host 1.2.3.4 eq https
access-group LimitingAnyConnect in interface outside control-plane

Does this configuration allow ONLY 5.6.7.8 to connect AnyConnect on the device?
Should I add the following ACL?

access-list LimitingAnyConnect extended deny tcp any host 1.2.3.4 eq https


Thank you for your cooperation in advance.


2 Replies

Jennifer Halim
Cisco Employee (Accepted Solution)

No, you don't need to specify the "deny" access-list, because the implicit rule is deny ip any any if you have configured an access-list on the interface.

According to this doc, https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/access-rules.html#ID-2124-0000003d

there is no implicit deny at the end of control plane ACLs. The doc says:

"For management (control plane) ACLs, which control to-the-box traffic, there is no implicit deny at the end of a set of management rules for an interface. Instead, any connection that does not match a management access rule is then evaluated by regular access control rules."
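To make the difference between the two replies concrete, here is an added example (not from the thread or from Cisco) that models the evaluation order the quoted doc describes: a to-the-box packet is checked against the control-plane ACL first, which has no implicit deny, and only a packet that matches nothing there is handed to the regular interface ACL, which does end in an implicit deny. The ACE parser is a small model of the extended access-list syntax used in the question (host/any/mask sources and destinations, optional "eq" destination port), not an ASA implementation. The control-plane ACEs are the ones from the question; the regular outside ACL named outside_in is a constructed assumption chosen so that the fall-through is visible.

```python
"""Model of ASA to-the-box (control-plane) ACL evaluation, per the quoted doc:
control-plane ACL first, with NO implicit deny; non-matching traffic then hits
the regular interface ACL, which ends in an implicit deny ip any any.
Added example; addresses are the ones from the question, outside_in is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names accepted after "eq" (subset, for the model only)
PORTS = {"https": 443, "ssh": 22, "www": 80}


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None means any destination port


def _net(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'host A.B.C.D', 'any' or 'A.B.C.D MASK' at tokens[i]; return (net, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    action, proto = t[3], t[4]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    src, i = _net(t, 5)
    dst, i = _net(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        dport = int(p) if p.isdigit() else PORTS.get(p)
        if dport is None:
            raise ValueError(f"unknown port name {p!r} in: {line}")
    return Ace(action, proto, src, dst, dport)


def match(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    """True if the packet (proto, src, dst, dport) is covered by the ACE."""
    return (ace.proto in ("ip", proto)
            and ipaddress.ip_address(src) in ace.src
            and ipaddress.ip_address(dst) in ace.dst
            and (ace.dport is None or ace.dport == dport))


def evaluate(control_plane: List[Ace], regular: List[Ace],
             proto: str, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (decision, stage) for a to-the-box packet.
    Stage is 'control-plane', 'regular', or 'regular-implicit' (the only implicit deny)."""
    for ace in control_plane:            # first match wins, no implicit deny here
        if match(ace, proto, src, dst, dport):
            return ace.action, "control-plane"
    for ace in regular:                  # fall-through to the interface ACL
        if match(ace, proto, src, dst, dport):
            return ace.action, "regular"
    return "deny", "regular-implicit"    # implicit deny ip any any of the regular ACL


# Control-plane ACL exactly as posted in the question (permit only)
CONTROL_PLANE_AS_ASKED = [parse_ace(
    "access-list LimitingAnyConnect extended permit tcp host 5.6.7.8 host 1.2.3.4 eq https")]
# Same ACL with the explicit deny the question asks about
CONTROL_PLANE_WITH_DENY = CONTROL_PLANE_AS_ASKED + [parse_ace(
    "access-list LimitingAnyConnect extended deny tcp any host 1.2.3.4 eq https")]
# Constructed regular outside ACL (assumption): it happens to permit HTTPS to the box
REGULAR_OUTSIDE = [parse_ace(
    "access-list outside_in extended permit tcp any host 1.2.3.4 eq https")]


def compare(src: str) -> dict:
    """Decision for an HTTPS connection from src to the outside IP under both ACL variants."""
    return {
        "as asked": evaluate(CONTROL_PLANE_AS_ASKED, REGULAR_OUTSIDE, "tcp", src, "1.2.3.4", 443),
        "with deny": evaluate(CONTROL_PLANE_WITH_DENY, REGULAR_OUTSIDE, "tcp", src, "1.2.3.4", 443),
    }


if __name__ == "__main__":
    for host in ("5.6.7.8", "9.9.9.9"):   # 9.9.9.9 is a constructed non-allowed source
        print(host, compare(host))
```

With only the permit ACE, the packet from the allowed host is permitted at the control-plane stage, but a packet from any other host is decided by whatever the regular outside ACL says; with the explicit deny ACE added, the other host is dropped at the control-plane stage no matter what the regular ACL contains, which is the outcome the question was after.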
