Access Rules with Network and Service Objects

Cisco Secure Access supports adding Network and Service Objects on the internet and private access rules in the Access policy. For more information, see Add an Internet Access Rule and Add a Private Access Rule.

This guide describes the best practices to use when selecting Network and Service Objects and Groups on access rules.

About Network or Service Objects in Access Rules

Once you add the Network Objects and Groups and Service Objects and Groups in Secure Access, you can select the objects and groups on the access rules in the Access policy.

Supported Source Components in Access Rules:
  • Network Objects and Network Object Groups

Supported Destination Components in Access Rules:
  • Network Objects and Network Object Groups
  • Service Objects and Service Object Groups

Internet or Private Access Rules

  • For the sources in an access rule, Secure Access combines all selected sources together with the OR operator when enforcing the rule.
  • For the destinations in an access rule, Secure Access combines all selected destinations together with the OR operator when enforcing the rule.
    • (Optional) For the destinations in an access rule, Secure Access can combine the selected Network Objects with the Service Objects into a single destination using the logical AND operator.
  • Service Objects and Groups are available only on destination components in access rules.

Using Network Objects for Sources in Access Rules

You can select Network Objects for sources on the internet and private access rules in the Access policy. Sources are the From side of the access rule in the Access policy.

  • You can select at most 10 Network Objects for a source or destination in an internet or private access rule.
  • You can select at most 10 Network Object Groups for a source or destination in an internet or private access rule, where each group has no more than 50000 objects.
  • Sources that have Network Objects with a fully qualified domain name (FQDN) are ignored, and Network Groups that include Network Objects with an FQDN are also ignored. If an access rule has other sources selected besides the Network Objects with an FQDN, Secure Access enforces the rule for those sources.
    Note: Secure Access displays a warning message that the access rule will ignore the Network Object or Group with an FQDN.

Using Network and Service Objects for Destinations in Access Rules

You can select Network and Service Objects for destinations on the internet and private access rules in the Access policy. Destinations are the To side of the access rule on the Access policy.

  • You can select at most 10 Network Objects and 10 Service Objects for a destination in an internet or private access rule.
  • You can select at most 10 Network Groups and 10 Service Groups for a destination in an internet or private access rule, where each group has no more than 50000 objects.
  • A VPN profile that includes the configuration of a VPN split tunnel supports Network Objects only.
  • To select Network Objects and Service Objects in a rule, the rule must have either the allow or block action.
  • You can use logical AND to combine Network Objects and Groups and Service Objects and Groups for destinations on both internet and private access rules in the Access policy.
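The following is an added example, not Cisco's code, that models how the rule semantics described above combine: sources ORed together with FQDN objects dropped, destinations ORed by default, and the optional AND between Network Objects and Service Objects. The object names, CIDRs, ports and flows are constructed for illustration.

```python
# Added example (not Cisco's code): a small model of how this page says Secure Access
# combines Network and Service Objects on an access rule. Object names, CIDRs, ports
# and flows below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class NetworkObject:
    name: str
    cidr: Optional[str] = None   # host IP or CIDR, e.g. "10.1.0.0/16"
    fqdn: Optional[str] = None   # FQDN objects are ignored on the source side

@dataclass
class ServiceObject:
    name: str
    protocol: str                # "tcp" or "udp"
    ports: Tuple[int, int]       # inclusive port range

def net_matches(obj: NetworkObject, ip: str) -> bool:
    if obj.cidr is None:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(obj.cidr, strict=False)

def svc_matches(obj: ServiceObject, protocol: str, port: int) -> bool:
    return obj.protocol == protocol and obj.ports[0] <= port <= obj.ports[1]

def ignored_fqdn_sources(rule: dict) -> list:
    """Names of source Network Objects the rule ignores (the warning case on this page)."""
    return [o.name for o in rule["sources"] if o.fqdn is not None]

def rule_matches(rule: dict, flow: dict) -> bool:
    # Sources: FQDN objects are dropped, the remaining objects are ORed together.
    sources = [o for o in rule["sources"] if o.fqdn is None]
    src_ok = any(net_matches(o, flow["src_ip"]) for o in sources)
    # Destinations: ORed by default; with AND, a Network and a Service Object must both match.
    net_ok = any(net_matches(o, flow["dst_ip"]) for o in rule["dst_networks"])
    svc_ok = any(svc_matches(o, flow["protocol"], flow["dst_port"]) for o in rule["dst_services"])
    dst_ok = (net_ok and svc_ok) if rule["combine_with_and"] else (net_ok or svc_ok)
    return src_ok and dst_ok

# Constructed rule: branch subnet -> database subnet on TCP/1433 only (AND mode).
RULE = {
    "sources": [NetworkObject("branch-lan", cidr="10.1.0.0/16"),
                NetworkObject("portal-fqdn", fqdn="portal.example.com")],
    "dst_networks": [NetworkObject("db-subnet", cidr="192.168.10.0/24")],
    "dst_services": [ServiceObject("mssql", "tcp", (1433, 1433))],
    "combine_with_and": True,
}
```

Switching `combine_with_and` to False shows the difference in scope: with OR, a flow to the database subnet on any port matches, which is usually broader than intended.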
