Add a Private Access Rule

Cisco Secure Access connects users, devices, both public and branch networks, and network tunnels to private resources in your enterprise. Private resources are applications and services that you deploy on your enterprise's infrastructure or private cloud. When you add a private resource to your organization, Secure Access enables Branch network connections to the resource.

Once you add your sources and private resources to Secure Access, you can create private access rules with these source and destination components. For more information, see Components for Private Access Rules.

In a private access rule, add the source or destination components that you configured for your organization. You can also enter sources and destinations directly into your rules. These single-use source and destination components are available only on that access rule and are not shared across your policy.

The access rule defines the Action, Source, Security Controls, and Destinations for the rule. In your private access rule's Security Controls, Secure Access provides a default Intrusion Prevention System (IPS) profile. You can configure other IPS profiles and apply them to your Branch networks to Private Resources rules. For more information, see Manage Private Access Rules.

Prerequisites

Set Up the Private Access Rule

  1. Navigate to Secure > Access Policy.
  2. Click Add Rule, and then choose Private Access.
    At the top of the rule is a summary that describes the configured components of your rule.

Enable the Rule and Edit Your Logging Settings

  1. Toggle the rule to enable it. After you configure and save the rule to your policy, the rule is enabled.
    You can toggle off the rule at any time to disable it.
  2. Click Edit to manage your logging settings on the access rule.

    a. For Log Request, toggle off or on to choose whether Secure Access logs the events for the traffic managed by the access rule.

    b. For Log Only Security Events, select whether Secure Access logs the events that match the security filters. For more information, see Manage Logging.

Add a Rule Name

  1. For Rule name, add a meaningful name for your access rule.
    The Rule name is required. You must give your rule a name before you can continue to configure the Security Controls on the access rule.
    Note: The Next button on the access rule is not available until you enter a name for the rule.

Choose a Rule Order

  1. For Rule order, choose a new priority for the rule, or keep the rule order assigned to the rule by Secure Access.
    When you add a new rule, Secure Access assigns the next lowest priority to the rule. Secure Access applies the first rule in the list on the Access Policy page that matches the traffic. Order your rules so that more specific rules that might apply to the traffic are above more general rules. For more information, see Edit the Order of Rules on the Access Policy Page.

Step 1 — Specify Access Options

Rule Action

  1. Choose Allow or Block to set the action that Secure Access applies to traffic that matches the configured components of the access rule.
    Note: Secure Access blocks traffic in your organization to private destinations unless an access rule allows the connections.

Note: When the action is Allow and the traffic does not pass the security controls defined in the rule, Secure Access blocks the traffic.

Sources

We recommend that you use your organization's reusable source components in your access rules. For more information, see Components for Private Access Rules: Sources.

Note: The connection methods for a destination depend on the type of sources that you choose.
If you select Users or User Groups, you can choose destinations enabled for virtual private networks (VPNs) and Zero Trust Access connections, not Branch connections.

  1. For Select sources, click in the white space beside the default value ("Any") and choose the configured source components in your organization. When you finish choosing your sources, click Done.
  2. For Add a source, enter an IP or CIDR address as the network connection source in the access rule, and then click Add. When you finish adding your sources, click Done.

For more information, see About Configuring Source in Private Access Rules.

Note: The arrows out icon opens a window to configure the sources in your rule.

Destinations

We recommend that you use your organization's configured destination components in your access rules. For more information, see Components for Private Access Rules: Destinations.

  1. For Select destinations, click in the white space beside the default value ("Any") and choose the configured Private Resource Groups and Private Resources in your organization. When you finish choosing your private resources, click Done.
    Note: The arrows out icon opens a window to configure the destinations in your rule.
    a. For each Private Resource, hover over the network connections icons.
      Secure Access describes the type of network connections supported by the private destination.
  2. For Add a destination, select Port, IP/CIDR Address, and Protocol. Choose from one of the supported protocols: Any, TCP, UDP, or ICMP. After each selection, click Add. When you finish adding the attributes of the private destination, click Done.

To allow VPN access to a private resource, specify its IP or CIDR address, subnet, port, or protocol with the Add a destination option.

Note: You might use this option to allow users from one branch to access private applications in another branch.
Destinations that you enter manually are not reusable in another access rule.

For more information, see About Configuring Destinations in Private Access Rules.
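The Rule order, Rule Action and Destinations sections above describe how a private access rule list is evaluated: the first matching rule in priority order decides, Allow traffic that fails the rule's security controls is still blocked, and traffic matched by no rule is blocked. The following is an added example (not Cisco code) that models those semantics for manually entered IP/CIDR, port and protocol destinations; the rule set and addresses are constructed for illustration.

```python
# Added example, not Cisco code: models the documented first-match semantics of
# a private access rule list. All rules and addresses below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    action: str          # "Allow" or "Block"
    sources: list        # IP/CIDR strings; empty list means "Any"
    destinations: list   # (cidr, port or None, protocol) tuples; empty means "Any"
    enabled: bool = True


def _dest_matches(dest, dst_ip, dst_port, proto):
    cidr, port, protocol = dest
    return (ip_address(dst_ip) in ip_network(cidr, strict=False)
            and (port is None or port == dst_port)
            and (protocol == "Any" or protocol == proto))


def evaluate(rules, src_ip, dst_ip, dst_port, proto, ips_passed=True):
    """Return (decision, rule_name) for one flow.

    Rules are taken in priority order; the first enabled rule whose source and
    destination both match decides the flow, so specific rules must sit above
    general ones. An Allow rule still blocks traffic that fails its security
    controls (ips_passed=False), and with no match the default is Block.
    """
    for rule in rules:
        if not rule.enabled:
            continue
        src_ok = not rule.sources or any(
            ip_address(src_ip) in ip_network(c, strict=False) for c in rule.sources)
        dst_ok = not rule.destinations or any(
            _dest_matches(d, dst_ip, dst_port, proto) for d in rule.destinations)
        if src_ok and dst_ok:
            if rule.action == "Allow" and not ips_passed:
                return ("Block", rule.name)
            return (rule.action, rule.name)
    return ("Block", None)


# Constructed rule set: a specific Block placed above a more general Allow.
RULES = [
    Rule("Block legacy telnet", "Block", [], [("10.20.0.0/16", 23, "TCP")]),
    Rule("Branch A to ERP subnet", "Allow", ["192.168.10.0/24"], [("10.20.5.0/24", None, "Any")]),
    Rule("Ping monitoring host", "Allow", [], [("10.20.9.9/32", None, "ICMP")]),
]
```

Reversing the order of RULES lets the general Allow rule match the telnet flow first, which is the ordering pitfall the Rule order section warns about.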

Endpoint Requirements

Branch connections to private destinations do not require additional configuration. For important information about endpoint requirements and traffic handling, see About Endpoint Requirements in Access Rules.

For general information about posture profiles, see Manage Endpoint Security.

User Authentication Requirements

For Zero Trust Access: User Authentication Interval, toggle on or off whether Secure Access prompts users to authenticate before connecting to private destinations.
When Zero Trust Access: User Authentication Interval is enabled, you can set the interval at which Secure Access requires users to authenticate again.

This setting determines how often users must sign in to the network in order to make a Zero Trust connection to a private resource specified as a destination in this rule. Users are prompted to sign in only once per interval if they try to connect to a resource during that time, regardless of the private resources they access.

This option appears only if destinations include at least one private resource.

You can use the default interval as configured on the Rule Defaults page or specify a different interval.

For more information, see Network Authentication for Zero Trust Access.

Step 2 — Configure Security Control Options

Intrusion prevention is the only security control option needed for private access rules.

Intrusion Prevention (IPS)

  1. Use the default IPS profile as specified on the Rule Defaults page, or choose a different IPS profile that includes the threat detection settings that you want applied to traffic that matches this rule.
  2. Click Save.

Note: We recommend that you do not disable your IPS Profiles. For more information, see Manage IPS Profiles.

Summary

After you add a rule to your policy, you can edit the rule and then view the rule summary.

  1. Navigate to Secure > Access Policy.
  2. Navigate to a rule, and then click the horizontal ellipsis (...) to expand the rule menu.
  3. Click Edit to open the rule and view the rule summary.

The summary contains the components that you configured on the access rule:

  • Sources
  • Action
  • Security Controls
  • Destinations

If you see an Upgrade button, this means that your organization has an opportunity to upgrade to a subscription that offers additional functionality. For more information, see Contact Cisco Secure Access Support.
