About Configuring Destinations in Internet Access Rules

The Cisco Secure Access policy is a collection of your access rules and rule settings. On internet rules, you can configure DNS and Web security and intrusion prevention system (IPS) settings for the network components in your organization to reach internet destinations securely.

An internet rule includes destination components. You can add pre-configured destination components or create composite destinations from IP addresses, ports, and transport protocols on an internet rule. This guide describes the configuration options for destination components.

Destination Components for Internet Access Rules

  • You should pre-configure destinations that you can select in internet access rules. For descriptions and links to configuration instructions for each component type, see Components for Internet Access Rules.
  • You can also specify web sites by their content category, or specify individual web applications or categories of web application without creating content category lists or application lists, by choosing Content Categories or Application Categories.
  • Depending on the destinations you select (for example certain applications, application lists, or application categories) other options may appear in the rule.
  • If you see an option to "Select All", this selects all existing items in the group at the time you select it, but the rule will not include items added to the group in the future.
  • When you select a list or group, entities that are added to the list or group in the future are automatically included. For example, if you select a Destination List, any destinations that you add to that destination list later are automatically included.
  • If this rule involves tenant controls, you must include the relevant application as a destination in the rule, as well as configuring the applicable tenant control profile and specifying that profile in the Security Controls section of the rule. For more information, see Manage Tenant Control Profiles.
  • When specifying applications, it is not possible to search for an application with fewer than three letters in its name—for example, "QQ" or "YY". You must pick the applications manually from the tree under their respective categories or use a wildcard in search—for example, "QQ*". This behavior is by design.

Composite Destinations for Internet Access Rules

You can define a destination from multiple network address components. A composite destination accepts IP addresses or CIDR blocks, ports 80 and 443 for web traffic or all ports on non-web traffic, and the TCP, UDP, and ICMP transport protocols. You can choose ANY to select all available protocols on a destination.

This option is useful if you need to quickly address a specific issue that arises, for example to immediately allow access to a necessary destination that is being blocked by another rule, or to immediately block access to a problem destination.

Limitations of Composite Destinations

  • Internet rules with composite destinations only support the Allow and Block actions.
  • Composite destinations do not accept private non-routable IP addresses.

IP Addresses and CIDR Blocks

  • Destinations accept valid public IP addresses and CIDR blocks.

Ports

  • Destinations accept ports 80 and 443 only for web traffic and all ports or port ranges for non-web traffic.

Protocols

  • Destinations accept the TCP transport protocol. If you select TCP, the rule applies to web traffic and is protected by the secure web gateway.
  • Destinations accept the UDP or ICMP protocols. If you select UDP or ICMP, the rule applies to non-web traffic and is protected by the IPS.
  • For the protocol on the destination, you can choose ANY. If you select ANY, the rule applies to traffic on the TCP, UDP, and ICMP protocols. The traffic is protected by the secure web gateway.

Add Composite Destinations

  1. Navigate to Secure > Access Policy > Add Rule > Internet Access.
  2. Under To, click Add a destination, and then enter the IP addresses or CIDR blocks, choose a protocol or ANY, and enter a port or a range of ports separated by a hyphen (-).

After you add a composite destination, click +1More to view the list of destinations that you added to the rule.

Combining Destination Components as a Single Destination

When you add individual network address components on a destination, Secure Access combines the field values to create a single destination entry. You can add multiple composite destinations on a rule.

  • The ports added to the destination are OR'ed together. For example, if you add ports 80 and 443, the rule applies to traffic on port 80 or port 443.
  • The protocols added to the destination are OR'ed together. The rule applies to traffic on the selected protocols.
  • The individual network component field values that you enter for Ports, Protocols, and IPs or CIDRs are AND'ed together to create a single destination. The rule applies to the traffic on the composite destination.

Note: You are not required to choose an IP, protocols, or ports to add a composite destination. Instead, you can choose the ANY protocol to define a destination that matches traffic on any IP or CIDR, with any port, on the available destination protocols.

Combining Multiple Destinations in a Rule (Boolean Logic)

If an internet access rule includes multiple destinations, the following boolean logic applies:

  • All types of destinations, and all destinations within a type, are treated as using the boolean OR operator. Traffic to each destination that you specify in a rule matches the rule.
    • For example, if you specify a content category and an application list as destinations in a single rule, traffic to any destination that is a member of either group will match the rule.
  • If you specify ANY for the protocol, then all traffic on the protocols (TCP, UDP, ICMP) supported by internet rules matches the rule, regardless of any other destinations that you specify.
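The following Python model is an added illustration, not Cisco's implementation, and covers both the composite destination limitations above (public IP addresses only, ports 80 and 443 for TCP web traffic, any port for UDP) and the combining logic in this section (ports OR'ed, protocols OR'ed, IP AND protocol AND port within one destination, destinations OR'ed across a rule, ANY protocol matching all supported traffic). The class and function names, the port-string format, and the sample addresses (RFC 5737 documentation ranges) are all assumptions constructed for the example; the "private non-routable" check is modeled as RFC 1918, loopback, and link-local ranges.

```python
# Added example: a model of composite destination validation and matching
# for Secure Access internet rules. Illustrative only, not Cisco's code.
import ipaddress
from dataclasses import dataclass

WEB_PORTS = frozenset({80, 443})
TRANSPORTS = frozenset({"TCP", "UDP", "ICMP"})
# Assumption: "private non-routable" modeled as RFC 1918 + loopback + link-local.
PRIVATE_NETS = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16"))


def parse_ports(spec: str) -> frozenset:
    """Parse "80,443" or "1000-2000" (hyphen-separated range) into a port set.
    An empty string means no port constraint."""
    ports = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not (0 < lo_i <= hi_i <= 65535):
            raise ValueError(f"invalid port spec {part!r}")
        ports.update(range(lo_i, hi_i + 1))
    return frozenset(ports)


@dataclass(frozen=True)
class CompositeDestination:
    networks: tuple       # ip_network objects; empty tuple = any IP or CIDR
    protocols: frozenset  # subset of TRANSPORTS after expanding ANY
    ports: frozenset      # empty = any port

    @classmethod
    def create(cls, ips: str = "", protocol: str = "ANY", ports: str = ""):
        """Build a destination, rejecting values the rule editor does not accept."""
        nets = []
        for ip in filter(None, (s.strip() for s in ips.split(","))):
            net = ipaddress.ip_network(ip, strict=False)
            if any(net.subnet_of(p) for p in PRIVATE_NETS):
                raise ValueError(f"{ip}: private non-routable addresses are not accepted")
            nets.append(net)
        if protocol == "ANY":
            protos = TRANSPORTS            # ANY expands to TCP, UDP and ICMP
        elif protocol in TRANSPORTS:
            protos = frozenset({protocol})
        else:
            raise ValueError(f"unknown protocol {protocol!r}")
        port_set = parse_ports(ports)
        # A TCP-only destination is web traffic: only ports 80 and 443 are accepted.
        if protos == frozenset({"TCP"}) and not port_set <= WEB_PORTS:
            raise ValueError("web (TCP) destinations accept only ports 80 and 443")
        return cls(tuple(nets), protos, port_set)

    def matches(self, dst_ip: str, protocol: str, dst_port=None) -> bool:
        """IP AND protocol AND port must all match; ports in the set are OR'ed."""
        addr = ipaddress.ip_address(dst_ip)
        ip_ok = not self.networks or any(addr in n for n in self.networks)
        proto_ok = protocol in self.protocols
        # ICMP carries no port, so the port constraint applies only to TCP/UDP.
        port_ok = protocol == "ICMP" or not self.ports or dst_port in self.ports
        return ip_ok and proto_ok and port_ok


def rule_matches(destinations, dst_ip: str, protocol: str, dst_port=None) -> bool:
    """Destinations in one rule are OR'ed: traffic to any of them matches."""
    return any(d.matches(dst_ip, protocol, dst_port) for d in destinations)


def rejected(**kwargs) -> bool:
    """True if the rule editor model refuses this composite destination."""
    try:
        CompositeDestination.create(**kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample rule: a web destination and a UDP destination.
    rule = [CompositeDestination.create("203.0.113.0/24", "TCP", "80,443"),
            CompositeDestination.create("198.51.100.7", "UDP", "53")]
    print(rule_matches(rule, "203.0.113.9", "TCP", 443))   # True: IP, TCP and port all match
    print(rule_matches(rule, "203.0.113.9", "UDP", 443))   # False: protocol is AND'ed
    print(rejected(ips="10.0.0.0/8", protocol="TCP", ports="443"))  # True: private range
```

The `ANY` protocol with no IP and no port produces a destination whose `matches` returns True for every supported protocol, which is why the page warns that such a destination makes the other destinations in the rule irrelevant.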

Number of Destinations in a Rule

You can include up to 5000 destinations in an internet access rule. However, for optimal performance, include no more than 100 destinations in a rule.
