About Configuring Destinations in Private Access Rules
The Cisco Secure Access policy is a collection of your access rules and rule settings. Private access rules include destination components and have security controls and intrusion prevention system (IPS) settings that manage the security of the traffic in your organization.
In a private access rule, you can add pre-configured destination components or create composite destinations from IP addresses, CIDR blocks, or wildcard masks, ports, and transport protocols. This guide describes the configuration options for destination components.
Table of Contents
- Destination Components for Private Access Rules
- Composite Destinations for Private Access Rules
- Use Wildcard Masks in Composite Destinations
- Combining Multiple Destinations in a Rule (Boolean Logic)
Destination components for Private Access Rules
- When you select a Private Resource Group, resources that are added to the group in the future are automatically included.
- The Select All option selects all existing items in the group, but does not include items added to the group in future.
- All configured private resources allow connections from authenticated users on the network, including branch networks.
- For each resource, Zero trust (client-based and browser-based) and VPN connections are determined by the private resource configuration.
Composite Destinations for Private Access Rules
You can define a destination using multiple network address components. All destinations allow connections from authenticated users on the network, including branch networks.
Composite destinations are useful if you need to quickly address a specific issue that arises, for example to immediately allow access to a destination that is being blocked by another rule, or to immediately block access to a problem destination.
Zero-trust connections are not available for destinations that are not configured as private resources.
Private access rules with composite destinations only support the Allow and Block actions.
Important
Security controls do not apply to traffic for destinations added directly into a rule.
- Endpoint posture requirements
- Intrusion prevention (IPS)
If destinations include both configured private resources or groups and destinations typed directly into a rule, security controls are applied only to the configured private resources or groups.
IP Addresses, CIDR Blocks, and Wildcard Masks
- Destinations accept valid IPv4 addresses, CIDR blocks, and wildcard masks.
- For information about wildcard masks, see Use Wildcard Masks for Composite Destinations.
Ports
- Destinations accept all ports or port ranges for traffic to private destinations.
Protocols
- Destinations accept the TCP, UDP or ICMP protocols.
- For the protocol on the destination, you can choose ANY. If you select ANY, the rule applies to traffic on the TCP, UDP, and ICMP protocols.
Add Composite Destinations
Add composite destinations in private access rules.
-
Navigate to Secure > Access Policy > Add Rule > Private Access.
-
Navigate to Specify Access and then click on the search bar under To.
-
Click Add a destination, and then enter an IPv4 address or CIDR block, or an IPv4 address or CIDR block with a wildcard mask.
For Wildcard Mask, use the format:
<IP address or CIDR block>/<Wildcard Mask>.
-
Choose a protocol or ANY, and enter a port or range of ports separated by a hyphen (-).
-
Click Add.
After you add a composite destination, click +1More to view the list of destinations that you added to the rule.
Combining Destination Components as a Single Destination
When you add individual network address components on a destination, Secure Access combines the values to create a single destination entry. You can add multiple composite destinations on a rule.
- The ports added to the destination are OR'ed together.
- The protocols added to the destination are OR'ed together. The rule applies to traffic on the selected protocols.
- The individual network component field values that you enter for Ports, Protocols, and IPs or CIDRs are AND'ed together to create a single destination. The rule applies to the traffic on the composite destination.
Note: You are not required to choose an IP, protocols, or ports to add a composite destination. Instead, you can choose the ANY protocol to define a destination that matches traffic on any IP or CIDR, with any port, on the available destination protocols.
Use Wildcard Masks in Composite Destinations
A wildcard mask is a set of bits that describes the parts of an IPv4 address. You can add a wildcard mask for a composite destination in a private access rule to allow or block a range of destinations.
If the traffic matches the wildcard mask, Secure Access routes the traffic to the private destination. The bits on the wildcard mask determine whether to permit access to the private destination.
Guidelines
- Secure Access supports IPv4 32-bit wildcard masks only.
- Secure Access accepts valid wildcard masks only.
- If the bit value on the position in the wildcard mask is zero (0), then the bit value on the position in the IPv4 address must match.
- If the bit value on the position in the wildcard mask is one (1), then the bit value on the position in the IPv4 address is ignored.
Examples of Wildcard Masks
| Wildcard Mask | Bits in IPv4 Address | Description |
|---|---|---|
| 0.0.0.63 | 00000000 00000000 00000000 00111111 | Match the first three octets. Match the two leftmost bits of the last octet. Ignores the last six bits. |
| 0.0.0.254 | 00000000 00000000 00000000 11111110 | Match the first three octets. Match the rightmost bit of the last octet. Ignores the first seven bits. |
| 0.0.0.255 | 00000000 00000000 00000000 11111111 | Match the first three octets. Ignores the last octet. |
Combining Multiple Destinations in a Rule (Boolean Logic)
If a private access rule includes multiple destinations, the following boolean logic applies:
- All types of destinations, and all destinations within a type, are treated as using the boolean OR operator. Traffic to each destination that you specify in a rule matches the rule.
- For example, if you specify a content category and an application list as destinations in a single rule, traffic to any destination that is a member of either group will match the rule.
- If you specify ANY for the protocol, then all traffic on the protocols (TCP, UDP, ICMP) supported by the private access rule matches the rule, regardless of any other destinations that you specify.
About Configuring Sources in Private Access Rules< About Configuring Destinations in Private Access Rules > Display a Notification for Blocked Private Destinations
Updated 2 days ago