About Configuring Sources in Internet Access Rules

The Cisco Secure Access policy is a collection of your access rules and rule settings. On internet rules, you can configure DNS and Web security and intrusion prevention system (IPS) settings for the source network components in your organization to reach internet destinations securely. Registered Networks and Network Tunnel Groups acquire and manage the web traffic in your organization.

An internet rule includes source components. You can add pre-configured source components or enter multiple IP addresses and CIDR blocks on a source on an internet rule. This guide describes the configuration options for source components.

Table of Contents

Source Components for Internet Access Rules

You should pre-configure sources for internet access rules. For more information, see Source Components for Internet Access Rules.

If you see an option to "Select All", this selects all existing items in the group at the time you select it, but the rule will not include items added to the group in future.

If you select Network Tunnel Groups, Secure Access secures and controls access from traffic from IPsec tunnels established by your supported network devices. If you need to know what tunnels are included in a group, navigate to Connect > Network Connections > Network Tunnel Groups and look at the group configuration.

If you select a network tunnel group, the destination also includes IP addresses configured in the network tunnel group for routing, in addition to all associated Internal Networks. IP addresses include routes advertised using Border Gateway Protocol, if that option is selected in the network tunnel group configuration.

Composite Sources for Internet Access Rules

You can define a source from multiple network address components. A composite source accepts IP addresses and CIDR blocks directly in an internet rule.

Limitations of Composite Sources in Internet Rules

  • Internet rules with composite sources only support the Allow and Block actions.
  • Composite sources do not include ports or protocols.

IP Addresses and CIDR Blocks

  • Sources accept public IPs and private non-routable IPs (RFC-1918 compliant). You may add public IPs for Registered Networks in Secure Access.
  • Sources accept CIDR blocks.
  • Sources do not require a deployed IPsec tunnel for the source IP addresses.
  • Sources only accept valid IP addresses.

Add Composite Sources

  1. Navigate to Secure > Access Policy > Add Rule > Internet Access.
  2. Navigate onto From, click Add a source and then enter IP addresses or CIDR blocks.

After you add a network address or range, click +1More to view the list of sources that you added to the rule.

Combining IPs or CIDRs on a Source

When you add various network address components for a source on a rule, Secure Access creates a single source entry. You can add multiple composite sources on a rule.

  • The IPs and CIDR blocks added to the source are OR'ed together.

For example:

<IP address One> OR <CIDR block ONE> OR <IP address Three>

Combining Multiple Sources in a Rule (Boolean logic)

If an internet rule includes multiple sources, the following boolean logic applies:

  • All types of sources, and all sources within a type, are treated as using the boolean OR operator. Traffic to each source that you specify in a rule matches the rule.
    • For example, if you specify a user group and a network tunnel group as sources, traffic from any member of either group matches the rule.

Add an Internet Access Rule< About Configuring Sources in Internet Access Rules > About Configuring Destinations in Internet Access Rules