About Configuring Sources in Internet Access Rules
The Cisco Secure Access policy is a collection of an organization's internet and private access rules. On internet rules, you can add source and destination components.
Sources on internet rules are either pre-configured or composite components. Source components such as Registered Networks and Network Tunnel Groups acquire and manage the web traffic in your organization.
Composite sources may include an IP address, CIDR block, or wildcard mask.
This guide describes the configuration options for source components on internet access rules.
Table of Contents
- Source Components for Internet Access Rules
- Composite Sources for Internet Access Rules
- Combining Multiple Sources in a Rule (Boolean Logic)
Source Components for Internet Access Rules
You should pre-configure sources for internet access rules. For more information, see Source Components for Internet Access Rules.
If you see an option to "Select All", this selects all existing items in the group at the time you select it, but the rule will not include items added to the group in future.
If you select Network Tunnel Groups, Secure Access secures and controls access for traffic from IPsec tunnels established by your supported network devices. If you need to know what tunnels are included in a group, navigate to Connect > Network Connections > Network Tunnel Groups and look at the group configuration.
If you select a network tunnel group, the destination also includes IP addresses configured in the network tunnel group for routing, in addition to all associated Internal Networks. IP addresses include routes advertised using Border Gateway Protocol, if that option is selected in the network tunnel group configuration.
Composite Sources for Internet Access Rules
You can define a source using multiple network address components. A composite source accepts IP addresses or CIDR blocks. You can also add an IP address with a wildcard mask directly in an internet access rule.
Limitations of Composite Sources in Internet Rules
- Internet rules with composite sources only support the Allow and Block actions.
- Composite sources do not include ports or protocols.
IP Addresses, CIDR Blocks, and Wildcard Masks
- Sources accept valid public IPv4 addresses, private non-routable IPs (RFC-1918 compliant), CIDR blocks, or wildcard masks.
- You may add public IPs for Registered Networks in Secure Access.
- IP addresses do not require a deployed IPsec tunnel.
For information about wildcard masks, see Using Wildcard Masks on Access Rules.
Adding Composite Sources
You can enter a single IPv4 address, CIDR block, or wildcard mask on an internet access rule.
Important: Secure Access does not support a comma-separated list of wildcard masks.
For more information, see Add an Internet Access Rule—Composite Sources.
Combining IPs, CIDRs, or Wildcard Masks on a Source
When you add various network address components for a source on a rule, Secure Access creates a single source entry. You can add multiple composite sources on a rule.
- The IPs, CIDR blocks, and wildcard masks that you add to the source are OR'ed together.
For example:
<IP address One> OR <CIDR block ONE> OR <IP address Three>
Combining Multiple Sources in a Rule (Boolean Logic)
If an internet rule includes multiple sources, the following boolean logic applies:
- All types of sources, and all sources within a type, are treated as using the boolean OR operator. Traffic from any source that you specify in a rule matches the rule.
- For example, if you specify a user group and a network tunnel group as sources, traffic from any member of either group matches the rule.
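The two OR rules above (entries within a composite source, and sources within a rule) can be checked with a small matcher. This is an added example, not Secure Access code: it parses single IPs, CIDR blocks and wildcard-mask entries into a common (base, care-bits) form, rejects entries that are neither public nor RFC 1918, and evaluates a constructed rule. The wildcard mask is assumed to follow the Cisco ACL convention (0 bits must match, 1 bits are ignored); the sample addresses are constructed.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF
# RFC 1918 ranges are accepted as sources alongside public addresses (per the page).
RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

def _is_candidate(addr):
    """Accept RFC 1918 space or anything not obviously non-public (loopback, link-local,
    multicast, reserved, unspecified). Not an exhaustive special-purpose-range check."""
    if any(addr in net for net in RFC1918):
        return True
    return not (addr.is_loopback or addr.is_link_local or addr.is_multicast
                or addr.is_reserved or addr.is_unspecified)

def parse_entry(text):
    """Parse one entry into (base, care): 'care' marks the bits a client IP must match.
    Forms: 'a.b.c.d' (single IP), 'a.b.c.d/n' (CIDR), 'a.b.c.d w.x.y.z' (wildcard mask,
    assumed Cisco ACL convention: 0 bits must match, 1 bits are ignored)."""
    text = text.strip()
    if "," in text:  # the page: no comma-separated lists of wildcard masks in one entry
        raise ValueError(f"comma-separated list not supported: {text!r}")
    if " " in text:
        addr, wild = text.split()
        base = int(ipaddress.IPv4Address(addr))
        care = ALL_ONES ^ int(ipaddress.IPv4Address(wild))  # invert the wildcard mask
    else:
        net = ipaddress.IPv4Network(text, strict=False)  # a bare IP becomes a /32
        base, care = int(net.network_address), int(net.netmask)
    base &= care  # normalise: keep only the bits we care about
    if not _is_candidate(ipaddress.IPv4Address(base)):
        raise ValueError(f"not a public or RFC 1918 address: {text!r}")
    return base, care

def parse_source(entries):
    """One composite source: its IPs, CIDRs and wildcard entries are OR'ed together."""
    return [parse_entry(e) for e in entries]

def matches_source(ip, source):
    ip_int = int(ipaddress.IPv4Address(ip))
    return any((ip_int & care) == base for base, care in source)

def rule_matches(ip, sources):
    """Several sources on one rule are also OR'ed: traffic from any of them matches."""
    return any(matches_source(ip, src) for src in sources)

# Constructed sample rule with two composite sources; the non-contiguous wildcard
# 0.0.254.255 keeps only the low bit of the third octet, so even /24s match.
SAMPLE_RULE = [
    parse_source(["203.0.113.7", "10.20.0.0/16", "192.168.0.0 0.0.254.255"]),
    parse_source(["172.16.5.0/24"]),
]
```

Calling `rule_matches("192.168.4.77", SAMPLE_RULE)` returns True via the wildcard entry, while `192.168.5.77` (odd third octet) does not match any entry.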