About Configuring Sources in Private Access Rules
The Cisco Secure Access policy is a collection of your access rules and rule settings. Private access rules include source components and have security controls and intrusion prevention system (IPS) settings that manage the security of the traffic in your organization. Registered Networks and Network Tunnel Groups acquire and manage the private traffic in your organization.
You can add pre-configured source components or enter multiple IP addresses, CIDR blocks, or wildcard masks for a source in a private access rule. This guide describes the configuration options for source components.
Table of Contents
- Source Components for Private Access Rules
- Composite Sources for Private Access Rules
- Combining Multiple Sources in a Rule (Boolean Logic)
Source Components for Private Access Rules
- The Select All option selects all existing items in the group, but does not include items added to the group in future.
- When you select Network Tunnel Groups, Secure Access secures and controls traffic from IPsec tunnels established by your supported network devices. If you need to know what tunnels are included in a group, navigate to Connect > Network Connections > Network Tunnel Groups and look at the group configuration.
Composite Sources for Private Access Rules
You can define a source using multiple network address components. A composite source accepts IP addresses, CIDR blocks, and wildcard masks directly in a private access rule.
Note: If you will allow access from a branch network, and you specify users or user groups, you must also configure SAML authentication for those users.
Limitations of Composite Sources
- Private Access rules with composite sources only support the Allow and Block actions.
- Composite sources do not include ports or protocols.
IP Addresses, CIDR Blocks, and Wildcard Masks
- Sources accept public IPv4 addresses and private non-routable IPs (RFC-1918 compliant). You may add public IPs for Registered Networks in Secure Access.
- Sources accept CIDR blocks.
- Sources do not require a deployed IPsec tunnel for the source IP addresses.
- Sources only accept valid IPv4 addresses.
For information about wildcard masks, see Using Wildcard Masks on Access Rules.
Adding Composite Sources
You can enter a single IPv4 address, CIDR block, or wildcard mask on a private access rule.
Important: Secure Access does not support a comma-separated list of wildcard masks.
For more information, see Add a Private Access Rule—Composite Sources .
Combining IPs, CIDRs, or Wildcard Masks on a Source
When you add various network address components for a source on a rule, Secure Access creates a single source entry. You can add multiple composite sources on a rule.
- The IPs, CIDR blocks, and wildcard masks that you add to the source are OR'ed together.
For example:
<IP address One> OR <CIDR block ONE> OR <IP address Three>
Combining Multiple Sources in a Rule (Boolean logic)
If a private access rule includes multiple sources, the following boolean logic applies:
- All types of sources, and all sources within a type, are treated as using the boolean OR operator. Traffic to each source that you specify in a rule matches the rule.
- For example, if you specify a user group and a network tunnel group as sources, traffic from any member of either group matches the rule.
Add a Private Access Rule< About Configuring Sources in Private Access Rules > About Configuring Destinations in Private Access Rules
Updated about 2 months ago