About Configuring Sources in Private Access Rules

The Cisco Secure Access policy is a collection of your access rules and rule settings. Private access rules include source components and have security controls and intrusion prevention system (IPS) settings that manage the security of the traffic in your organization. Registered Networks and Network Tunnel Groups acquire and manage the private traffic in your organization.

You can add pre-configured source components or enter multiple IP addresses, CIDR blocks, or wildcard masks for a source in a private access rule. This guide describes the configuration options for source components.

Source Components for Private Access Rules

  • The Select All option selects all existing items in the group, but does not include items added to the group in future.
  • When you select Network Tunnel Groups, Secure Access secures and controls traffic from IPsec tunnels established by your supported network devices. If you need to know what tunnels are included in a group, navigate to Connect > Network Connections > Network Tunnel Groups and look at the group configuration.

Composite Sources for Private Access Rules

You can define a source using multiple network address components. A composite source accepts IP addresses, CIDR blocks, and wildcard masks directly in a private access rule.

Note: If you allow access from a branch network and you specify users or user groups as sources, you must also configure SAML authentication for those users.

Limitations of Composite Sources

  • Private access rules with composite sources support only the Allow and Block actions.
  • Composite sources describe addresses only; they do not include ports or protocols.

IP Addresses, CIDR Blocks, and Wildcard Masks

  • Sources accept public IPv4 addresses and private, non-routable (RFC 1918) addresses. You can add public IPs for Registered Networks in Secure Access.
  • Sources accept CIDR blocks.
  • Sources do not require a deployed IPsec tunnel for the source IP addresses.
  • Sources only accept valid IPv4 addresses.
  • For information about wildcard masks, see Use Wildcard Masks in Composite Sources.

Add Composite Sources

Add composite sources in private access rules.

  1. Navigate to Secure > Access Policy > Add Rule > Private Access.

  2. Navigate to Specify Access and then click on the search bar under From.

  3. Click Add a source and then enter an IPv4 address or CIDR block, or an IPv4 address or CIDR block with a wildcard mask.

    For Wildcard Mask, use this format: <IP address or CIDR block>/<Wildcard Mask>.

After you add a composite source, click +1More to view the list of sources that you added to the rule.

Combining IPs, CIDRs, or Wildcard Masks on a Source

When you add several network address components to one source on a rule, Secure Access combines them into a single source entry. You can add multiple composite sources to a rule.

  • The IPs, CIDR blocks, and wildcard masks that you add to a source are OR'ed together: traffic whose source address matches any one of them matches the source.

For example:

<IP address One> OR <CIDR block Two> OR <IP address Three>

Use Wildcard Masks in Composite Sources

A wildcard mask is a 32-bit value that specifies which bits of an IPv4 address must match and which bits are ignored. You can add a wildcard mask to a composite source in a private access rule to allow or block a range of source addresses with a single entry.

If the source address of the traffic matches the address and wildcard mask set in the source, the rule applies its action (Allow or Block) to that traffic.

Guidelines

  • Secure Access supports IPv4 32-bit wildcard masks only.
  • Secure Access accepts valid wildcard masks only.
  • If the bit value on the position in the wildcard mask is zero (0), then the bit value on the position in the IPv4 address must match.
  • If the bit value on the position in the wildcard mask is one (1), then the bit value on the position in the IPv4 address is ignored.

Examples of Wildcard Masks

  Wildcard mask   Wildcard mask in binary               Description
  0.0.0.63        00000000 00000000 00000000 00111111   Match the first three octets and the two leftmost bits of the last octet; ignore the last six bits.
  0.0.0.254       00000000 00000000 00000000 11111110   Match the first three octets and the rightmost bit of the last octet; ignore the first seven bits of the last octet.
  0.0.0.255       00000000 00000000 00000000 11111111   Match the first three octets; ignore the last octet.

Combining Multiple Sources in a Rule (Boolean logic)

If a private access rule includes multiple sources, the following boolean logic applies:

  • All types of sources, and all sources within a type, are combined with the boolean OR operator. Traffic from any one of the sources that you specify in a rule matches the rule.
    • For example, if you specify a user group and a network tunnel group as sources, traffic from any member of either group matches the rule.
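The matching semantics described on this page (IPv4 address, CIDR block, or <IP address or CIDR block>/<wildcard mask> entries; wildcard bit 0 means the address bit must match, bit 1 means it is ignored; entries and sources OR'ed together) can be checked offline with the small evaluator below. This is an added example, not Secure Access code, and it makes one assumption the page does not spell out: an entry that carries both a CIDR prefix and a wildcard mask is treated as requiring both constraints at once. The sample entries and probe addresses are constructed for illustration.

```python
"""Illustrative evaluator for composite-source matching in private access rules.

Added example, not Secure Access code. It implements the semantics the page
describes: an entry is an IPv4 address, a CIDR block, or
<IP address or CIDR block>/<wildcard mask>; a wildcard bit of 0 means the
address bit must match, a bit of 1 means it is ignored; the entries of one
source are OR'ed together. Treating "CIDR + wildcard" as both constraints at
once is an assumption of this example.
"""
import ipaddress
import re
from typing import Iterable, Tuple

# Shape check only (four dotted numbers); ipaddress does the real validation.
_QUAD = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_wildcard(mask: str) -> int:
    """Return a 32-bit wildcard mask as an int. 'Valid' here means four octets
    in 0-255; non-contiguous masks such as 0.0.0.254 are accepted because the
    page itself lists one. Anything else raises ValueError."""
    if not _QUAD.fullmatch(mask):
        raise ValueError(f"invalid wildcard mask: {mask!r}")
    return int(ipaddress.IPv4Address(mask))   # rejects octets > 255


def wildcard_bits(mask: str) -> str:
    """Render a wildcard mask as four binary octets, as in the table above."""
    value = parse_wildcard(mask)
    return " ".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def parse_entry(entry: str) -> Tuple[int, int]:
    """Compile one source entry to (base, care). An address matches the entry
    when (address & care) == base; 'care' holds the bits that must match."""
    parts = entry.strip().split("/")
    if len(parts) == 1:                                    # 10.1.2.3
        addr, prefix, wildcard = parts[0], None, None
    elif len(parts) == 2 and _QUAD.fullmatch(parts[1]):    # 10.1.2.0/0.0.0.255
        addr, prefix, wildcard = parts[0], None, parts[1]
    elif len(parts) == 2:                                  # 10.1.2.0/24
        addr, prefix, wildcard = parts[0], int(parts[1]), None
    elif len(parts) == 3:                                  # 10.1.0.0/16/0.0.255.254
        addr, prefix, wildcard = parts[0], int(parts[1]), parts[2]
    else:
        raise ValueError(f"unrecognised source entry: {entry!r}")

    base = int(ipaddress.IPv4Address(addr))    # IPv4 only: IPv6 raises ValueError
    if prefix is None and wildcard is None:
        care = 0xFFFFFFFF                       # bare address: every bit must match
    else:
        care = 0
        if prefix is not None:                  # CIDR: the prefix bits must match
            net = ipaddress.IPv4Network((addr, prefix), strict=False)
            care |= int(net.netmask)
        if wildcard is not None:                # wildcard 1 = ignore, so care = ~wildcard
            care |= ~parse_wildcard(wildcard) & 0xFFFFFFFF
    return base & care, care


def matches_entry(address: str, entry: str) -> bool:
    """True if the IPv4 address matches a single composite-source entry."""
    base, care = parse_entry(entry)
    return (int(ipaddress.IPv4Address(address)) & care) == base


def source_matches(address: str, entries: Iterable[str]) -> bool:
    """A composite source matches when ANY of its entries matches (OR logic)."""
    return any(matches_entry(address, e) for e in entries)


def rule_matches(address: str, sources: Iterable[Iterable[str]]) -> bool:
    """Sources on a rule are OR'ed as well: any matching source matches the rule."""
    return any(source_matches(address, s) for s in sources)


if __name__ == "__main__":
    # Constructed sample source covering each entry form on the page.
    source = ["198.51.100.7", "10.0.0.0/8", "192.0.2.64/0.0.0.63", "172.16.0.0/16/0.0.255.254"]
    for probe in ["198.51.100.7", "10.200.1.1", "192.0.2.100", "192.0.2.128", "172.16.9.4", "172.16.9.5"]:
        print(f"{probe:>14}  matches={source_matches(probe, source)}")
    for mask in ["0.0.0.63", "0.0.0.254", "0.0.0.255"]:
        print(f"{mask:>10}  {wildcard_bits(mask)}  ignored bits={bin(parse_wildcard(mask)).count('1')}")
```

The point worth checking before committing a rule is that a wildcard mask widens a match in ways a CIDR block cannot express: 192.0.2.1/0.0.0.254 matches every odd host in the last octet, not a contiguous range, so a quick pass over a few representative addresses with a helper like this is a cheap way to confirm an entry allows or blocks exactly what you intended.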
