Destination Alias
- Network aliases can reference internal networks, groups of servers, or external servers.
Example Destination Aliases
- Create the network destination rule.
netdestination corp-internal
network 10.15.0.0 255.255.254.0
network 10.15.2.0 255.255.255.0
network 10.15.3.0 255.255.255.128
network 10.15.3.128 255.255.255.192
network 10.15.3.192 255.255.255.224
network 10.15.3.224 255.255.255.224
- Create a firewall policy/rule that allows full access to the internal servers using an alias.
ip access-list session ACL-PERMIT-INTERNAL-NETWORKS
user alias corp-internal any permit
- Associate the new policy with the existing user role.
user-role USER-ROLE-EMPLOYEE-1
access-list session ACL-DENY-COMPANY-SECURITY-POLICY-EXAMPLE
access-list session ACL-EMPLOYEE-VOICE
access-list session ACL-DENY-CLIENT-AS-DHCP-SERVER
access-list session ACL-PERMIT-INTERNAL-NETWORKS
access-list session allowall
A quick note about positioning.
- Firewall rules are processed from top to bottom.
- Positioning of rules is extremely important.
- You can use the “position” keyword to insert a rule into the desired location in numerical order.
- Position number 1 is reserved for the “Global Session ACL,” and position number 2 is reserved for the role “default session.”
Example:
access-list session ACL-PERMIT-INTERNAL-NETWORKS position 1
Position 1 and 2 are reserved for Global and Role default session ACLs.
access-list session ACL-PERMIT-INTERNAL-NETWORKS position 2
Position 1 and 2 are reserved for Global and Role default session ACLs.
Look at the original rule and start counting from “3”
Original Rule:
user-role USER-ROLE-EMPLOYEE-1
access-list session ACL-DENY-COMPANY-SECURITY-POLICY-EXAMPLE
access-list session ACL-EMPLOYEE-VOICE
access-list session ACL-DENY-CLIENT-AS-DHCP-SERVER
access-list session allowall
Command
access-list session ACL-PERMIT-INTERNAL-NETWORKS position 6
New Rule:
user-role USER-ROLE-EMPLOYEE-1
access-list session ACL-DENY-COMPANY-SECURITY-POLICY-EXAMPLE
access-list session ACL-EMPLOYEE-VOICE
access-list session ACL-DENY-CLIENT-AS-DHCP-SERVER
access-list session ACL-PERMIT-INTERNAL-NETWORKS
access-list session allowall
Wildcard character
In some cases, it is more efficient to utilize the wildcard character in rules. The “*” wildcard is a versatile tool for performing searches and matching patterns with variable or unknown content. It allows you to find and manipulate data efficiently in various computing contexts.
netdestination wildcard-example
name *.example.com
name *.app.example
name *servers.app.example
Note: The Aruba WLC must be able to resolve DNS queries when using netdestination rules that contain URLs or domain names.
cd /mm/mynode
ip name-server 4.2.2.1