Create the Cisco extended ACL
An extended ACL is an ordered list of statements that can deny or permit packets based on source and destination IP address, port numbers and upper-layer protocols.
This ACL is a sample of the type of ACL you might create to work in conjunction with your FortiNAC software and its CLI configurations. Be sure that you know the IP address of the FortiNAC appliance and the IP range of the DHCP scope for your hosts. Log into the device and create an extended access list.
All information in an ACL is case sensitive.
Example

```
configure terminal
ip access-list extended Nac
500 permit udp 192.168.34.0 0.0.0.255 host 192.168.105.2 eq 4567
501 deny ip 192.168.34.0 0.0.0.255 host 192.168.105.2
502 permit ip any any
end
write memory
```
Settings

Command | Definition | Data From Example
---|---|---
ip access-list extended | Indicates the type of ACL and the user-specified name of the ACL. In this example, the name is Nac. | ip access-list extended Nac
permit or deny | Allow or block traffic. This is a required field. | permit, deny
protocol | IP, TCP, UDP, ICMP, GRE and IGRP. TCP, UDP and ICMP use IP at the network layer. | udp, ip
source | The source IP address. This is a required field. In the example, this is the IP range for your hosts. When `any` is used it indicates that any IP address can connect. | 192.168.34.0, any
source mask | Wildcard mask; 0s indicate bit positions that must match, 1s indicate don't-care positions (inverted mask). Required. | 0.0.0.255
destination | Destination IP address. This is the IP address of the FortiNAC appliance that is used for isolating hosts that are not registered or that have failed a security policy scan. When `any` is used it indicates that the host can connect to any IP address. | host 192.168.105.2, any
operator destination port | lt, gt, eq, neq (less than, greater than, equal, not equal) and a port number. In this example 4567 is the port number through which the Persistent Agent communicates with the FortiNAC appliance. This port must remain reachable if you are using the Persistent Agent to scan your hosts. | eq 4567
In the example, 192.168.34.0/24 is the hosts' IP range. The host IP 192.168.105.2 is the Isolation interface on the FortiNAC appliance. This is the default state for all registered hosts: it allows them to reach anywhere on the network except the Isolation interface, while still permitting the Persistent Agent's UDP 4567 traffic to that interface. Because the ACL is evaluated top-down and the first matching entry wins, the order of lines 500 and 501 matters: if the deny preceded the permit, agent traffic would be blocked as well.
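To confirm that an ACL like the one above actually expresses the intended policy before it is pushed to a switch, it helps to evaluate sample packets against it using Cisco's first-match and wildcard-mask semantics. The following is an added example written for this page, not FortiNAC or Cisco code: it parses the ACE lines from the example (copied here as constructed input), evaluates a few constructed packets, and reports which sequence number decides each one, including the implicit deny at the end of every Cisco ACL. Only the `permit`/`deny`, protocol, source, destination and destination-port operator fields from the table are supported; everything else about the syntax is an assumption of this toy parser.

```python
"""Added example (not FortiNAC or Cisco code): evaluate packets against a
Cisco extended ACL using first-match and wildcard-mask semantics."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The ACE lines from the page's example, used here as constructed input.
ACL_LINES = [
    "ip access-list extended Nac",
    "500 permit udp 192.168.34.0 0.0.0.255 host 192.168.105.2 eq 4567",
    "501 deny ip 192.168.34.0 0.0.0.255 host 192.168.105.2",
    "502 permit ip any any",
]


@dataclass
class Packet:
    proto: str              # "udp", "tcp", "icmp", ... ("ip" in an ACE matches all of them)
    src: str
    dst: str
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match the base, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tok: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_acl(lines: List[str]) -> list:
    """Parse '<seq> permit|deny <proto> <src> <dst> [eq|neq|lt|gt <port>]' lines.
    Lines that do not start with a sequence number (the access-list header) are skipped."""
    entries = []
    for line in lines:
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue
        seq, action, proto = int(tok[0]), tok[1].lower(), tok[2].lower()
        src, smask, i = _parse_addr(tok, 3)
        dst, dmask, i = _parse_addr(tok, i)
        op, port = None, None
        if i < len(tok):
            op, port = tok[i].lower(), int(tok[i + 1])
        entries.append((seq, action, proto, src, smask, dst, dmask, op, port))
    # IOS evaluates ACEs in sequence-number order regardless of entry order.
    entries.sort(key=lambda e: e[0])
    return entries


def _port_ok(op: Optional[str], port: Optional[int], dport: Optional[int]) -> bool:
    if op is None:
        return True
    if dport is None:          # operator present but packet carries no port
        return False
    return {"eq": dport == port, "neq": dport != port,
            "lt": dport < port, "gt": dport > port}[op]


def evaluate(acl: list, pkt: Packet) -> Tuple[Optional[int], str]:
    """Return (sequence, action) of the first matching ACE; (None, 'deny') is the implicit deny."""
    for seq, action, proto, src, smask, dst, dmask, op, port in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, src, smask):
            continue
        if not wildcard_match(pkt.dst, dst, dmask):
            continue
        if not _port_ok(op, port, pkt.dport):
            continue
        return seq, action
    return None, "deny"


ACL = parse_acl(ACL_LINES)

if __name__ == "__main__":
    # Constructed packets: agent traffic, a web request to the isolation
    # interface, and normal traffic elsewhere on the network.
    for p in (Packet("udp", "192.168.34.10", "192.168.105.2", 4567),
              Packet("tcp", "192.168.34.10", "192.168.105.2", 443),
              Packet("tcp", "192.168.34.10", "10.0.0.5", 80)):
        print(p, "->", evaluate(ACL, p))
```

Running the script shows the three outcomes the page describes: the Persistent Agent's UDP 4567 packet is permitted by line 500, any other traffic from the hosts' range to the Isolation interface is denied by line 501, and everything else is permitted by line 502. Reordering 500 and 501 in `ACL_LINES` and re-running is a quick way to see why sequence numbers matter.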