This command creates and configures an access rule in the Firewall-and-NAT policy.
Privilege:
Security Administrator, Administrator
Syntax
access-rule { no-ruledef-matches { downlink | uplink } action { deny [ charging-action charging_action ] | permit [ bypass-nat | nat-realm nat_realm [ fw-and-nat-action name ] ] } | priority priority { [ dynamic-only | static-and-dynamic ] access-ruledef ruledef_name { deny [ charging-action charging_action ] | permit [ [ bypass-nat | nat-realm nat_realm [ fw-and-nat-action name ] ] | trigger open-port { port_number | range start_port to end_port } direction { both | reverse | same } ] } } }
default access-rule no-ruledef-matches { downlink | uplink } action
no access-rule priority priority
default
Restores the no-ruledef-matches action for the specified direction to its default setting.
Default: Uplink direction: permit; Downlink direction: deny
no
Removes the access rule with the specified priority from the policy.
no-ruledef-matches
Configures the action taken on packets that match no access ruledef in the policy.
downlink
Specifies to act on downlink packets with no ruledef match.
uplink
Specifies to act on uplink packets with no ruledef match.
action
Specifies the action to take on downlink/uplink packets with no ruledef match.
deny
Specifies to deny (drop) the packets.
permit
Specifies to permit the packets and allow the creation of data flows.
charging-action charging_action
Specifies the charging action. A charging action can optionally be configured for the deny action. If a packet matches a deny rule, the action taken is the one configured in the charging action: the content-ID and billing-action configured in the charging action are used, and the flow may be terminated (instead of just the packet being discarded) if the charging action is so configured.
charging_action must be an alphanumeric string of 1 through 63 characters.
bypass-nat
IMPORTANT:
In 9.0 and later releases, this keyword is NAT license dependent.
Specifies to bypass NAT for packets matching the rule.
nat-realm nat_realm
IMPORTANT:
In 9.0 and later releases, this keyword is NAT license dependent.
Specifies the NAT realm to be used to perform NAT on subscriber packets matching the access ruledef. If no NAT realm is specified, NAT is bypassed: NAT is not performed on subscriber packets matching a ruledef that has no NAT realm name configured.
nat_realm must be an alphanumeric string of 1 through 31 characters.
priority priority
Specifies the priority of the access ruledef in the Firewall-and-NAT policy. Rules are matched in priority order.
priority must be an integer from 1 through 65535 that is unique for each access ruledef in the Firewall-and-NAT policy.
[ dynamic-only | static-and-dynamic ] access-ruledef ruledef_name
Specifies the access ruledef name. Optionally, the ruledef type can also be specified.
- dynamic-only: Dynamic Ruledef. A predefined ruledef that can be enabled/disabled by the policy server, and is disabled by default.
- static-and-dynamic: Static and Dynamic Ruledef. A predefined ruledef that can be enabled/disabled by the policy server, and is enabled by default.
- access-ruledef ruledef_name: Specifies the access ruledef name. ruledef_name must be an alphanumeric string of 1 through 63 characters.
trigger open-port { port_number | range start_port to end_port } direction { both | reverse | same }
IMPORTANT:
In 9.0 and later releases, this keyword is Stateful Firewall license dependent.
Optionally, a port trigger can be specified for this rule to limit the auxiliary data connections (a single port number or a range of port numbers) opened for protocols that have separate control and data connections (such as FTP). The trigger port is the destination port of an association that matches the rule.
- port_number: Specifies the auxiliary port number to open for traffic, and must be an integer from 1 through 65535.
- range start_port to end_port: Specifies the range of port numbers to open for subscriber traffic.
  - start_port must be an integer from 1 through 65535.
  - end_port must be an integer from 1 through 65535, and must be greater than start_port.
- direction { both | reverse | same }: Specifies the direction from which the auxiliary connection is initiated, relative to the control connection: the same direction as the control connection, the reverse direction, or both.
  - both: Opens the port for auxiliary connections initiated in either direction relative to the control connection.
  - reverse: Opens the port for auxiliary connections initiated in the direction opposite to the control connection (by the side that did not initiate the control connection).
  - same: Opens the port for auxiliary connections initiated in the same direction as the control connection (by the side that initiated the control connection).
Usage:
Use this command to add access ruledefs to the Firewall-and-NAT policy and to configure the priority and action for rule matching.
The policy specifies the rules to be applied on calls. The ruledefs in the policy have priorities, and matching is done in priority order.
For Stateful Firewall, the port trigger configuration is optional, and can be configured only if the rule action is permit. When a rule is matched and the rule action is permit, if a trigger is configured, the appropriate check is made. The trigger port is the destination port of an association that matches the rule. Multiple triggers can be defined for the same port number to permit multiple auxiliary ports for subscriber traffic.
When a rule is matched and the rule action is deny, the action taken depends on what is configured in the specified charging action. If the flow exists, flow statistics are updated and action is taken as configured in the charging action:
- If the billing action is configured as Event Data Record (EDR) enabled, an EDR is generated.
- If the content ID is configured, UDR information is updated.
- If the flow action is configured as "terminate-flow", the flow is terminated instead of just the packet being discarded.
If the billing action, content ID, and flow action are not configured, no action is taken on the dropped packets.
IMPORTANT:
For Stateful Firewall, only the terminate-flow action is applicable if configured in the specified charging action.
Allowing/dropping of packets is determined in the following sequence:
- A check is made to see whether the packet matches any pinhole. If it does, no rule matching is done and the packet is allowed.
- Access ruledef matching is done in priority order. If a rule matches, the packet is allowed or dropped as per the access-rule priority configuration.
- If no access ruledef matches, the packet is allowed or dropped as per the access-rule no-ruledef-matches configuration for its direction.
For a packet dropped due to an access ruledef match or no match (the first packet of a flow), the charging action applied is the one configured in the access-rule priority or the access-rule no-ruledef-matches command respectively.
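The decision sequence above, as an added example written for this page rather than taken from StarOS: a Python simulation of the pinhole check, priority-ordered access ruledef matching (with disabled dynamic ruledefs skipped), and the per-direction no-ruledef-matches default of uplink permit / downlink deny. The classes, the rule names other than test_rule, the charging-action names and the addresses are constructed for the example and are assumptions, not StarOS identifiers.

```python
# Added example (not StarOS code): simulation of the access-rule decision sequence.
# Packet, Ruledef, AccessRule, Pinhole and Policy are this example's own names.
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "uplink" (subscriber -> network) or "downlink"
    proto: str
    sub_ip: str      # subscriber address
    peer_ip: str     # network-side address
    dst_port: int


@dataclass
class Ruledef:
    name: str
    match: Callable[[Packet], bool]
    dynamic: bool = False  # dynamic-only: disabled until the policy server enables it


@dataclass
class AccessRule:
    priority: int
    ruledef: Ruledef
    action: str                             # "permit" or "deny"
    charging_action: Optional[str] = None   # used only with deny
    trigger: Optional[tuple] = None         # (start_port, end_port, direction) with permit


@dataclass
class Pinhole:
    sub_ip: str
    peer_ip: str
    direction: str
    ports: range


@dataclass
class Policy:
    rules: list
    # no-ruledef-matches defaults from the page: uplink permit, downlink deny
    no_match: dict = field(default_factory=lambda: {"uplink": "permit", "downlink": "deny"})
    no_match_charging: dict = field(default_factory=dict)
    pinholes: list = field(default_factory=list)
    enabled_dynamic: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> tuple:
        """Return (action, matched_by, charging_action) for the first packet of a flow."""
        # 1. Pinhole check: a matching pinhole allows the packet; no rule matching is done.
        for ph in self.pinholes:
            if ((ph.sub_ip, ph.peer_ip, ph.direction) == (pkt.sub_ip, pkt.peer_ip, pkt.direction)
                    and pkt.dst_port in ph.ports):
                return ("permit", "pinhole", None)
        # 2. Ruledef matching in ascending priority; dynamic rules not enabled for
        #    this subscriber are not matched at all.
        for rule in sorted(self.rules, key=lambda r: r.priority):
            rd = rule.ruledef
            if rd.dynamic and rd.name not in self.enabled_dynamic:
                continue
            if rd.match(pkt):
                if rule.action == "permit" and rule.trigger:
                    self._open_pinholes(pkt, rule.trigger)
                ca = rule.charging_action if rule.action == "deny" else None
                return (rule.action, f"priority {rule.priority}", ca)
        # 3. No ruledef matched: apply the per-direction no-ruledef-matches action.
        action = self.no_match[pkt.direction]
        ca = self.no_match_charging.get(pkt.direction) if action == "deny" else None
        return (action, "no-ruledef-matches", ca)

    def _open_pinholes(self, pkt: Packet, trigger: tuple) -> None:
        """Open the auxiliary destination-port range relative to the control connection."""
        start, end, direction = trigger
        opposite = {"uplink": "downlink", "downlink": "uplink"}[pkt.direction]
        dirs = {"same": [pkt.direction], "reverse": [opposite],
                "both": [pkt.direction, opposite]}[direction]
        for d in dirs:
            self.pinholes.append(Pinhole(pkt.sub_ip, pkt.peer_ip, d, range(start, end + 1)))


def build_policy() -> Policy:
    """Constructed policy: the page's test_rule plus an assumed deny rule and dynamic rule."""
    ftp_ctrl = Ruledef("test_rule", lambda p: p.proto == "tcp" and p.dst_port == 21)
    telnet = Ruledef("telnet", lambda p: p.proto == "tcp" and p.dst_port == 23)
    p2p = Ruledef("p2p_dyn", lambda p: p.proto == "tcp" and p.dst_port == 6881, dynamic=True)
    return Policy(rules=[
        AccessRule(10, ftp_ctrl, "permit", trigger=(1000, 2000, "both")),
        AccessRule(20, telnet, "deny", charging_action="ca_drop_telnet"),
        AccessRule(30, p2p, "deny", charging_action="ca_drop_p2p"),
    ])


def demo() -> dict:
    pol = build_policy()
    sub, srv = "10.1.1.5", "198.51.100.7"   # constructed addresses
    out = {}
    out["ftp_ctrl"] = pol.decide(Packet("uplink", "tcp", sub, srv, 21))      # permit, opens pinholes
    out["ftp_data"] = pol.decide(Packet("downlink", "tcp", sub, srv, 1500))  # allowed via pinhole
    out["dl_other"] = pol.decide(Packet("downlink", "tcp", sub, srv, 3000))  # downlink default deny
    out["telnet"] = pol.decide(Packet("uplink", "tcp", sub, srv, 23))        # deny with charging action
    out["p2p_off"] = pol.decide(Packet("uplink", "tcp", sub, srv, 6881))     # dynamic rule disabled
    pol.enabled_dynamic.add("p2p_dyn")                                        # policy server enables it
    out["p2p_on"] = pol.decide(Packet("uplink", "tcp", sub, srv, 6881))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The simulation keys pinholes by subscriber/peer pair and direction, so a downlink packet to port 1500 is allowed only after the matching uplink FTP control packet has been permitted by test_rule, while a downlink packet to an unrelated port still falls through to the downlink no-ruledef-matches default and is denied. Stateful flow tracking, NAT and the charging-action side effects (EDR, UDR, terminate-flow) are outside the simulation.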
For action on packets dropped due to any error condition after the data session is created, the charging action must be configured in the flow any-error charging-action command in the ACS Rulebase Configuration Mode.
The GGSN can dynamically activate or deactivate dynamic ruledefs for a subscriber based on the rule name received from a policy server. At rule match, if a rule in the policy is a dynamic rule and the rule is enabled for the particular subscriber, rule matching is done for the rule. If the rule is disabled for the particular subscriber, rule matching is not done for the rule.
Example:
For Stateful Firewall, the following command assigns a priority of 10 to the access ruledef test_rule, adds it to the policy, and permits a port trigger to be used for the rule to open ports in the range of 1000 to 2000 in either direction of the control connection:
access-rule priority 10 access-ruledef test_rule permit trigger open-port range 1000 to 2000 direction both