Cisco Router and Security Device Manager 2.5 User Guide
Editing Access Lists

ACL Editor

Table Of Contents

ACL Editor

Useful Procedures for Access Rules and Firewalls

Rules Windows

Add or Edit a Rule

Associate with an Interface

Add a Standard Rule Entry

Add an Extended Rule Entry

Select a Rule


ACL Editor


Rules define how the router will respond to a particular kind of traffic. Using Cisco SDM, you can create access rules that cause the router to block certain types of traffic while permitting other types, NAT rules that define the traffic that is to receive address translation, and IPSec rules that specify which traffic is to be encrypted. Cisco SDM also provides default rules that are used in guided configurations, and that you can examine and use when you create your own access rules. It also allows you to view rules that were not created using Cisco SDM, called external rules, and rules with syntax that Cisco SDM does not support, called unsupported rules.

Use the Rules screen to view a summary of the rules in the router's configuration and to navigate to other windows to create, edit, or delete rules.

Category

A type of rule. One of the following:

Access Rules

Rules that govern the traffic that can enter and leave the network. These rules are used by router interfaces, and by VTY lines that let users log on to the router.

NAT Rules

Rules that determine how private IP addresses are translated into valid Internet IP addresses.

IPSec Rules

Rules that determine which traffic will be encrypted on secure connections.

NAC Rules

Rules that specify the IP addresses to be admitted to the network, or blocked from the network.

Firewall Rules

Rules that can specify source and destination addresses, type of traffic, and whether the traffic should be permitted or denied.

QoS Rules

Rules that specify traffic that should belong to the QoS Class that the rule is associated with.

Unsupported Rules

Rules that have not been created using Cisco SDM, and that Cisco SDM does not support. These rules are read only, and cannot be modified using Cisco SDM.

Externally Defined Rules

Rules that have not been created using Cisco SDM, but that Cisco SDM does support. These rules may not be associated with any interface.

Cisco SDM Default Rules

These rules are predefined rules that are used by Cisco SDM wizards and that you can apply in the Additional Tasks>ACL Editor windows.


No. of Rules

The number of rules of this type.

Description

A description of the rule if one has been entered.

To configure rules:

Click the category of rule in the rule tree to display the window for that type of rule. Create and edit rules from that window.

The help topic for these windows contains general procedures that you may find helpful. Useful Procedures for Access Rules and Firewalls contains step by step procedures for other tasks.

Useful Procedures for Access Rules and Firewalls

This section contains procedures that you may find useful.

How Do I View Activity on My Firewall?

How Do I Configure a Firewall on an Unsupported Interface?

How Do I Configure a Firewall After I Have Configured a VPN?

How Do I Permit Specific Traffic Through a DMZ Interface?

How Do I Modify an Existing Firewall to Permit Traffic from a New Network or Host?

How Do I Configure NAT Passthrough for a Firewall?

How Do I Permit Traffic Through a Firewall to My Easy VPN Concentrator?

How Do I Associate a Rule with an Interface?

How Do I Disassociate an Access Rule from an Interface?

How Do I Delete a Rule That Is Associated with an Interface?

How Do I Create an Access Rule for a Java List?

Rules Windows

These windows let you examine, create, edit, and delete rules.

Access Rules window—Access rules most commonly define the traffic that you want to permit or deny entry to your LAN or exit from your LAN, but they can be used for other purposes as well.

NAT Rules window—NAT rules are used to specify a set of addresses to translate.

IPSec Rules window—IPSec rules are extended rules used in IPSec policies to specify which traffic will be encrypted for VPN connections.

NAC Rules window—Rules that specify the IP addresses to be admitted to the network, or blocked from the network.

Firewall Rules window—Rules that can specify source and destination addresses, type of traffic, and whether the traffic should be permitted or denied.

QoS Rules window—Rules that specify traffic that should belong to the QoS Class that the rule is associated with.

Unsupported Rules window—Unsupported rules contain syntax or keywords that Cisco SDM does not support. Unsupported rules may affect the way the router operates, but are marked as read-only by Cisco SDM.

Externally Defined Rules window—Externally defined rules are those that Cisco SDM was not used to create.

Cisco SDM Default Rules window—Cisco SDM default rules are pre-defined access rules. They are used in guided first-time configurations, and you can use them in configurations that you create.

NAC Rules window. NAC rules are used in the NAC exception policy to specify hosts that are to be exempted from the NAC validation process. They are also used to define the hosts or networks for admission control.

The upper portion of the screen lists the access rules that have been configured on this router. This list does not contain Cisco SDM default rules. To view Cisco SDM default rules, click the SDM Default Rules branch of the Rules tree.

The lower portion of the window lists the rule entries associated with the selected rule. A rule entry consists of criteria that incoming or outgoing traffic is compared against, and the action to take on traffic matching the criteria. If traffic does not match the criteria of any of the entries in this box, it is dropped.

First column

This column may contain icons that indicate the status of a rule.

If the rule is read only, the read-only icon will appear in this column.


Name/Number

The name or the number of the access rule.

The numbers 1 through 99 are used to identify standard access lists. The numbers 100 through 199 are used to identify extended access lists. Names, which can contain alphabetic characters, allow you to extend the range of standard access lists beyond 99, and extended access lists beyond 199.

Used By

The name of the interface or VTY numbers to which this rule has been applied.

Type

The type of rule, either standard or extended.

Standard rules compare a packet's source IP address against its IP address criteria to determine a match. The rule's IP address criteria can be a single IP address, or portions of an IP address, defined by a wildcard mask.

Extended rules can examine a greater variety of packet fields to determine a match. Extended rules can examine both the packet's source and destination IP addresses, the protocol type, the source and destination ports, and other packet fields.

Access rules can be either standard rules or extended rules. IPSec rules have to be extended rules because they must be able to specify a service type. Externally defined and unsupported rules may be either standard or extended.

Description

A description of the rule, if one has been entered.

First Column (Rule Entry Area)

This column contains an icon that shows the action of the entry:

Permit traffic.

Deny traffic.


Action

The action to take when a packet matching the criteria in this entry arrives on the interface. Either Permit or Deny:

Permit—Allow traffic matching the criteria in this row.

Deny—Do not allow traffic matching the criteria in this row.

Click Meanings of the Permit and Deny Keywords to learn more about the action of permit and the action of deny in the context of a specific type of rule.

Source

The source IP address criteria that the traffic must match. This column may contain:

An IP address and wildcard mask. The IP address specifies a network, and the wildcard mask specifies how much of the rule's IP address the IP address in the packet must match.

The keyword any. Any indicates that the source IP address can be any IP address.

A host name.

Destination

For extended rules, the destination IP address criteria that the traffic must match. The address may be for a network, or a specific host. This column may contain:

An IP address and wildcard mask. The IP address specifies a network, and the wildcard mask specifies how much of the rule's IP address the IP address in the packet must match.

The keyword any. Any indicates that the destination IP address can be any IP address.

A host name.

Service

For extended rules, the service specifies the type of traffic that packets matching the rule must contain. This is shown by displaying the service, such as echo-reply, followed by the protocol, such as ICMP. A rule permitting or denying multiple services between the same end points must contain an entry for each service.

Attributes

This field can contain other information about this entry, such as whether logging has been enabled.

Description

A short description of the entry.

What do you want to do?

If you want to:
Do this:

Add a rule.

Click the Add button and create the rule in the windows displayed.

Edit a rule, or edit a rule entry.

Select the access rule and click Edit. Then edit the rule in the Edit rule window displayed.

Associate a rule with an interface.

See How Do I Associate a Rule with an Interface?

Delete a rule that has not been associated with an interface.

Select the Access rule, and click Delete.

Delete a rule that has been associated with an interface

Cisco SDM does not permit you to delete a rule that has been associated with an interface. In order to delete the rule, you must first disassociate it from the interface. See How Do I Delete a Rule That Is Associated with an Interface?

What I want to do is not described here.

The following link contains procedures that you may want to consult: Useful Procedures for Access Rules and Firewalls.


Add or Edit a Rule

This window lets you add or edit a rule you have selected in the Rules window. You can rename or renumber the rule, add, change, reorder, or delete rule entries, and add or change the description of the rule.

Name/Number

Add or edit the name or number of the rule.

Standard rules must be numbered in the range 1-99, or 1300-1999.

Extended rules must be numbered in the range 100-199 or 2000-2699.

Names, which can contain alphabetic characters, allow you to associate a meaningful label to the access rule.

Type

Select the type of rule you are adding. Standard rules let you have the router examine the source host or network in the packet. Extended rules let you have the router examine the source host or network, the destination host or network, and the type of traffic that the packet contains.

Description

You can provide a description of the rule in this field. The description must be less than 100 characters long.

Rule Entry List

This list shows the entries that make up the rule. You can add, edit, and delete entries. You can also reorder them to change the order in which they are evaluated.

Observe the following guidelines when creating rule entries:

There must be at least one permit statement in the list; otherwise, all traffic will be denied.

A permit all or deny all entry in the list must be the last entry.

Standard entries and extended entries cannot be mixed in the same rule.

No duplicate entries can exist in the same rule.

Clone

Click this button to use the selected entry as a template for a new entry. This feature can save you time, and help reduce errors. For example, if you want to create a number of extended rule entries with the same source and destination, but different protocols or ports, you could create the first one using the Add button. After creating the first entry, you could copy it using Clone, and change the protocol field or port field to create a new entry.

Interface Association

Click the Associate button to apply the rule to an interface.


Note The Associate button is enabled only if you are adding a rule from the Access Rules window.


What do you want to do?

If you want to:
Do this:

Add or edit a rule entry.

Click Add, and create the entry in the window displayed. Or click Edit, and change the entry in the window displayed.

Add a rule entry using an existing entry as a template.

Select the entry you want to use as a template, and click Clone. Then create the entry in the dialog box displayed.

The dialog box displays the contents of the entry you selected so that you can edit it to create a new entry.

Reorder rule entries to make sure that the router evaluates particular entries.

Select the rule entry, and click the Move Up or the Move Down button to move the entry where you want it.

Associate a rule with an interface.

Click Associate and select the interface and direction in the Associate with an Interface window.

If the Associate button is not enabled, you can associate the rule with an interface by double-clicking the interface in the Interfaces and Connections window and using the Associate tab.

Delete a rule entry.

Select the rule entry, and click Delete. Then confirm deletion in the Warning window displayed.

Learn more about rules.

Explore the resources on Cisco.com. The following link contains information about IP access lists:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

What I want to do is not described here.

The following link contains procedures that you may want to consult: Useful Procedures for Access Rules and Firewalls


Associate with an Interface

You can use this window to associate a rule you have created from the Access Rules window with an interface and to specify whether it applies to outbound traffic or inbound traffic.

Select an Interface

Select the interface to which you want this rule to apply.

Specify a Direction

If you want the router to check packets inbound to the interface, click Inbound. The router checks for a match with the rule before routing the packet; the router accepts or drops the packet based on whether the rule states permit or deny. If you want the router to forward the packet to the outbound interface before comparing it to the entries in the access rule, click Outbound.

If Another Rule is Already Associated with the Interface

If an information box appears that tells you that another Access Rule is associated with the interface and direction you specified, you can either cancel the operation or continue. If you continue, you can either append the rule entries to the rule that is already applied to the interface, or disassociate the existing rule from the interface and associate the new rule.

What do you want to do?

If you want to:
Do this:

Cancel the operation and preserve the association between the interface and the existing rule.

Click No. The association between the existing rule and the interface is preserved, and the rule that you created in the Add a Rule window is saved.

You can examine the existing rule and the new rule and decide whether you want to replace the existing rule or to merge the entries of the new rule with the existing rule.

Continue, and merge the entries of the rule you created with the entries of the existing rule.

Click Yes. Then, when the window appears that asks whether you want to merge or replace the existing rule, click Merge.

The entries you created for the new rule are appended after the last entry of the existing rule.


Note If the rule you want to merge is not compatible with the existing rule, you will be allowed only to replace the existing rule.


Continue, and replace the existing rule with the rule you created.

Click Yes. Then, when the window appears that asks you if you want to merge or replace the existing rule, click Replace.

The rule you are replacing is not erased. It is just disassociated from the interface and direction.


Add a Standard Rule Entry

A standard rule entry allows you to permit or deny traffic that came from a specified source. The source can be a network or a host within a specific network. You can create a single rule entry in this window, but you can return to this window to create additional entries for a rule if you need to.


Note Any traffic that does not match the criteria in one of the rule entries you create is implicitly denied. To ensure that traffic you do not intend to deny is permitted, you must append explicit permit entries to the rule that you are configuring.


Action

Select the action you want the router to take when a packet matches the criteria in the rule entry. The choices are Permit and Deny. What Permit and Deny do depends on the type of rule in which they are used. In Cisco SDM, standard rule entries can be used in access rules, NAT rules, and in access lists associated with route maps. Click Meanings of the Permit and Deny Keywords to learn more about the action of Permit and the action of Deny in the context of a specific type of rule.

Source Host/Network

The source IP address criteria that the traffic must match. The fields in this area of the window change, based on the value of the Type field.

Type

Select one of the following:

A Network. Select if you want the action to apply to all the IP addresses in a network.

A Host Name or IP Address. Select if you want the action to apply to a specific host or IP address.

Any IP address. Select if you want the action to apply to any IP address.

IP Address

If you selected A Network or if you selected A Host Name or IP address, enter the IP address in this field. If the address you enter is a network address, enter a wildcard mask to specify the parts of the network address that must be matched.

Mask

If you selected A Network or if you selected A Host Name or IP address, either select the wildcard mask from this list, or enter a custom wildcard mask. A binary 0 in a wildcard mask means that the corresponding bit in a packet's IP address must match exactly. A binary 1 in a wildcard mask means that the corresponding bit in the packet's IP address need not match.

Hostname/IP

If you selected A Host Name or IP address in the Type field, enter the name or the IP address of the host. If you enter a hostname, the router must be configured to use a DNS server.

Description

You can enter a short description of the entry in this field. The description must be fewer than 100 characters long.

Log Matches Against This Entry

If you have specified syslog in System Properties, you can check this box; matches will be recorded in the system log.

Add an Extended Rule Entry

An extended rule entry allows you to permit or deny traffic based on its source and destination and on the protocol and service specified in the packet.


Note Any traffic that does not match the criteria in one of the rule entries you create is implicitly denied. To ensure that traffic you do not intend to deny is permitted, you must append explicit permit entries to the rule that you are configuring.


Action

Select the action you want the router to take when a packet matches the criteria in the rule entry. The choices are Permit and Deny. If you are creating an entry for an IPSec rule, the choices are protect the traffic and don't protect the traffic.

What Permit and Deny do depends on the type of rule in which they are used. In Cisco SDM, extended rule entries can be used in access rules, NAT rules, IPSec rules, and access lists associated with route maps. Click Meanings of the Permit and Deny Keywords to learn more about the action of Permit and the action of Deny in the context of a specific type of rule.

Source Host/Network

The source IP address criteria that the traffic must match. The fields in this area of the window change, based on the value of the Type field.

Type

Select one of the following:

A specific IP address. This can be a network address, or the address of a specific host.

A host name.

Any IP address.

IP Address

If you selected A specific IP address, enter the IP address in this field. If the address you enter is a network address, enter a wildcard mask to specify the parts of the network address that must be matched.

Mask

If you selected A specific IP address, either select the wildcard mask from this list, or enter a custom wildcard mask. A binary 0 in a wildcard mask means that the corresponding bit in the packet's IP address must match exactly. A binary 1 in a wildcard mask means that the corresponding bit in the packet's IP address need not match.

Hostname

If you selected A host name in the Type field, enter the name of the host.

Destination Host/Network

The destination IP address criteria that the traffic must match. The fields in this area of the window change, based on the value of the Type field.

Type

Select one of the following:

A specific IP address. This can be a network address or the address of a specific host.

A host name.

Any IP address.

Mask

If you selected A specific IP address, either select the wildcard mask from this list or enter a custom wildcard mask. A binary 0 in a wildcard mask means that the corresponding bit in the packet's IP address must match exactly. A binary 1 in a wildcard mask means that the corresponding bit in the packet's IP address need not match.

Hostname

If you selected A host name in the Type field, enter the name of the host.

Description

You can enter a short description of the entry in this field. The description must be fewer than 100 characters long.

Protocol and Service

Select the protocol and service, if applicable, that you want the entry to apply to. The information that you provide differs from protocol to protocol. Click the protocol to see what information you need to provide.

Source Port

Available when either TCP or UDP is selected. Setting this field will cause the router to filter on the source port in a packet. It is rarely necessary to set a source port value for a TCP connection. If you are not sure you need to use this field, leave it set to = any.

Destination Port

Available when either TCP or UDP is selected. Setting this field will cause the router to filter on the destination port in a packet.

If you select this protocol:
You can specify the following in the Source Port and Destination Port fields:

TCP and UDP

Specify the source and destination port by name or number. If you do not remember the name or number, click the ... button and select the value you want from the Service window. This field accepts port numbers from 0 through 65535.

=. The rule entry applies to the value that you enter in the field to the right.

!=. The rule entry applies to any value except the one that you enter in the field to the right.

<. The rule entry applies to all port numbers lower than the number you enter.

>. The rule entry applies to all port numbers higher than the number you enter.

range. The entry applies to the range of port numbers that you specify in the fields to the right.

ICMP

Specify any ICMP type, or specify a type by name or number. If you do not remember the name or number, click the ... button, and select the value you want. This field accepts ICMP type numbers from 0 through 255.

IP

Specify any IP protocol, or specify a protocol by name or number. If you do not remember the name or number, click the ... button, and select the value you want. This field accepts protocol numbers from 0 through 255.
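Wildcard-mask matching (described under Mask), the port operators in the table above, and the implicit deny noted at the start of this section all come together when the router evaluates a packet against a rule. The following added example, which is not code from the user guide or from Cisco SDM or IOS, parses a small subset of IOS access-list syntax (any, host and wildcard addresses, the eq/neq/lt/gt/range operators, and an ICMP type name such as echo-reply) and evaluates constructed packets against it in order, first match wins.

```python
"""Evaluate packets against an access list the way the router does: entries
are checked in order, the first match decides, and unmatched traffic is
implicitly denied. Added example, not code from Cisco SDM or IOS; it parses
only a small subset of IOS ACL syntax."""
import ipaddress

# Port operators: (packet port, first value, second value) -> bool
PORT_OPS = {"eq": lambda p, a, b: p == a, "neq": lambda p, a, b: p != a,
            "lt": lambda p, a, b: p < a, "gt": lambda p, a, b: p > a,
            "range": lambda p, a, b: a <= p <= b}


def wildcard_match(addr, base, wildcard):
    """A 0 bit in the wildcard must match exactly; a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)


def _parse_port(tokens):
    """Consume an optional eq/neq/lt/gt/range operator; return (op, a, b) or None."""
    if not tokens or tokens[0] not in PORT_OPS:
        return None
    op, a = tokens.pop(0), int(tokens.pop(0))
    return op, a, int(tokens.pop(0)) if op == "range" else a


def parse_entry(line):
    """Parse one rule entry in IOS syntax into a dict of match criteria."""
    tokens = line.split()
    entry = {"action": tokens.pop(0), "log": "log" in tokens, "icmp_type": None}
    if tokens[0] in ("ip", "tcp", "udp", "icmp"):   # extended entry
        entry["proto"] = tokens.pop(0)
        entry["src"] = _parse_addr(tokens)
        entry["sport"] = _parse_port(tokens)
        entry["dst"] = _parse_addr(tokens)
        entry["dport"] = _parse_port(tokens)
        if entry["proto"] == "icmp" and tokens and tokens[0] != "log":
            entry["icmp_type"] = tokens.pop(0)    # e.g. echo-reply
    else:                                           # standard entry: source only
        entry["proto"] = "ip"
        entry["src"] = _parse_addr(tokens)
        entry["dst"] = ("0.0.0.0", "255.255.255.255")
        entry["sport"] = entry["dport"] = None
    return entry


def _port_ok(spec, port):
    if spec is None:             # no operator: any port matches
        return True
    return port is not None and PORT_OPS[spec[0]](port, spec[1], spec[2])


def evaluate(acl, pkt):
    """Return (action, index of matching entry); (deny, None) when nothing matches."""
    for i, e in enumerate(acl):
        if (e["proto"] in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], *e["src"])
                and wildcard_match(pkt["dst"], *e["dst"])
                and _port_ok(e["sport"], pkt.get("sport"))
                and _port_ok(e["dport"], pkt.get("dport"))
                and e["icmp_type"] in (None, pkt.get("icmp_type"))):
            return e["action"], i
    return "deny", None          # implicit deny at the end of every access list


# Constructed sample rule, not taken from the user guide.
SAMPLE_ACL = [parse_entry(line) for line in (
    "permit tcp 10.0.0.0 0.255.255.255 any eq 80",
    "permit tcp any host 192.168.1.10 range 20 21",
    "permit icmp any any echo-reply",
    "deny tcp any any eq 23 log",
    "permit udp any gt 1023 host 192.168.1.53 eq 53",
)]
```

Packets are plain dicts with proto, src, dst and optional sport, dport and icmp_type keys; the ICMP echo request in the test shows the implicit deny, since only echo-reply is permitted.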


See Services and Ports to see a table containing port names and numbers available in Cisco SDM.

Log Matches Against This Entry

If you have configured logging for firewall messages, you can check this box and matches will be recorded in the log file sent to the syslog server. For more information refer to this link: Firewall Log.

Select a Rule

Use this window to select a rule to use.

Rule Category

Select the rule category that you want to select from. The rules in the category you select will appear in the box below the list. If no rules appear in the box, no rules of that category have been defined.

Name/Number

The name or number of the rule.

Used By

How the rule is being used. For example, if the rule has been associated with an interface, the name of the interface. If the rule is being used in an IPSec policy, the name of the policy. Or, if the rule has been used by NAT, this column contains the value NAT.

Description

A description of the rule.

Preview

This area of the screen displays the entries of the selected rule.

Action

Either Permit or Deny. See Meanings of the Permit and Deny Keywords to learn more about the action of Permit and the action of Deny in the context of a specific type of rule.

Source

The source IP address criteria that the traffic must match. This column may contain the following:

An IP address and wildcard mask. The IP address specifies a network, and the wildcard mask specifies how much of the rule's IP address the IP address in the packet must match.

The keyword any. Any indicates that the source IP address can be any IP address.

A host name.

Destination

For extended rules, the destination IP address criteria that the traffic must match. The address may be for a network, or a specific host. This column may contain the following:

An IP address and wildcard mask. The IP address specifies a network, and the wildcard mask specifies how much of the rule's IP address the IP address in the packet must match.

The keyword any. Any indicates that the destination IP address can be any IP address.

A host name.

Service

For extended rules, the service specifies the type of traffic that packets matching the rule must contain. This is shown by displaying the service, such as echo-reply, followed by the protocol, such as ICMP. A rule permitting or denying multiple services between the same endpoints must contain an entry for each service.