Cisco ASA 5500 Series Configuration Guide using ASDM, 6.3
Using the ACL Manager

Table Of Contents

Using the ACL Manager

Standard ACL

Extended ACL

Add/Edit/Paste ACE


Using the ACL Manager


The ACL Manager dialog box lets you define access control lists (ACLs) to control the access of a specific host or network to another host/network, including the protocol or port that can be used.

You can configure ACLs (access control lists) to apply to user sessions. These are filters that permit or deny user access to specific networks, subnets, hosts, and web servers.

If you do not define any filters, all connections are permitted.

The adaptive security appliance supports only an inbound ACL on an interface.

At the end of each ACL, there is an implicit, unwritten rule that denies all traffic that is not permitted. If traffic is not explicitly permitted by an access control entry (ACE), the adaptive security appliance denies it. ACEs are referred to as rules in this section.

If you add remarks with non-English characters on one platform (such as Windows) then try to remove them from another platform (such as Linux), you might not be able to edit or delete them because the original characters might not be correctly recognized. This limitation is due to an underlying platform dependency that encodes different language characters in different ways.

Standard ACL

This pane provides summary information about standard ACLs and lets you add or edit ACLs and ACEs. Standard access lists identify the destination IP addresses of OSPF routes and can be used in a route map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control traffic.

Fields

Add—Lets you add a new ACL. When you highlight an existing ACL, it lets you add a new ACE for that ACL.

Add IPv6—Lets you add an ACL for traffic with IPv6 addresses.

Add ACE—Lets you add an access control entry (ACE), or access rule, specifying the source address, destination address, and service.

Edit—Opens the Edit ACE dialog box, in which you can change an existing access control list rule.

Delete—Removes an ACL or ACE. There is no confirmation or undo.

Move Up/Move Down—Changes the position of a rule in the ACL Manager table.

Cut—Removes the selection from the ACL Manager table and places it on the clipboard.

Copy—Places a copy of the selection on the clipboard.

Paste—Opens the Paste ACE dialog box, in which you can create a new ACL rule from an existing rule.

No—Indicates the order of evaluation for the rule. Implicit rules are not numbered, but are represented by a hyphen.

Address—Displays the IP address or URL of the application or service to which the ACE applies.

Action—Determines the action type of the new rule. Select either permit or deny.

Permit—Permits all matching traffic.

Deny—Denies all matching traffic.

Description—Shows the description you typed when you added the rule. An implicit rule includes the following description: "Implicit outbound rule."

More Options—Lets you specify the source service (TCP or UDP only), a time range, and logging interval.

Extended ACL

This pane provides summary information about extended ACLs, and lets you add or edit ACLs and ACEs.

Fields

Add—Lets you add a new ACL. When you highlight an existing ACL, it lets you add a new ACE for that ACL.

Edit—Opens the Edit ACE dialog box, in which you can change an existing access control list rule.

Delete—Removes an ACL or ACE. There is no confirmation or undo.

Move Up/Move Down—Changes the position of a rule in the ACL Manager table.

Cut—Removes the selection from the ACL Manager table and places it on the clipboard.

Copy—Places a copy of the selection on the clipboard.

Paste—Opens the Paste ACE dialog box, in which you can create a new ACL rule from an existing rule.

No—Indicates the order of evaluation for the rule. Implicit rules are not numbered, but are represented by a hyphen.

Enabled—Enables or disables a rule. Implicit rules cannot be disabled.

Source—Specifies the IP addresses (Host/Network) that are permitted or denied to send traffic to the IP addresses listed in the Destination column. In detail mode (see the Show Detail radio button), an address column might contain an interface name with the word any, such as inside: any. This means that any host on the inside interface is affected by the rule.

Destination—Specifies the IP addresses (Host/Network) that are permitted or denied to send traffic to the IP addresses listed in the Source column. An address column might contain an interface name with the word any, such as outside: any. This means that any host on the outside interface is affected by the rule. An address column might also contain IP addresses; for example 209.165.201.1-209.165.201.30. These addresses are translated addresses. When an inside host makes a connection to an outside host, the firewall maps the address of the inside host to an address from the pool. After a host creates an outbound connection, the firewall maintains this address mapping. The address mapping structure is called an xlate, and remains in memory for a period of time. During this time, outside hosts can initiate connections to the inside host using the translated address from the pool, if allowed by the ACL. Normally, outside-to-inside connections require a static translation so that the inside host always uses the same IP address.

Service—Names the service and protocol specified by the rule.

Action—Specifies whether this filter permits or denies traffic flow.

Logging—Shows the logging level and the interval in seconds between log messages (if you enable logging for the ACL). To set logging options, including enabling and disabling logging, right-click this column, and click Edit Log Option. The Log Options dialog box appears.

Time—Specifies the name of the time range to be applied in this rule.

Description—Shows the description you typed when you added the rule. An implicit rule includes the following description: "Implicit outbound rule."

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple
                                   Context    System


Add/Edit/Paste ACE

The Add/Edit/Paste ACE dialog box lets you create a new extended access list rule, or modify an existing rule. The Paste option becomes available only when you cut or copy a rule.

Fields

Action—Determines the action type of the new rule. Select either permit or deny.

Permit—Permits all matching traffic.

Deny—Denies all matching traffic.

Source/Destination—Specifies the source or destination type and, depending on that type, the other relevant parameters describing the source or destination host/network IP Address. Possible values are: any, IP address, Network Object Group, and Interface IP. The availability of subsequent fields depends upon the value of the Type field:

any—Specifies that the source or destination host/network can be any type. For this value of the Type field, there are no additional fields in the Source or Destination area.

IP Address—Specifies the source or destination host or network IP address. Both IPv4 and IPv6 addresses are supported. With this selection, the IP Address, ellipsis button, and Netmask fields become available. Choose an IP address or host name from the drop-down list in the IP Address field or click the ellipsis (...) button to browse for an IP address or name. Select a network mask from the drop-down list.

Network Object Group—Specifies the name of the network object group. Choose a name from the drop-down list or click the ellipsis (...) button to browse for a network object group name.

Interface IP—Specifies the interface on which the host or network resides. Select an interface from the drop-down list. The default values are inside and outside. There is no browse function.

Protocol and Service—Specifies the protocol and service to which this ACE filter applies. Service groups let you identify multiple non-contiguous port numbers that you want the ACL to match. For example, if you want to filter HTTP, FTP, and port numbers 5, 8, and 9, define a service group that includes all these ports. Without service groups, you would have to create a separate rule for each port.

You can create service groups for TCP, UDP, TCP-UDP, ICMP, and other protocols. A service group with the TCP-UDP protocol contains services, ports, and ranges that might use either the TCP or UDP protocol.

Protocol—Selects the protocol to which this rule applies. Possible values are ip, tcp, udp, icmp, and other. The remaining available fields in the Protocol and Service area depend upon the protocol you select. The next few bullets describe the consequences of each of these selections:

Protocol: TCP and UDP—Selects the TCP/UDP protocol for the rule. The Source Port and Destination Port areas allow you to specify the ports that the ACL uses to match packets.

Source Port/Destination Port—(Available only for TCP and UDP protocols) Specifies an operator and a port number, a range of ports, or a well-known service name from a list of services, such as HTTP or FTP. The operator list specifies how the ACL matches the port. Choose one of the following operators: = (equals the port number), not = (does not equal the port number), > (greater than the port number), < (less than the port number), range (equal to one of the port numbers in the range).

Group—(Available only for TCP and UDP protocols) Selects a source port service group. The Browse (...) button opens the Browse Source Port or Browse Destination Port dialog box.

Protocol: ICMP—Lets you choose an ICMP type or ICMP group from a preconfigured list or browse (...) for an ICMP group. The Browse button opens the Browse ICMP dialog box.

Protocol: IP—Specifies the IP protocol for the rule in the IP protocol box. No other fields are available when you make this selection.

Protocol: Other—Lets you choose a protocol from a drop-down list, choose a protocol group from a drop-down list, or browse for a protocol group. The Browse (...) button opens the Browse Other dialog box.

Rule Flow Diagram—(Display only) Provides a graphical representation of the configured rule flow. This same diagram appears on the ACL Manager dialog box unless you explicitly close that display.

Options—Sets optional features for this rule, including logging parameters, time ranges, and description.

Logging—Enables or disables logging or specifies the use of the default logging settings. If logging is enabled, the Syslog Level and Log Interval fields become available.

Syslog Level—Selects the level of logging activity. The default is Informational.

Log Interval—Specifies the interval for permit and deny logging. The default is 300 seconds. The range is 1 through 6000 seconds.

Time Range—Selects the name of the time range to use with this rule. The default is (any). Click the Browse (...) button to open the Browse Time Range dialog box to select or add a time range.

Description—(Optional) Provides a brief description of this rule. A description line can be up to 100 characters long, but you can break a description into multiple lines.
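As an added illustration (example code, not part of the Cisco guide and not ASDM's own logic), the following Python models the evaluation rules this chapter describes: ACEs are tried in the order of the No column, the first match decides, an unwritten implicit deny follows the last ACE (shown as "-" in the No column), the Destination Port operators are =, not =, >, <, and range, and a service group is a set of ports any one of which matches. It also shows why Move Up/Move Down matters: moving a broad permit above a narrower deny shadows the deny. The ACL, hosts, and addresses are constructed for the example, and the names PortMatch, ACE, Packet, evaluate, and move_up are assumptions of this example, not ASDM fields.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple, Union

# Added example, not Cisco code: a first-match ACL evaluator with an
# implicit deny, modelling the semantics described in the ACL Manager chapter.


@dataclass(frozen=True)
class PortMatch:
    """One port test from the Source/Destination Port operator list."""
    op: str          # "=", "not =", ">", "<", or "range"
    port: int = 0    # the port, or the low end of a range
    high: int = 0    # high end of the range (only used for "range")

    def matches(self, p: int) -> bool:
        if self.op == "=":
            return p == self.port
        if self.op == "not =":
            return p != self.port
        if self.op == ">":
            return p > self.port
        if self.op == "<":
            return p < self.port
        if self.op == "range":
            return self.port <= p <= self.high
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass(frozen=True)
class ACE:
    """One access control entry (a row in the ACL Manager table)."""
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches every protocol
    src: str                         # "any" or a CIDR network
    dst: str                         # "any" or a CIDR network
    dst_ports: Tuple[PortMatch, ...] = ()   # empty = any port; several = service group
    description: str = ""


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not (_addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)):
        return False
    if not ace.dst_ports:            # no port test configured: any port matches
        return True
    if pkt.dst_port is None:
        return False
    return any(m.matches(pkt.dst_port) for m in ace.dst_ports)   # service-group semantics


def evaluate(acl, pkt: Packet) -> Tuple[Union[int, str], str]:
    """First match wins; falls through to the implicit, unnumbered deny ("-")."""
    for no, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return no, ace.action
    return "-", "deny"


def move_up(acl, index: int):
    """Model of the Move Up button: swap the rule at index with the one above it."""
    rules = list(acl)
    rules[index - 1], rules[index] = rules[index], rules[index - 1]
    return rules


# Constructed sample ACL applied inbound on the LAN-facing interface.
WEB_GROUP = (PortMatch("=", 80), PortMatch("=", 443))        # service group: HTTP + HTTPS
INSIDE_IN = [
    ACE("deny", "tcp", "any", "10.0.0.0/8", (PortMatch("=", 23),), "no telnet into 10/8"),
    ACE("permit", "tcp", "192.168.1.0/24", "any", WEB_GROUP, "LAN to web"),
    ACE("permit", "tcp", "192.168.1.0/24", "any", (PortMatch("range", 20, 23),), "LAN admin ports"),
    ACE("permit", "udp", "192.168.1.0/24", "any", (PortMatch("=", 53),), "LAN DNS"),
]

# Shadowing demo: moving the broad admin-port permit (rule 3) to the top means
# the telnet deny in rule 1 can never match again.
SHADOWED = move_up(move_up(INSIDE_IN, 2), 1)

if __name__ == "__main__":
    telnet_in = Packet("tcp", "192.168.1.5", "10.1.1.1", 23)
    print("original:", evaluate(INSIDE_IN, telnet_in))   # (1, 'deny')
    print("reordered:", evaluate(SHADOWED, telnet_in))   # (1, 'permit')
    print("unlisted service:", evaluate(INSIDE_IN, Packet("tcp", "192.168.1.5", "203.0.113.10", 8080)))
```

Running the evaluator over a few constructed packets makes the implicit deny visible: anything not explicitly permitted (an unlisted TCP port, a host outside 192.168.1.0/24, ICMP with no ICMP rule) returns ("-", "deny"), and the reordered copy shows that a Move Up can silently disable a deny without deleting it, which is worth checking whenever rules are rearranged.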