Cisco ASA 1000V ASDM Configuration Guide, 6.7
Using the ACL Manager

Table Of Contents

Using the ACL Manager

Information About the ACL Manager

Guidelines and Limitations

Standard Access Control List

Extended Access Control List

Adding ACLs and ACEs

Browse Source/Destination Address

Browse Source/Destination Port

Add TCP Service Group

Browse ICMP

Add ICMP Group

Browse Other

Add Protocol Group


Using the ACL Manager


Information About the ACL Manager

Access control lists (ACLs) are used to control network access or to specify traffic for many features to act upon. An ACL is made up of one or more access control entries (ACEs) in which you can specify the line number to insert the ACE, the source and destination addresses, and, depending upon the ACE type, the protocol, the ports (for TCP or UDP), or the ICMP type.

The ACL Manager dialog box lets you define ACLs to control the access of a specific host or network to another host/network, including the protocol or port that can be used.

You can configure ACLs (access control lists) to apply to user sessions. These are filters that permit or deny user access to specific networks, subnets, hosts, and web servers.

If you do not define any filters, all connections are permitted.

The ASA 1000V supports only an inbound ACL on an interface.

At the end of each ACL, there is an implicit, unwritten rule that denies all traffic that is not permitted. If traffic is not explicitly permitted by an access control entry (ACE), the ASA 1000V denies it. ACEs are referred to as rules in this section.

For information about adding ACLs and ACEs, see the "Adding ACLs and ACEs" section.

For information about finding specific ACLs and ACEs in your configuration, see the "Using the Find Function in the ACL Manager Pane" section.

Guidelines and Limitations

The following guidelines and limitations apply to creating an extended access list:

Enter the access list name in uppercase letters so that the name is easy to see in the configuration. You might want to name the access list for the interface (for example, INSIDE), or you can name it for the purpose for which it is created (for example, NO_NAT or VPN).

You can specify the source and destination ports only for the TCP or UDP protocols. For a list of permitted keywords and well-known port assignments, see the "TCP and UDP Ports" section. DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP.

Standard Access Control List

This pane provides summary information about standard ACLs, and lets you add or edit ACLs and ACEs.

Fields

Add—Lets you add a new ACL. When you highlight an existing ACL, it lets you add a new ACE for that ACL.

Edit—Opens the Edit ACE dialog box, in which you can change an existing access control list rule.

Delete—Removes an ACL or ACE. There is no confirmation or undo.

Move Up/Move Down—Changes the position of a rule in the ACL Manager table.

Cut—Removes the selection from the ACL Manager table and places it on the clipboard.

Copy—Places a copy of the selection on the clipboard.

Paste—Opens the Paste ACE dialog box, in which you can create a new ACL rule from an existing rule.

No—Indicates the order of evaluation for the rule. Implicit rules are not numbered, but are represented by a hyphen.

Address—Displays the IP address or URL of the application or service to which the ACE applies.

Action—Specifies whether this filter permits or denies traffic flow.

Description—Shows the description you typed when you added the rule. An implicit rule includes the following description: "Implicit outbound rule."

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple
                                   Context    System

Extended Access Control List

This pane provides summary information about extended ACLs, and lets you add or edit ACLs and ACEs.

Fields

Add—Lets you add a new ACL. When you highlight an existing ACL, it lets you add a new ACE for that ACL.

Edit—Opens the Edit ACE dialog box, in which you can change an existing access control list rule.

Delete—Removes an ACL or ACE. There is no confirmation or undo.

Move Up/Move Down—Changes the position of a rule in the ACL Manager table.

Cut—Removes the selection from the ACL Manager table and places it on the clipboard.

Copy—Places a copy of the selection on the clipboard.

Paste—Opens the Paste ACE dialog box, in which you can create a new ACL rule from an existing rule.

No—Indicates the order of evaluation for the rule. Implicit rules are not numbered, but are represented by a hyphen.

Enabled—Enables or disables a rule. Implicit rules cannot be disabled.

Source—Specifies the IP addresses (Host/Network) that are permitted or denied to send traffic to the IP addresses listed in the Destination column. In detail mode (see the Show Detail radio button), an address column might contain an interface name with the word any, such as inside: any. This means that any host on the inside interface is affected by the rule.

Destination—Specifies the IP addresses (Host/Network) that are permitted or denied to receive traffic from the IP addresses listed in the Source column. An address column might contain an interface name with the word any, such as outside: any. This means that any host on the outside interface is affected by the rule.

An address column might also contain IP addresses, for example, 209.165.201.1-209.165.201.30. These are translated addresses. When an inside host makes a connection to an outside host, the firewall maps the address of the inside host to an address from the pool. After a host creates an outbound connection, the firewall maintains this address mapping. The address mapping structure is called an xlate, and it remains in memory for a period of time. During this time, outside hosts can initiate connections to the inside host using the translated address from the pool, if the ACL allows it. Normally, outside-to-inside connections require a static translation so that the inside host always uses the same IP address.

Service—Names the service and protocol specified by the rule.

Action—Specifies whether this filter permits or denies traffic flow.

Logging—Shows the logging level and the interval in seconds between log messages (if you enable logging for the ACL). To set logging options, including enabling and disabling logging, right-click this column, and click Edit Log Option. The Log Options dialog box appears.

Time—Specifies the name of the time range to be applied in this rule.

Description—Shows the description you typed when you added the rule. An implicit rule includes the following description: "Implicit outbound rule."

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple
                                   Context    System

Adding ACLs and ACEs

An access list (ACL) is made up of one or more access list entries (ACEs). First you create and name the ACL, then, you add ACEs to the ACL. An ACL with one entry is still considered a list, although you can add multiple ACEs to the list.


Step 1 Choose Configuration > Firewall > Advanced > ACL Manager.

Step 2 Select Add > Add ACL.

This adds an ACL for IPv4 traffic.

Step 3 In the ACL name field, add a descriptive name for the ACL, and click OK.

Your newly created ACL appears in the window.

Step 4 Select the newly created ACL, click Add, and from the drop-down list, choose Add ACE.

Step 5 In the Action field of the Add ACE window, click one of the following radio buttons to choose the action:

Permit—Permits access if the conditions are matched.

Deny—Denies access if the conditions are matched.

Step 6 In the Source field, enter a source from which traffic is permitted or denied. Possible sources are any source, IP address, Network Object Group, or Interface IP.

In the Destination field, enter a destination to which traffic is permitted or denied. Possible destinations are any destination, IP address, Network Object Group, or Interface IP.

any—Specifies that the source or destination host/network can be any type. For this value of the Type field, there are no additional fields in the Source or Destination area.

IP Address—Specifies the source or destination host or network IP address. Both IPv4 and IPv6 addresses are supported. With this selection, the IP Address, ellipsis button, and Netmask fields become available. Choose an IP address or host name from the drop-down list in the IP Address field or click the ellipsis (...) button to browse for an IP address or name. Select a network mask from the drop-down list.

Network Object Group—Specifies the name of the network object group. Choose a name from the drop-down list or click the ellipsis (...) button to browse for a network object group name.

Interface IP—Specifies the interface on which the host or network resides. Select an interface from the drop-down list. The default values are inside and outside. There is no browse function.

Step 7 Specify the service to which this ACE applies. You can type a known service into the window or click browse to select from a list of services.

Service groups let you identify multiple non-contiguous port numbers that you want to match. For example, if you want to filter HTTP, FTP, and port numbers 5, 8, and 9, define a service group that includes all these ports. Without service groups, you would have to create a separate rule for each port.

You can create service groups for TCP, UDP, TCP-UDP, ICMP, and other protocols. A service group with the TCP-UDP protocol contains services, ports, and ranges that might use either the TCP or UDP protocol.

Step 8 (Optional) Add text that provides a brief description of this rule. A description line can be up to 100 characters long, but you can break a description into multiple lines.


Note If you add remarks with non-English characters on one platform (such as Windows) then try to remove them from another platform (such as Linux), you might not be able to edit or delete them because the original characters might not be correctly recognized. This limitation is due to an underlying platform dependency that encodes different language characters in different ways.


Step 9 (Optional) Check the Enable Logging check box to enable or disable logging or specify the use of the default logging settings. If logging is enabled, the Syslog Level and Log Interval fields become available.

a. If logging is enabled, choose a logging level to specify logging activity. The default is Informational. For information about logging levels, see the "Severity Levels" section.

b. Choose a logging interval, in seconds, to limit how many messages at this logging level can be sent.

Step 10 Set the source service (TCP, UDP, and TCP/UDP only).

Step 11 Set the logging interval to establish the number of seconds between log messages. The default is 300.

Step 12 Set the time range during which the rule is applied.

Step 13 Click Apply to save the ACL and ACE to the running configuration.

To see a condensed view of all ACLs in your configuration, click Collapse All below the ACL Manager window. To see a comprehensive view of all ACLs and ACEs in your configuration, click Expand All.

For information about finding specific ACLs and ACEs in your configuration, see the "Using the Find Function in the ACL Manager Pane" section.
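The steps above cover everything ASDM lets you set on an ACE: the action, source and destination, a service or service group, a description, logging with an interval, and the Enabled flag, with the rules evaluated in table order and an implicit deny at the end. The following Python is an added example, not Cisco code and not how the ASA implements ACLs internally. It models first-match evaluation, insertion by line number with renumbering, non-contiguous ports in a TCP service group, a TCP-UDP group that covers both DNS definitions, and a simplified per-rule log interval (at most one message per interval, which is only a sketch of the ASA's rate limiting). All names, addresses, and sample rules are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Optional


@dataclass(frozen=True)
class ServiceGroup:
    """Constructed stand-in for an ASDM service group: one protocol and a set of ports."""
    name: str
    protocol: str        # "tcp", "udp" or "tcp-udp"
    ports: frozenset     # non-contiguous port numbers, e.g. frozenset({80, 21, 5, 8, 9})

    def matches(self, protocol: str, port: Optional[int]) -> bool:
        if self.protocol == "tcp-udp":
            return protocol in ("tcp", "udp") and port in self.ports
        return protocol == self.protocol and port in self.ports


def _addr_in(spec: str, addr: str) -> bool:
    """spec is "any" or a CIDR prefix (a /32 stands for a single host)."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


@dataclass
class ACE:
    """One rule as shown in the ACL Manager table (constructed model)."""
    line: int
    action: str                              # "permit" or "deny"
    protocol: str                            # "ip", "tcp", "udp", "icmp" or "tcp-udp"
    source: str                              # CIDR prefix or "any"
    destination: str                         # CIDR prefix or "any"
    service: Optional[ServiceGroup] = None   # None: any port
    description: str = ""
    enabled: bool = True                     # the Enabled check box
    log: bool = False                        # the Enable Logging check box
    log_interval: int = 300                  # seconds between messages (ASDM default)
    last_logged: Optional[float] = field(default=None, compare=False)

    def matches(self, pkt: Dict) -> bool:
        if not self.enabled:
            return False
        proto = pkt["protocol"]
        proto_ok = (self.protocol == "ip" or self.protocol == proto
                    or (self.protocol == "tcp-udp" and proto in ("tcp", "udp")))
        if not proto_ok:
            return False
        if not (_addr_in(self.source, pkt["src"]) and _addr_in(self.destination, pkt["dst"])):
            return False
        return self.service is None or self.service.matches(proto, pkt.get("dport"))


class Decision(NamedTuple):
    action: str
    line: Optional[int]      # None for the implicit rule, which carries no number
    description: str
    logged: bool


class ACL:
    """Rules are evaluated in table order; the first match decides, and
    traffic that matches nothing hits the implicit deny at the end."""

    def __init__(self, name: str):
        self.name = name.upper()             # uppercase names stand out in the config
        self.aces: List[ACE] = []

    def add_ace(self, ace: ACE) -> None:
        """Insert before any existing rule numbered >= ace.line, then renumber."""
        pos = next((i for i, a in enumerate(self.aces) if a.line >= ace.line), len(self.aces))
        self.aces.insert(pos, ace)
        for n, a in enumerate(self.aces, start=1):
            a.line = n

    def evaluate(self, pkt: Dict, now: float) -> Decision:
        for ace in self.aces:
            if ace.matches(pkt):
                logged = False
                if ace.log and (ace.last_logged is None or now - ace.last_logged >= ace.log_interval):
                    ace.last_logged = now   # simplified: at most one message per interval per rule
                    logged = True
                return Decision(ace.action, ace.line, ace.description, logged)
        return Decision("deny", None, "Implicit outbound rule", False)


def build_sample_acl() -> ACL:
    """Constructed sample following the ASDM steps: name the ACL, then add ACEs."""
    web = ServiceGroup("WEB_FTP_MISC", "tcp", frozenset({80, 21, 5, 8, 9}))
    dns = ServiceGroup("DNS", "tcp-udp", frozenset({53}))   # one group covers TCP and UDP 53
    acl = ACL("inside")
    acl.add_ace(ACE(1, "permit", "tcp", "10.1.1.0/24", "any", service=web,
                    description="Inside users to web, ftp and ports 5, 8, 9", log=True))
    acl.add_ace(ACE(2, "permit", "tcp-udp", "10.1.1.0/24", "any", service=dns,
                    description="Inside users to DNS"))
    acl.add_ace(ACE(3, "deny", "ip", "10.1.1.0/24", "192.168.50.0/24",
                    description="Block inside to lab segment"))
    # Inserting at line 1 pushes the others down; because evaluation is first-match,
    # this quarantine rule now wins over the permit for the same ports.
    acl.add_ace(ACE(1, "deny", "tcp", "10.1.1.99/32", "any", service=web,
                    description="Quarantined host"))
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    print(acl.evaluate({"protocol": "tcp", "src": "10.1.1.5", "dst": "203.0.113.10", "dport": 80}, now=0.0))
```

The useful things to check against such a model are the ones that bite in production: a rule inserted above an existing permit changes the outcome for the same traffic, a rule that is disabled rather than deleted still occupies its line but matches nothing, and a packet that no rule permits is dropped with no line number to point at, which is why the Logging column matters when troubleshooting the implicit deny.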


Browse Source/Destination Address

ACL Manager > Add/Edit Extended Access List Rule > Source or Destination > Browse button

The Browse Source or Destination Address dialog box lets you select an object to use as a source or destination for this rule.

Fields

Type—Determines the type of object to use as the source or destination for this rule. Selections are IP Address Objects, IP Names, Network Object Groups, and All. The contents of the table following this field change, depending upon your selection.

Source/Destination Object Table—Displays the objects from which you can select a source or destination object. If you choose All in the type field, each category of object appears under its own heading. The table has the following headings:

Name—Displays the network name (which may be an IP address) for each object.

IP address—Displays the IP address of each object.

Netmask—Displays the network mask to use with each object.

Description—Displays the description entered in the Add/Edit/Paste Extended Access List Rule dialog box.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple
                                   Context    System

Browse Source/Destination Port

ACL Manager > Add/Edit Extended Access List Rule > Protocol and Service > Protocol: tcp or udp > Source or Destination Port > Group option > Browse button

The Browse Source or Destination Port dialog box lets you select a source or destination port for this protocol in this rule.

Fields

Add—Opens the Add TCP Service Group dialog box, in which you can configure a new TCP service group.

Find—Opens the Filter field.

Filter/Clear—Specifies a filter criterion that you can use to search for items in the Name list, thus displaying only those items that match that criterion. When you make an entry in the Filter field, the Filter button becomes active. Clicking the Filter button performs the search. After you perform the search, the Filter button is dimmed, and the Clear button becomes active. Clicking the Clear button clears the filter field and dims the Clear button.

Type—Determines the type of object to use as the source or destination for this rule. Selections are IP Address Objects, IP Names, Network Object Groups, and All. The contents of the table following this field change, depending upon your selection.

Name—Lists the predefined protocols and service groups for your selection.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple
                                   Context    System

Add TCP Service Group

ACL Manager > Add/Edit Extended Access List Rule > Protocol and Service > Protocol: tcp or udp > Source or Destination Port > Group option > Browse button > Browse Source or Destination Port > Add button

The Add TCP Service Group dialog box lets you configure a new TCP service group or port to add to the browsable source or destination port list for this protocol in this rule. Selecting a member of either the Members not in Group or the Members in Group list activates the Add and Remove buttons.

Fields

Group Name—Specifies the name of the new TCP service group.

Description—(Optional) Provides a brief description of this group.

Members not in Group—Presents the option to select either a service/service group or a port number to add to the Members in Group list.

Service/Service Group—Lets you select the name of a TCP service or service group to add to the Members in Group list.

Port #—Lets you specify a range of port numbers to add to the Members in Group list.

Add—Moves a selected item from the Members not in Group list to the Members in Group list.

Remove—Moves a selected item from the Members in Group list to the Members not in Group list.

Members in Group—Lists the members already configured in this service group.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple
                                   Context    System

Browse ICMP

ACL Manager > Add/Edit Extended Access List Rule > Protocol and Service > Protocol: icmp > ICMP > Group option > Browse button

The Browse ICMP dialog box lets you select an ICMP group for this rule.

Fields

Add—Opens the Add ICMP Group dialog box, in which you can configure a new ICMP group.

Find—Opens the Filter field.

Filter/Clear—Specifies a filter criterion that you can use to search for items in the Name list, thus displaying only those items that match that criterion. When you make an entry in the Filter field, the Filter button becomes active. Clicking the Filter button performs the search. After you perform the search, the Filter button is dimmed, and the Clear button becomes active. Clicking the Clear button clears the filter field and dims the Clear button.

Type—Determines the type of object to use as the ICMP group for this rule. Selections are IP Address Objects, IP Names, Network Object Groups, and All. The contents of the table following this field change, depending upon your selection.

Name—Lists the predefined ICMP groups for your selection.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple
                                   Context    System

Add ICMP Group

ACL Manager > Add/Edit Extended Access List Rule > Protocol and Service > Protocol: icmp > ICMP > Group option > Browse button > Browse ICMP > Add button

The Add ICMP Group dialog box lets you configure a new ICMP group by name or by number to add to the browsable ICMP list for this protocol in this rule. Choosing a member of either the Members not in Group or the Members in Group list activates the Add and Remove buttons.

Fields

Group Name—Specifies the name of the new ICMP group.

Description—(Optional) Provides a brief description of this group.

Members not in Group—Presents the option to select either an ICMP type/ICMP group or an ICMP number to add to the Members in Group list.

ICMP Type/ICMP Group—Lets you select the name of an ICMP type or ICMP group to add to the Members in Group list.

ICMP #—Lets you specify an ICMP member by number to add to the Members in Group list.

Add—Moves a selected item from the Members not in Group list to the Members in Group list.

Remove—Moves a selected item from the Members in Group list to the Members not in Group list.

Members in Group—Lists the members already configured in this ICMP group.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple
                                   Context    System

Browse Other

ACL Manager > Add/Edit Extended Access List Rule > Protocol and Service > Protocol: other > Other > Group option > Browse button

The Browse Other dialog box lets you select a protocol group for this rule.

Fields

Add—Opens the Add Protocol Group dialog box, in which you can configure a new protocol group.

Find—Opens the Filter field.

Filter/Clear—Specifies a filter criterion that you can use to search for items in the Name list, thus displaying only those items that match that criterion. When you make an entry in the Filter field, the Filter button becomes active. Clicking the Filter button performs the search. After you perform the search, the Filter button is dimmed, and the Clear button becomes active. Clicking the Clear button clears the filter field and dims the Clear button.

Type—Determines the type of object to use as the protocol group for this rule. Selections are IP Address Objects, IP Names, Network Object Groups, and All. The contents of the table following this field change, depending upon your selection.

Name—Lists the predefined protocol groups for your selection.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple
                                   Context    System

Add Protocol Group

ACL Manager > Add/Edit Extended Access List Rule > Protocol and Service > Protocol: other > Group option > Browse button > Browse Other > Add button

The Add Protocol Group dialog box lets you configure a new protocol group by name or by number to add to the browsable protocol list for this rule. Selecting a member of either the Members not in Group or the Members in Group list activates the Add and Remove buttons.

Fields

Group Name—Specifies the name of the new protocol group.

Description—(Optional) Provides a brief description of this group.

Members not in Group—Presents the option to select either a protocol/protocol group or a protocol number to add to the Members in Group list.

Protocol/Protocol Group—Lets you select the name of a protocol or protocol group to add to the Members in Group list.

Protocol #—Lets you specify a protocol by number to add to the Members in Group list.

Add—Moves a selected item from the Members not in Group list to the Members in Group list.

Remove—Moves a selected item from the Members in Group list to the Members not in Group list.

Members in Group—Lists the members already configured in this protocol group.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple
                                   Context    System