46-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 46 Configuring Bridging Policies on Firewall Devices
About Bridging on Firewall Devices
To configure a transparent firewall, use the following policies. When configuring an ASA/PIX/FWSM device in multiple-context mode, configure these policies on each transparent security context.
• Firewall > Access Rules—Access rules control layer 3 and higher traffic using extended access control lists. In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in an access list; in transparent mode, by contrast, much of that traffic can be permitted. For example, you can establish routing protocol adjacencies through a transparent firewall: you can allow OSPF, RIP, EIGRP, or BGP traffic through based on access rules. Likewise, protocols like HSRP or VRRP can pass through the security appliance. However, the transparent-mode security appliance does not pass CDP packets.

For features that are not directly supported on the transparent firewall, you can allow traffic to pass through so that upstream and downstream routers can provide those functions. For example, by using access rules, you can allow DHCP traffic to pass (instead of the unsupported DHCP relay feature), or multicast traffic such as that created by IP/TV.

For more information, see Understanding Access Rules, page 16-1 and Configuring Access Rules, page 16-7.
• Firewall > Transparent Rules—Transparent rules control non-IP layer 2 traffic using Ethertype access control lists. For example, you can configure rules to allow AppleTalk, IPX, BPDUs, and MPLS to pass through the device. For more information, see Configuring Transparent Firewall Rules, page 22-1.
• Platform > Bridging > ARP Table, ARP Inspection and IPv6 Neighbor Cache—Use these policies to control the types of ARP and IPv6 traffic allowed through the bridge. If desired, you can configure static ARP and IPv6 neighbor cache entries and drop any traffic not defined by those static rules. Enable ARP inspection so that if a mismatch between the MAC address, the IP address, or the interface occurs, the security appliance drops the packet. This helps prevent ARP spoofing. For more information, see ARP Table Page, page 46-3 and ARP Inspection Page, page 46-5.

Note The ARP Table and IPv6 Neighbor Cache are the only bridging policies available for non-transparent ASA/PIX/FWSM devices.
• Platform > Bridging > MAC Address Table and MAC Learning—Use these policies to configure static MAC-IP address mappings and to enable or disable MAC learning. MAC learning is enabled by default, which allows the appliance to add MAC-IP address mappings as traffic passes through the interface. If you want to prevent all traffic except from static entries, you can disable MAC learning. For more information, see MAC Address Table Page, page 46-7 and MAC Learning Page, page 46-8.
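The ARP inspection and MAC learning behaviour described in the two policies above, as an added Python simulation. This is example code, not Cisco ASA or Security Manager code: the interface names, addresses and MAC values are constructed, and the flood-versus-drop handling of ARP packets that match no static entry (the page only mentions dropping) is an assumption modelled as a per-interface option.

```python
"""Simulation of a transparent firewall's ARP inspection and MAC learning
decisions. Constructed example for illustration; it is not Cisco ASA or
Security Manager code, and the interface names, addresses and the
flood/no-flood handling of unknown entries are assumptions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ArpBinding:
    """One static ARP entry: the interface an IP/MAC pair is expected on."""
    interface: str
    ip: str
    mac: str


@dataclass
class BridgePolicy:
    # Administrator-configured static ARP entries.
    static_arp: set[ArpBinding] = field(default_factory=set)
    # Per-interface ARP inspection: absent = off, True = flood packets with no
    # matching static entry, False = drop them ("no-flood").
    arp_inspection: dict[str, bool] = field(default_factory=dict)
    # Static MAC address table as (interface, mac) pairs.
    static_mac: set[tuple[str, str]] = field(default_factory=set)
    # MACs learned from passing traffic, also as (interface, mac) pairs.
    learned_mac: set[tuple[str, str]] = field(default_factory=set)
    # Interfaces on which MAC learning has been disabled.
    mac_learn_disabled: set[str] = field(default_factory=set)

    def inspect_arp(self, interface: str, sender_ip: str, sender_mac: str) -> str:
        """Classify an ARP packet seen on `interface` as permit, flood or drop."""
        mode: Optional[bool] = self.arp_inspection.get(interface)
        if mode is None:
            return "permit"  # inspection not enabled on this interface
        if ArpBinding(interface, sender_ip, sender_mac) in self.static_arp:
            return "permit"  # exact match on interface, IP and MAC
        # A static entry that shares the IP or the MAC but disagrees on the
        # other field or on the interface is a mismatch: treat as spoofing.
        if any(b.ip == sender_ip or b.mac == sender_mac for b in self.static_arp):
            return "drop"
        # Nothing static covers this packet: behaviour depends on flood/no-flood.
        return "flood" if mode else "drop"

    def check_source_mac(self, interface: str, src_mac: str) -> str:
        """Decide whether a frame from `src_mac` on `interface` is forwarded,
        learning the address when the interface allows it."""
        key = (interface, src_mac)
        if key in self.static_mac or key in self.learned_mac:
            return "forward"
        if interface in self.mac_learn_disabled:
            return "drop"  # only static entries may source traffic here
        self.learned_mac.add(key)  # MAC learning enabled: remember the source
        return "forward"


def build_example_policy() -> BridgePolicy:
    """Constructed policy: one trusted host on 'inside', inspection with
    no-flood on 'inside', inspection with flood on 'outside', none on 'dmz'."""
    return BridgePolicy(
        static_arp={ArpBinding("inside", "10.1.1.10", "0009.7cf8.2a03")},
        arp_inspection={"inside": False, "outside": True},
        static_mac={("inside", "0009.7cf8.2a03")},
        mac_learn_disabled={"inside"},
    )


def run_scenarios(policy: BridgePolicy) -> dict[str, str]:
    """Constructed ARP packets and frames, labelled by what they exercise."""
    return {
        "arp_exact_match": policy.inspect_arp("inside", "10.1.1.10", "0009.7cf8.2a03"),
        "arp_spoofed_mac": policy.inspect_arp("inside", "10.1.1.10", "dead.beef.0001"),
        "arp_spoofed_ip": policy.inspect_arp("inside", "10.1.1.99", "0009.7cf8.2a03"),
        "arp_wrong_interface": policy.inspect_arp("outside", "10.1.1.10", "0009.7cf8.2a03"),
        "arp_unknown_noflood": policy.inspect_arp("inside", "10.1.1.50", "aaaa.bbbb.cccc"),
        "arp_unknown_flood": policy.inspect_arp("outside", "10.1.1.50", "aaaa.bbbb.cccc"),
        "arp_inspection_off": policy.inspect_arp("dmz", "10.1.1.50", "aaaa.bbbb.cccc"),
        "mac_static": policy.check_source_mac("inside", "0009.7cf8.2a03"),
        "mac_unknown_learning_off": policy.check_source_mac("inside", "1111.2222.3333"),
        "mac_unknown_learning_on": policy.check_source_mac("outside", "1111.2222.3333"),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios(build_example_policy()).items():
        print(f"{name:28} {verdict}")
```

The scenarios show why the two policies are usually combined on a protected segment: ARP inspection with static entries rejects a packet that reuses a known IP or MAC with the wrong counterpart or arrives on the wrong interface, and disabling MAC learning on that same interface means a frame from any address not in the static table is dropped rather than silently learned.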
• Platform > Bridging > Management IP and Platform > Bridging > Management IPv6—Use these policies to configure a management IP address that Security Manager can use to communicate with the device.

Note The Management IP and Management IPv6 pages are not available on Catalyst 6500 service modules (the Firewall Services Module and the Adaptive Security Appliance Service Module).

If you change the management IP address, you also need to update the device properties for the device or security context. Follow these steps:

1. Change the management IP address, save and submit your changes.
2. Deploy your changes to the device.