12-5
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 12 Introduction to Firewall Services
Overview of Firewall Services
ACLs named <number>_<number> are not valid on IOS devices. Security Manager strips off the suffix prior to deployment. This also means that you cannot assign an IOS device more than one ACL object with the same numbered prefix. However, named ACLs that have a numbered suffix are allowed, for example, ACLname_1.

Numbered ACLs must use the correct number ranges for IOS devices. Standard ACLs must be in the range 1-99 or 1300-1999. Extended ACLs must be in the range 100-199 or 2000-2699.

ACL names for IOS devices cannot begin with an underscore (_).

Policies that do not preserve user-defined names include SSL VPN policies, transparent firewall rules, and AAA rules (for IOS devices).
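As an added example (not part of the Cisco guide and not Security Manager code), the following Python turns the IOS naming rules above into a pre-deployment check: it strips a <number>_<number> suffix the way Security Manager does, classifies the resulting name against the standard and extended number ranges, rejects names that begin with an underscore, and flags two ACL objects that would collapse onto the same numbered ACL on the device. The function names and the sample ACL object names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Number ranges IOS accepts for numbered ACLs, per the rules above.
STANDARD_RANGES = ((1, 99), (1300, 1999))
EXTENDED_RANGES = ((100, 199), (2000, 2699))

# Matches <number>_<number>; a name like ACLname_1 does NOT match and stays named.
NUMBERED_WITH_SUFFIX = re.compile(r"^(\d+)_(\d+)$")


@dataclass
class AclName:
    object_name: str                 # ACL object name as defined in Security Manager
    device_name: str                 # name that would actually land on the IOS device
    kind: str                        # "standard", "extended", "named" or "invalid"
    problems: List[str] = field(default_factory=list)


def classify_number(n: int) -> Optional[str]:
    """Return the IOS ACL type for a number, or None if it is outside every range."""
    if any(lo <= n <= hi for lo, hi in STANDARD_RANGES):
        return "standard"
    if any(lo <= n <= hi for lo, hi in EXTENDED_RANGES):
        return "extended"
    return None


def check_ios_acl_name(name: str) -> AclName:
    """Apply the single-name rules: suffix stripping, number ranges, leading underscore."""
    problems: List[str] = []
    device_name = name
    m = NUMBERED_WITH_SUFFIX.match(name)
    if m:
        # <number>_<number> is not valid on IOS; only the numeric prefix is deployed.
        device_name = m.group(1)
    if device_name.isdigit():
        kind = classify_number(int(device_name))
        if kind is None:
            problems.append(f"{device_name} is outside the IOS numbered ACL ranges")
            kind = "invalid"
    else:
        kind = "named"
        if device_name.startswith("_"):
            problems.append("IOS ACL names cannot begin with an underscore")
    return AclName(name, device_name, kind, problems)


def lint_ios_acl_set(names: List[str]) -> List[AclName]:
    """Check a set of ACL objects destined for one IOS device, including prefix collisions."""
    results = [check_ios_acl_name(n) for n in names]
    seen = {}  # device_name -> first object that claimed it
    for r in results:
        if r.kind in ("standard", "extended"):
            if r.device_name in seen:
                r.problems.append(
                    f"collides with {seen[r.device_name]}: both deploy as ACL {r.device_name}"
                )
            else:
                seen[r.device_name] = r.object_name
    return results


if __name__ == "__main__":
    # Constructed sample: object names as they might appear in Security Manager.
    sample = ["10", "10_1", "101_2", "1300", "ACLname_1", "_mgmt", "2700"]
    for r in lint_ios_acl_set(sample):
        status = "OK" if not r.problems else "; ".join(r.problems)
        print(f"{r.object_name:>10} -> {r.device_name:<10} {r.kind:<9} {status}")
```

Running the block shows that "10" and "10_1" both deploy as numbered ACL 10 and are reported as a collision, "ACLname_1" passes as a named ACL, "_mgmt" is rejected for the leading underscore, and "2700" is rejected because it falls outside every IOS numbered range.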
The following topics provide additional information about ACL naming:
ACL Naming Conventions, page 12-5
Resolving ACL Name Conflicts Between Policies, page 12-6
ACL Naming Conventions
When the name for the ACL is generated by Security Manager, the name is derived from the type of rule or platform being defined and certain configuration settings that make it unique. All newly created ACLs are given a name based on the naming conventions shown in the following table.

Tip: During deployment, a suffix .n (where n is an integer) might be added to an ACL name if the existing ACL cannot be edited in place. For example, if an ACL named acl_mdc_outside_10 already exists on the device, a new ACL with the name acl_mdc_outside_10.1 is created if you do not remove the old ACL before you deploy the new ACL.
Table 12-1 ACL Naming Conventions

Policy Type         Naming Convention
Access ACLs         Inbound:  CSM_FW_ACL_InterfaceName
                    Outbound: CSM_FW_ACL_OUT_InterfaceName
IPv6 Access ACLs    Inbound:  CSM_IPV6_FW_ACL_InterfaceName
                    Outbound: CSM_IPV6_FW_ACL_OUT_InterfaceName
                    Note: Prior to the release of Security Manager 4.4 and versions 9.0 and higher of the ASA, separate pages, policies and policy objects were provided for configuring IPv4 and IPv6 firewall rules and policies. With Security Manager 4.4 and ASA 9.0+, these policies and policy objects were combined or unified. However, for the earlier ASA versions, a separate page for IPv6 access rules is still provided in Device view, while in Policy view, IPv4 and unified versions of the AAA-, access- and inspection-rule policy types are provided.
Inspection Rules    For ASA 7.0+/PIX 7.0+: CSM_CMAP_ACL_n, where n is an integer beginning with 1.
                    For IOS devices, a numbered ACL.