16-8
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 16 Managing Firewall Access Rules
Configuring Access Rules
Tip If you do not select a row, the new rule is added at the end of the local scope. You can also select
an existing row and edit either the entire row or specific cells. For more information, see Editing
Rules, page 12-9. Special rules apply if you mix interface-specific and global rules in a policy;
for more information, see Understanding Global Access Rules, page 16-3.
Step 3 Configure the rule. Following are the highlights of what you typically need to decide. For specific
information on configuring the fields, see Add and Edit Access Rule Dialog Boxes, page 16-13.
• Permit or Deny—Whether you are allowing traffic that matches the rule or dropping it.
• Source and Destination addresses—If the rule should apply no matter which addresses generated the
traffic or their destinations, use “All-Addresses” as the source or destination. If the rule is specific
to a host or network, enter the addresses or network/host objects. For information on the accepted
address formats, see Specifying IP Addresses During Policy Definition, page 6-81.
• Source and Destination Security Groups (ASA 9.0+ only)—You can specify TrustSec security
groups used to filter traffic in addition to the source and destination addresses. See Selecting
Security Groups in Policies, page 14-13, Configuring TrustSec-Based Firewall Rules, page 14-13
and Creating Security Group Objects, page 14-12 for more information about security groups.
• Source Users (ASA 8.4.2+ only)—You can further define the traffic source by specifying Active
Directory (AD) user names (in the format NetBIOS_DOMAIN\username), user groups
(NetBIOS_DOMAIN\\user_group), or identity user group objects that define the names and groups.
The user specification is conjoined to the source address to limit the match to user addresses within
the source address range. For more information, see Configuring Identity-Based Firewall Rules,
page 13-21 and Creating Identity User Group Objects, page 13-19.
• Services—Use the IP service to apply to any traffic (for example, if you want to deny all traffic from
a specific source). Otherwise, select the more specific service, which is a protocol and port
combination, that you are targeting.
• Interfaces or Global—The interface or interface role for which you are configuring the rule, or
Global to create global access rules on ASA 8.3+ devices (see Understanding Global Access Rules,
page 16-3).
• Advanced settings—Click Advanced to open the Advanced dialog box for configuring additional
settings. You can configure the following options; for detailed information, see Advanced and Edit
Options Dialog Boxes, page 16-15.
– Logging options. If you are using Security Manager or CS-MARS to monitor the device, ensure
that you enable logging.
– The direction of traffic to which this rule should apply (in or out). The default is in. You cannot
change this setting for global rules.
– The time range for the rule, which allows you to configure rules that work only for specific
periods of time, such as during working hours. For more information, see Configuring Time
Range Objects, page 6-66.
– IOS device options for fragmentation and allowing the return of traffic for established outbound
sessions.
– Rule expiration dates and notification settings. For more information, see Configuring
Expiration Dates for Access Rules, page 16-19.
Click OK when you are finished defining your rule.
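As an added example, not Security Manager's own code or deployment output, the following Python model takes the rule fields described above and renders the equivalent ASA access-list entry and access-group binding, enforcing the constraint that a global rule is inbound only. The AccessRule dataclass, the render function and the sample values are constructed for illustration; the exact CLI Security Manager deploys may differ.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class AccessRule:  # fields of the Add/Edit Access Rule dialog (constructed model)
    action: str                            # "permit" or "deny"
    service: str = "ip"                    # protocol; "ip" matches all traffic
    source: str = "any"                    # "any", a host address or a CIDR network
    destination: str = "any"
    dest_port: Optional[str] = None        # e.g. "eq 443", tcp/udp only
    user: Optional[str] = None             # AD user "DOMAIN\\jdoe" (ASA 8.4.2+)
    user_group: Optional[str] = None       # AD group "DOMAIN\\\\grp" (ASA 8.4.2+)
    security_group: Optional[str] = None   # TrustSec source group name (ASA 9.0+)
    interface: Optional[str] = None        # None renders a global rule (ASA 8.3+)
    direction: str = "in"                  # "in" or "out"; global rules are "in" only
    log: bool = False
    time_range: Optional[str] = None

def _addr(a: str) -> str:
    """Render an address the way an ASA extended ACE expects it."""
    if a == "any":
        return "any"
    net = ipaddress.ip_network(a, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"

def render(rule: AccessRule, acl_name: str) -> list:
    """Return the ACE and the access-group binding the rule corresponds to."""
    if rule.action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    if rule.interface is None and rule.direction != "in":
        raise ValueError("global rules cannot be applied in the out direction")
    ace = ["access-list", acl_name, "extended", rule.action, rule.service]
    # Identity/security-group keywords precede the source address; the user
    # match is conjoined with the source address, not a replacement for it.
    if rule.user:
        ace += ["user", rule.user]
    elif rule.user_group:
        ace += ["user-group", rule.user_group]
    if rule.security_group:
        ace += ["security-group", "name", rule.security_group]
    ace += [_addr(rule.source), _addr(rule.destination)]
    ace += [rule.dest_port] if rule.dest_port else []
    ace += ["log"] if rule.log else []
    ace += ["time-range", rule.time_range] if rule.time_range else []
    if rule.interface is None:
        return [" ".join(ace), f"access-group {acl_name} global"]
    return [" ".join(ace), f"access-group {acl_name} {rule.direction} interface {rule.interface}"]
```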