22-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 22 Managing Transparent Firewall Rules
Configuring Transparent Firewall Rules
Tip On ASA, PIX, and FWSM in transparent mode, you must configure access rules to allow any IP traffic to pass through the device. Transparent rules control layer 2 non-IP traffic only.

Also, see NAT in Transparent Mode, page 23-15 for information about using network address translation on security devices.

You can also configure other types of firewall rules on these interfaces. The other types of rules apply to layer-3 and higher traffic.

Tip If you configure any transparent rule, an implicit deny all rule is added at the end of the rule list for each interface. You must ensure that you permit all desired traffic. You might want to include a permit any (for ASA/PIX/FWSM devices) or permit 0x0000 0xFFFF (for IOS devices) rule as the final rule in the table if your desire is simply to deny specific types of traffic, rather than permitting only specific types of traffic.
Related Topics
Adding and Removing Rules, page 12-9
Editing Rules, page 12-9
Enabling and Disabling Rules, page 12-20
Step 1 Do one of the following to open the Transparent Rules Page, page 22-3:

(Device view) Select Firewall > Transparent Rules from the Policy selector for a supported device type.

(Policy view) Select Firewall > Transparent Rules from the Policy Type selector. Select an existing policy or create a new one.

Step 2 Select the row after which you want to create the rule and click the Add Row button or right-click and select Add Row. This opens the Add and Edit Transparent Firewall Rule Dialog Boxes, page 22-5.

Tip If you do not select a row, the new rule is added at the end of the local scope. You can also select an existing row and edit either the entire row or specific cells. For more information, see Editing Rules, page 12-9.
Step 3 Configure the rule. Following are the highlights of what you typically need to decide. For specific information on configuring the fields, see Add and Edit Transparent Firewall Rule Dialog Boxes, page 22-5.

Permit or Deny—Whether you are allowing traffic that matches the rule or dropping it.

Interfaces—The interface or interface role for which you are configuring the rule.

Direction—The direction of traffic to which this rule should apply (in or out). The default is in.

EtherType—The hexadecimal code or keyword (for ASA/PIX/FWSM only) that identifies the traffic. For a list of codes, see RFC 1700 at http://www.ietf.org/rfc/rfc1700.txt and search for “Ether Type.” For ASA/PIX/FWSM, you can select a keyword to identify some EtherTypes. For ASA/PIX/FWSM, the code must be 0x0600 at minimum.

Mask—For rules applied to IOS devices, you must also specify a mask to apply to the EtherType. Use 0xFFFF to have the EtherType interpreted literally.
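The following Python model is an added example, not code from Cisco Security Manager or from the ASA itself. It works through the two points above that most often surprise administrators: the implicit deny-all that closes each interface's list as soon as any transparent rule exists, and the 0x0600 floor on ASA/PIX/FWSM EtherType codes. The Rule structure, the keyword table (an assumed subset of the ASA ethertype ACL keywords) and the sample frames are constructed for illustration; the IOS mask semantics are deliberately left out because the page only covers them for IOS.

```python
"""Evaluate ASA/PIX/FWSM-style transparent (EtherType) rules the way the
User Guide describes them: rules are matched top-down for a given interface
and direction, the first match decides, and once any transparent rule exists
an implicit 'deny all' closes every interface's list.

Added example, not Cisco Security Manager code.  The 0x0600 minimum, the
'any' keyword and the implicit-deny behaviour come from the text; the Rule
structure, the keyword table and the sample frames are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Union

ASA_MIN_ETHERTYPE = 0x0600   # text: "the code must be 0x0600 at minimum"
ANY = "any"                  # text: 'permit any' on ASA/PIX/FWSM devices

# Assumed subset of the keywords an ASA ethertype ACL accepts, mapped to the
# IEEE codes they stand for.  'bpdu' is omitted: it is not a plain EtherType.
KEYWORDS = {
    "ipx": 0x8137,
    "mpls-unicast": 0x8847,
    "mpls-multicast": 0x8848,
}

EtherType = Union[int, str]   # an integer code, or the keyword ANY


def parse_ethertype(text: str) -> EtherType:
    """Turn the EtherType cell's text into a code or ANY.

    Accepts 'any', one of the keywords, or a hex code such as '0x8137'.
    Codes below 0x0600 are rejected (values below 0x0600 in that field are
    IEEE 802.3 length fields, not EtherTypes).
    """
    token = text.strip().lower()
    if token == ANY:
        return ANY
    if token in KEYWORDS:
        return KEYWORDS[token]
    code = int(token, 16)
    if not ASA_MIN_ETHERTYPE <= code <= 0xFFFF:
        raise ValueError(f"EtherType {text!r} must be between 0x0600 and 0xFFFF")
    return code


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    interface: str         # interface (or interface role) the rule applies to
    ethertype: EtherType   # code from parse_ethertype(), or ANY
    direction: str = "in"  # text: the default direction is in


def validate_rule(rule: Rule) -> None:
    """Reject a rule the dialog box would not accept for an ASA/PIX/FWSM."""
    if rule.action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny, got {rule.action!r}")
    if rule.direction not in ("in", "out"):
        raise ValueError(f"direction must be in or out, got {rule.direction!r}")
    if rule.ethertype != ANY and not ASA_MIN_ETHERTYPE <= rule.ethertype <= 0xFFFF:
        raise ValueError(f"EtherType {rule.ethertype:#06x} is below the 0x0600 minimum")


def evaluate(rules: List[Rule], interface: str, direction: str,
             frame_ethertype: int) -> Optional[str]:
    """Return 'permit' or 'deny' for a frame, or None when no transparent rules exist.

    First matching rule wins.  As the guide's tip says, once the policy
    contains any transparent rule, a frame that matches nothing on its
    interface and direction falls through to the implicit deny-all.
    """
    for rule in rules:
        validate_rule(rule)
        if rule.interface != interface or rule.direction != direction:
            continue
        if rule.ethertype == ANY or rule.ethertype == frame_ethertype:
            return rule.action
    return "deny" if rules else None


def build_tables():
    """Two constructed rule tables for the 'inside' interface."""
    # Allow-list style: only IPX and MPLS unicast pass inbound; anything else,
    # including the 'out' direction, is caught by the implicit deny.
    allow_list = [
        Rule("permit", "inside", parse_ethertype("ipx")),
        Rule("permit", "inside", parse_ethertype("0x8847")),
    ]
    # Deny-list style: block IPX, then close with 'permit any' so the implicit
    # deny-all never drops traffic the administrator meant to allow.
    deny_list = [
        Rule("deny", "inside", parse_ethertype("0x8137")),
        Rule("permit", "inside", parse_ethertype("any")),
    ]
    return allow_list, deny_list


# Constructed sample frames: (EtherType code, description)
SAMPLE_FRAMES = [(0x8137, "IPX"), (0x8847, "MPLS unicast"), (0x88CC, "LLDP")]


def run_samples(rules: List[Rule], interface: str = "inside", direction: str = "in"):
    """Map each sample frame's description to the verdict the table gives it."""
    return {name: evaluate(rules, interface, direction, code) for code, name in SAMPLE_FRAMES}


if __name__ == "__main__":
    allow_list, deny_list = build_tables()
    print("allow-list table (in):", run_samples(allow_list))
    print("deny-list table (in): ", run_samples(deny_list))
    print("allow-list table (out):", run_samples(allow_list, direction="out"))
```

Running it shows the difference the final permit-any rule makes: with the allow-list table, LLDP (and every frame in the out direction) is dropped by the implicit deny, whereas the deny-list table drops only IPX and lets everything else through.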