Cisco Systems ASA 5540 Network Router User Manual


  Open as PDF
of 2086
 
37-11
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 37 Configuring Access Rules
Configuring Access Rules
Step 5 In the Source field, enter an IP address that specifies the network object group, interface IP, or any
address from which traffic is permitted or denied.
Note IPv6 must be enabled on at least one interface before you can configure an extended ACL with
an IPv6 address. For more information about enabling IPv6 on an interface, see the “Configuring
IPv6 Addressing” section on page 14-14
Step 6 In the Service field, add a service name for rule traffic, or click the ellipsis (...) to browse for a service.
Step 7 (Optional) In the Description field, add a description for this management access rule.
The description can contain multiple lines; however, each line can be no more than 100 characters in
length.
Step 8 (Optional) Logging is enabled by default. You can disable logging by unchecking the check box, or you
can change the logging level from the drop-down list. The default logging level is Informational.
Step 9 (Optional) To add a source service (TCP, UDP, and TCP-UDP only) and a time range to your access rule
that specifies when traffic can be allowed or denied, click More Options to expand the list.If you want
to turn off this Management Access Rule, uncheck Enable Rule.
Add a source service in the Source Service field, or click the ellipsis (...) to browse for a service.
The destination service and source service must be the same. Copy and paste the destination Service
field to the Source Service field.
To configure the logging interval (if you enable logging and choose a non-default setting), enter a
value in seconds in the Logging Interval field.
To select a predefined time range for this rule, from the Time Range drop-down list, choose a time
range; or click the ellipsis (...) to browse for a time range. You can also specify additional time
constraints for the time range, such as specifying the days of the week or the recurring weekly
interval in which the time range will be active.
Step 10 Click OK. The dialog box closes, and the Management Access rule is added.
Step 11 Click Apply. The rule is saved in the running configuration.
Note After you create management access rules, you can click the radio buttons at the bottom of the pane to
sort the display and show both IPv4 and IPv6 rules, IPv4 only, or IPv6 only.
Advanced Access Rule Configuration
The Advanced Access Rule Configuration dialog box lets you to set global access rule logging options.
When you enable logging, if a packet matches the access rule, the ASA creates a flow entry to track the
number of packets received within a specific interval. The ASA generates a system log message at the
first hit and at the end of each interval, identifying the total number of hits during the interval and
reporting the time of the last hit.
Note The ASApane displays the hit count information in the “last rule hit” row. To view the rule hit count and
timestamp, choose Configuration > Firewall > Advanced > ACL Manager, and hover the mouse
pointer over a cell in the ACL Manager table.