Cisco Systems ASA 5580 Network Router User Manual
21-3
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 21 Using the ACL Manager
Adding ACLs and ACEs
Step 6 In the Source field, enter an IP address that specifies the network object group, interface IP, or any address from which traffic is permitted or denied.
IPv6 must be enabled on at least one interface before you can configure an ACE with an IPv6 address. For more information about enabling IPv6 on an interface, see the “Configuring IPv6 Addressing” section on page 14-14.
Step 7 Select a destination to specify the IP addresses (host or network) that are permitted or denied to send traffic to the IP addresses listed in the Source section.
Step 8 Specify the service to which this ACE applies. You can type a known service into the window or click Browse to select from a list of services.
Service groups let you identify multiple non-contiguous port numbers that you want to match. For example, if you want to filter HTTP, FTP, and port numbers 5, 8, and 9, define a service group that includes all these ports. Without service groups, you would have to create a separate rule for each port.
You can create service groups for TCP, UDP, TCP-UDP, ICMP, and other protocols. A service group with the TCP-UDP protocol contains services, ports, and ranges that might use either the TCP or UDP protocol.
• Protocol—Selects the protocol to which this rule applies. Possible values are ip, tcp, udp, icmp, and other. The remaining available fields in the Protocol and Service area depend upon the protocol you select. The next few bullets describe the consequences of each of these selections:
  – Protocol: TCP and UDP—Selects the TCP/UDP protocol for the rule. The Source Port and Destination Port areas allow you to specify the ports that the ACL uses to match packets.
  – Source Port/Destination Port—(Available only for TCP and UDP protocols) Specifies an operator and a port number, a range of ports, or a well-known service name from a list of services, such as HTTP or FTP. The operator list specifies how the ACL matches the port. Choose one of the following operators: = (equals the port number), not = (does not equal the port number), > (greater than the port number), < (less than the port number), range (equal to one of the port numbers in the range).
  – Group—(Available only for TCP and UDP protocols) Selects a source port service group. The Browse (...) button opens the Browse Source Port or Browse Destination Port dialog box.
  – Protocol: ICMP—Enables you to choose an ICMP type or ICMP group from a preconfigured list or browse (...) for an ICMP group. The Browse button opens the Browse ICMP dialog box.
  – Protocol: IP—Specifies the IP protocol for the rule in the IP protocol box. No other fields are available when you make this selection.
  – Protocol: Other—Enables you to choose a protocol from a drop-down list, choose a protocol group from a drop-down list, or browse for a protocol group. The Browse (...) button opens the Browse Other dialog box.
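The following Python is an added illustration, not Cisco code and not what ASDM writes to the running configuration. It models how an ACE built from the fields above (protocol, source and destination, a port operator or a service group) is matched against a flow, evaluating the list first-match with the implicit deny that terminates every ACL. The addresses come from documentation ranges, and the group names, rules and flows are constructed assumptions; it goes slightly beyond the text by showing that a TCP-UDP service group accepts either transport protocol and that IPv6 prefixes are handled the same way as IPv4.

```python
"""Constructed model of ACE matching: protocol, source/destination prefixes,
port operators (=, not =, >, <, range) and service groups, evaluated
first-match with the implicit deny at the end of every ACL.
Illustration only; not Cisco ASA code and not ASDM output."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def port_matches(op: str, spec, port: int) -> bool:
    """Apply one of the ACL Manager's port operators to a port number."""
    if op == "=":
        return port == spec
    if op == "not =":
        return port != spec
    if op == ">":
        return port > spec            # strictly greater: the named port itself is excluded
    if op == "<":
        return port < spec
    if op == "range":
        low, high = spec
        return low <= port <= high    # inclusive on both ends
    raise ValueError(f"unknown operator {op!r}")


def addr_in(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise the address must fall inside the prefix.
    ip_network handles IPv4 and IPv6; an address-family mismatch simply does not match."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


@dataclass(frozen=True)
class ServiceGroup:
    """Non-contiguous ports matched as one unit (e.g. HTTP, FTP, 5, 8, 9)."""
    protocol: str          # "tcp", "udp" or "tcp-udp"
    ports: frozenset

    def matches(self, proto: str, port: Optional[int]) -> bool:
        proto_ok = proto in ("tcp", "udp") if self.protocol == "tcp-udp" else proto == self.protocol
        return proto_ok and port in self.ports


@dataclass
class ACE:
    action: str                          # "permit" or "deny"
    protocol: str                        # "ip", "tcp", "udp" or "icmp"
    source: str                          # prefix or "any"
    destination: str
    dst_op: Optional[str] = None         # port operator, used when no group is given
    dst_spec: object = None              # port number, or (low, high) for "range"
    dst_group: Optional[ServiceGroup] = None
    remark: str = ""                     # the optional description from Step 9

    def matches(self, flow: dict) -> bool:
        if self.protocol != "ip" and flow["proto"] != self.protocol:
            return False
        if not (addr_in(self.source, flow["src"]) and addr_in(self.destination, flow["dst"])):
            return False
        port = flow.get("dport")         # ICMP flows carry no destination port
        if self.dst_group is not None:
            return self.dst_group.matches(flow["proto"], port)
        if self.dst_op is not None:
            return port is not None and port_matches(self.dst_op, self.dst_spec, port)
        return True                      # ip / icmp rules carry no port test in this model


def evaluate(acl, flow):
    """Return (action, index of the matching ACE); index None means the implicit deny fired."""
    for idx, ace in enumerate(acl):
        if ace.matches(flow):
            return ace.action, idx
    return "deny", None


# Constructed sample: documentation address ranges, assumed group and rule names.
WEB_FTP = ServiceGroup("tcp", frozenset({80, 21, 5, 8, 9}))   # the example group from the text
DNS = ServiceGroup("tcp-udp", frozenset({53}))
SAMPLE_ACL = [
    ACE("permit", "tcp", "203.0.113.0/24", "192.0.2.10/32", dst_group=WEB_FTP, remark="partner web+ftp"),
    ACE("permit", "udp", "any", "192.0.2.53/32", dst_group=DNS, remark="resolver"),
    ACE("permit", "tcp", "any", "192.0.2.0/24", dst_op=">", dst_spec=1023, remark="high ports"),
    ACE("permit", "tcp", "2001:db8::/32", "2001:db8:1::10/128", dst_op="=", dst_spec=443),
]

if __name__ == "__main__":
    for flow in (
        {"proto": "tcp", "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 21},
        {"proto": "tcp", "src": "198.51.100.5", "dst": "192.0.2.20", "dport": 1023},
    ):
        print(flow, "->", evaluate(SAMPLE_ACL, flow))
```

Two details worth checking against the operator list above: ">" is strict, so a rule written with "> 1023" does not admit port 1023 itself, while "range" includes both end points. A flow that reaches the end of the list without a match is denied even though no deny ACE was written, so the order of the ACEs, not only their content, decides the outcome.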
Step 9 (Optional) Add text that provides a brief description of this rule. A description line can be up to 100 characters long, but you can break a description into multiple lines.
Note If you add remarks with non-English characters on one platform (such as Windows) and then try to remove them from another platform (such as Linux), you might not be able to edit or delete them because the original characters might not be correctly recognized. This limitation is due to an underlying platform dependency that encodes different language characters in different ways.