Cisco ASDM User Guide
OL-16647-01
Chapter 20 Configuring Access Rules and EtherType Rules
Configuring Access Rules
Packet Trace—Provides detailed information about packet processing with the adaptive security
appliance, as well as information for packet sniffing and network fault isolation.
The following description summarizes the columns in the Access Rules table. You can edit the contents
of these columns by double-clicking a table row. Rules are displayed in the order of execution, and the
first rule that matches a packet decides its fate. If you right-click a rule, you see all of the options
represented by the buttons above, as well as the Insert and Insert After items, which insert a new rule
before the selected rule (Insert) or after it (Insert After).
No—Indicates the order of evaluation for the rule.
Enabled—Indicates whether the rule is enabled or disabled.
Source—Specifies the IP address, network object group, interface IP, or any, from which traffic is
permitted or denied to the destination specified in the Destination Type field. An address column
might contain an interface name with the word any, such as inside:any. This means that any host on
the inside interface is affected by the rule.
Destination—Specifies the IP address, network object group, interface IP, or any, to which traffic is
permitted or denied from the source specified in the Source Type field. An address column might
contain an interface name with the word any, such as outside:any. This means that any host on the
outside interface is affected by the rule. Also, in detail mode, an address column might contain IP
addresses in square brackets, for example [209.165.201.1-209.165.201.30]. These addresses are
translated addresses. When an inside host makes a connection to an outside host, the firewall maps
the address of the inside host to an address from the pool. After a host creates an outbound
connection, the firewall maintains this address mapping. The address mapping structure is called an
xlate, and remains in memory for a period of time. During this time, outside hosts can initiate
connections to the inside host using the translated address from the pool, if allowed by the access
rule. Normally, outside-to-inside connections require a static translation so that the inside host
always uses the same IP address.
Service—Shows the service or protocol specified by the rule.
Action—The action that applies to the rule, either Permit or Deny.
Hits—Shows the number of hits for the rule. This column is dynamically updated depending on the
frequency set in the Preferences dialog box. Hit counts are applicable for explicit rules only. No hit
count will be displayed for implicit rules in the Access Rules table.
Logging—If you enable logging for the access rule, this column shows the logging level and the
interval in seconds between log messages.
Time—Displays the time range during which the rule is applied.
Description—Shows the description you entered when you added the rule. An implicit rule includes
the following description: “Implicit outbound rule.”
Addresses—Tab that lets you add, edit, delete, or find IP names or network object groups. IP address
objects are automatically created based on source and destination entries during rule creation so that
they can easily be selected in the creation of subsequent rules. They cannot be added, edited, or
deleted manually.
Services—Tab that lets you add, edit, delete, or find services.
Time Ranges—Tab that lets you add, edit, or delete time ranges.
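The following Python block is an added example, not code from the ASDM guide or from the ASA itself. It is a toy model of the behaviour the column descriptions above spell out: rules are evaluated in order of the No column and the first match wins, hit counts are kept for explicit rules but not for the implicit rule, a time range can take a rule out of play, and a NAT table in which the dynamic xlate created by an outbound connection lets outside hosts reach the inside host only while the xlate is alive and an outside access rule permits it, whereas a static translation never ages out. The sample addresses, the 180-second xlate timeout, the hour-of-day time range and the check order (xlate lookup before the rule match) are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    no: int                        # order of evaluation (the "No" column)
    source: str                    # CIDR or "any"
    destination: str               # CIDR or "any" (mapped addresses on the outside ACL)
    service: str                   # "ip", "tcp", "tcp/80", "udp/53", ...
    action: str                    # "permit" or "deny"
    enabled: bool = True
    hours: Optional[tuple] = None  # (start, end) hour-of-day window; None = always (assumed model)
    implicit: bool = False         # the implicit rule at the end never shows a hit count
    hits: int = 0

def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)

def _service_matches(spec: str, proto: str, port: int) -> bool:
    if spec == "ip":
        return True
    p, _, prt = spec.partition("/")
    return p == proto and (prt == "" or int(prt) == port)

def evaluate(rules, src, dst, proto, port, hour):
    """Return (action, rule_no) of the first enabled, in-time-range rule that matches."""
    for r in sorted(rules, key=lambda r: r.no):
        if not r.enabled:
            continue
        if r.hours is not None and not (r.hours[0] <= hour < r.hours[1]):
            continue
        if (_addr_matches(r.source, src) and _addr_matches(r.destination, dst)
                and _service_matches(r.service, proto, port)):
            if not r.implicit:
                r.hits += 1        # hit counts apply to explicit rules only
            return r.action, r.no
    raise RuntimeError("rule table must end with an implicit rule")

@dataclass
class Xlate:
    inside: str
    mapped: str
    expires: Optional[float]       # None = static translation, never ages out

class NatTable:                    # dynamic pool plus optional static translations, keyed by mapped address
    def __init__(self, pool, timeout=180.0, static=None):
        self.pool, self.timeout = list(pool), timeout
        self.xlates = {m: Xlate(i, m, None) for i, m in (static or {}).items()}
    def outbound(self, inside_ip, now):
        """An inside host opening a connection creates (or refreshes) its xlate."""
        for x in self.xlates.values():
            if x.inside == inside_ip:
                if x.expires is not None:
                    x.expires = now + self.timeout
                return x.mapped
        free = [m for m in self.pool if m not in self.xlates]
        if not free:
            raise RuntimeError("translation pool exhausted")
        self.xlates[free[0]] = Xlate(inside_ip, free[0], now + self.timeout)
        return free[0]
    def lookup_inbound(self, mapped_ip, now):
        """Return the inside host for a mapped address while its xlate is alive."""
        x = self.xlates.get(mapped_ip)
        if x is None:
            return None
        if x.expires is not None and now >= x.expires:
            del self.xlates[mapped_ip]   # aged out: the inbound window has closed
            return None
        return x.inside

def inbound_connection(nat, rules, src, mapped_dst, proto, port, hour, now):
    """Outside-to-inside attempt: needs a live xlate and a permitting outside rule (assumed order)."""
    inside = nat.lookup_inbound(mapped_dst, now)
    if inside is None:
        return "dropped: no xlate", None
    action, no = evaluate(rules, src, mapped_dst, proto, port, hour)
    return f"{action} by rule {no}", (inside if action == "permit" else None)

# Constructed sample outside-interface rule table; rule 3 is the implicit deny.
OUTSIDE_RULES = [
    Rule(1, "any", "209.165.201.0/27", "tcp/80", "permit", hours=(8, 18)),
    Rule(2, "192.0.2.0/24", "209.165.201.0/27", "tcp/22", "deny"),
    Rule(3, "any", "any", "ip", "deny", implicit=True),
]

def demo():
    nat = NatTable(pool=["209.165.201.1", "209.165.201.2"], timeout=180.0,
                   static={"10.1.1.10": "209.165.201.30"})
    mapped = nat.outbound("10.1.1.50", now=0.0)   # dynamic xlate for the inside host
    r1 = inbound_connection(nat, OUTSIDE_RULES, "198.51.100.7", mapped, "tcp", 80, 10, 60.0)
    r2 = inbound_connection(nat, OUTSIDE_RULES, "198.51.100.7", mapped, "tcp", 80, 10, 400.0)
    r3 = inbound_connection(nat, OUTSIDE_RULES, "198.51.100.7", "209.165.201.30", "tcp", 80, 20, 400.0)
    return mapped, r1, r2, r3, [r.hits for r in OUTSIDE_RULES]
```

In demo(), the first inbound attempt succeeds because the dynamic xlate is still alive and rule 1 permits HTTP during its time range; the same attempt 400 seconds later is dropped because the xlate has aged out; the attempt against the static translation outside the time range falls through to the implicit deny, which matches but records no hit. The point for rule review is that a permissive outside rule covering the dynamic pool exposes whichever inside host happens to hold an xlate, which is why the guide expects outside-to-inside access to use static translations.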