ACL Manager
Protocol and Service—Specifies the protocol and service to which this ACE applies. Service groups let you identify multiple non-contiguous port numbers that you want the ACL to match. For example, if you want to filter HTTP, FTP, and port numbers 5, 8, and 9, define a service group that includes all these ports. Without service groups, you would have to create a separate rule for each port.

You can create service groups for TCP, UDP, TCP-UDP, ICMP, and other protocols. A service group with the TCP-UDP protocol contains services, ports, and ranges that might use either the TCP or UDP protocol, so a single ACE that references it matches those ports over both transports.

Rule Flow Diagram—(Display only) Provides a graphical representation of the configured rule flow. The same diagram appears in the ACL Manager dialog box unless you explicitly close that display.

Options—Sets optional features for this rule, including logging parameters, time ranges, and a description.
Cisco ASA 5500 Series Configuration Guide using ASDM
64-18
Network Object Group—Specifies the name of the network object group. Choose a name from the drop-down list or click the ellipsis (...) button to browse for a network object group name.

Interface IP—Specifies the interface on which the host or network resides. Select an interface from the drop-down list. The default values are inside and outside. There is no browse function.

Protocol—Selects the protocol to which this rule applies. Possible values are ip, tcp, udp, icmp, and other. The remaining fields in the Protocol and Service area depend on the protocol you select, as follows:

Protocol: TCP and UDP—Selects TCP or UDP for the rule. The Source Port and Destination Port areas let you specify the ports that the ACL uses to match packets.

Source Port/Destination Port—(Available only for TCP and UDP) Specifies an operator and a port number, a range of ports, or a well-known service name from a list of services, such as HTTP or FTP. The operator specifies how the ACL matches the port. Choose one of the following: = (equals the port number), not = (does not equal the port number), > (greater than the port number), < (less than the port number), or range (equal to one of the port numbers in the range, inclusive). A TCP or UDP rule with no port operator matches every port, so a rule meant to permit a single service must carry an explicit operator or service group.

Group—(Available only for TCP and UDP) Selects a source or destination port service group. The Browse (...) button opens the Browse Source Port or Browse Destination Port dialog box.

Protocol: ICMP—Lets you choose an ICMP type or ICMP group from a preconfigured list, or browse (...) for an ICMP group. The Browse button opens the Browse ICMP dialog box.

Protocol: IP—Specifies the IP protocol for the rule. No other fields are available when you make this selection, because the rule then matches every IP protocol and every port.

Protocol: Other—Lets you choose a protocol from a drop-down list, choose a protocol group from a drop-down list, or browse for a protocol group. The Browse (...) button opens the Browse Other dialog box.
Logging—Enables or disables logging for this rule, or specifies the use of the default logging settings. If logging is enabled, the Syslog Level and Log Interval fields become available. With the default setting, the ASA generates syslog message 106023 for each packet denied by the rule and nothing for permitted packets. With rule-level logging enabled, the ASA instead generates syslog message 106100 for the first packet that matches the ACE and then, once per log interval, a single message that reports how many further packets matched, which bounds the log volume a flood of matching traffic can produce.

Syslog Level—Selects the severity level at which the rule's log messages are generated. The default is Informational.

Log Interval—Specifies the interval for permit and deny logging. The default is 300 seconds. The range is 1 through 600 seconds.

Time Range—Selects the name of the time range to use with this rule. The default is (any). Click the Browse (...) button to open the Browse Time Range dialog box to select or add a time range. Time ranges are evaluated against the ASA system clock, so keep the clock synchronized (for example, with NTP) when rules depend on them.

Description—(Optional) Provides a brief description of this rule. A description line can be up to 100 characters long, but you can break a description into multiple lines.
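The ASDM fields described above each correspond to ASA CLI configuration, which is also the form you see with show running-config after saving the dialog. The following is an added example, not part of the Cisco guide, showing the equivalent configuration for the page's own service-group example (HTTP, FTP, and ports 5, 8, and 9), a TCP-UDP group, an ICMP group, a time range, per-rule logging with a level and interval, and a description (remark). All object names, the ACL name OUTSIDE_IN, and the addresses are assumed for illustration.

```cisco
! Added example (not from the Cisco guide): the CLI configuration that the
! Add/Edit ACE fields above correspond to. Object names (DMZ-HOSTS,
! DMZ-SERVICES, TCPUDP, DNS-BOTH, ICMP-ALLOWED, BUSINESS-HOURS, OUTSIDE_IN)
! and the RFC 5737 / RFC 1918 addresses are assumptions.

! Network Object Group: the destination hosts the rules refer to.
object-group network DMZ-HOSTS
 network-object host 192.0.2.10
 network-object 192.0.2.32 255.255.255.240

! Service group for the page's example: HTTP, FTP, and ports 5, 8, and 9.
! One ACE referencing this group replaces five separate port rules.
object-group service DMZ-SERVICES tcp
 port-object eq www
 port-object eq ftp
 port-object eq 5
 port-object eq 8
 port-object eq 9

! TCP-UDP service group, plus a protocol group so one ACE matches the
! port over either transport (DNS is carried over both).
object-group protocol TCPUDP
 protocol-object tcp
 protocol-object udp
object-group service DNS-BOTH tcp-udp
 port-object eq domain

! ICMP group (Protocol: ICMP with an ICMP group selected).
object-group icmp-type ICMP-ALLOWED
 icmp-object echo
 icmp-object echo-reply

! Time Range referenced by the first rule; evaluated against the ASA clock.
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 18:00

! Description (remark, at most 100 characters per line) followed by the ACE.
! 'log informational interval 300' is the dialog's default Logging setting:
! syslog 106100 is emitted for the first hit, then once per 300 s with a count.
access-list OUTSIDE_IN remark Clients to DMZ web/FTP and legacy ports during business hours
access-list OUTSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 object-group DMZ-HOSTS object-group DMZ-SERVICES time-range BUSINESS-HOURS log informational interval 300

! Port operators: eq / neq / gt / lt / range are what the dialog's
! =, not =, >, <, and range choices generate.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 range 8080 8081
access-list OUTSIDE_IN extended permit object-group TCPUDP any host 192.0.2.10 object-group DNS-BOTH
access-list OUTSIDE_IN extended permit icmp any object-group DMZ-HOSTS object-group ICMP-ALLOWED

! Explicit final deny with logging at a higher severity and a shorter
! interval, so blocked traffic is summarized every 60 s rather than
! producing one 106023 message per denied packet.
access-list OUTSIDE_IN extended deny ip any any log warnings interval 60

! Apply the ACL inbound on the outside interface.
access-group OUTSIDE_IN in interface outside
```

The second permit rule deliberately uses a destination range without a service group, so you can compare the two forms; in the running configuration ASDM shows the service-group form wherever you picked a group in the dialog and the operator form wherever you typed a port.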
Chapter 64
General VPN Setup
OL-20339-01