Cisco ASA 5505 Configuration Manual page 334

Extended ACL
This pane provides summary information about extended ACLs, and lets you add or edit ACLs and ACEs.
Fields
Cisco ASA 5500 Series Configuration Guide using ASDM
15-2
Action—Determines the action type of the new rule. Select either permit or deny.
Permit—Permits all matching traffic.
Deny—Denies all matching traffic.
Description—Shows the description you typed when you added the rule. An implicit rule includes the following description: "Implicit outbound rule."
More Options—Lets you specify the source service (TCP or UDP only), a time range, and logging interval.
Add—Lets you add a new ACL. When you highlight an existing ACL, it lets you add a new ACE for that ACL.
Edit—Opens the Edit ACE dialog box, in which you can change an existing access control list rule.
Delete—Removes an ACL or ACE. There is no confirmation or undo.
Move Up/Move Down—Changes the position of a rule in the ACL Manager table.
Cut—Removes the selection from the ACL Manager table and places it on the clipboard.
Copy—Places a copy of the selection on the clipboard.
Paste—Opens the Paste ACE dialog box, in which you can create a new ACL rule from an existing rule.
No—Indicates the order of evaluation for the rule. Implicit rules are not numbered, but are represented by a hyphen.
Enabled—Enables or disables a rule. Implicit rules cannot be disabled.
Source—Specifies the IP addresses (Host/Network) that are permitted or denied to send traffic to the IP addresses listed in the Destination column. In detail mode (see the Show Detail radio button), an address column might contain an interface name with the word any, such as inside: any. This means that any host on the inside interface is affected by the rule.
Destination—Specifies the IP addresses (Host/Network) that are permitted or denied to send traffic to the IP addresses listed in the Source column. An address column might contain an interface name with the word any, such as outside: any. This means that any host on the outside interface is affected by the rule. An address column might also contain IP addresses; for example 209.165.201.1-209.165.201.30. These addresses are translated addresses. When an inside host makes a connection to an outside host, the firewall maps the address of the inside host to an address from the pool. After a host creates an outbound connection, the firewall maintains this address mapping. The address mapping structure is called an xlate, and remains in memory for a period of time. During this time, outside hosts can initiate connections to the inside host using the translated address from the pool, if allowed by the ACL. Normally, outside-to-inside connections require a static translation so that the inside host always uses the same IP address.
Service—Names the service and protocol specified by the rule.
Action—Specifies whether this filter permits or denies traffic flow.
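The CLI equivalent of the fields above, as an added example that is not part of this guide page: a dynamic pool matching the Destination column's address range, an overly broad inbound ACE that would let outside hosts use an existing xlate, and the static translation plus narrow ACE the text recommends instead. It uses pre-8.3 ASA syntax (assumed to match this guide's release); the interface names, the ACL name OUTSIDE_IN, the host 10.1.1.10 and the static address 209.165.200.225 are assumptions.

```cisco
! Added example, not from the manual page. Lines beginning with "!" are commentary.
!
! Dynamic outbound translation: inside hosts are mapped to the pool that the
! Destination column shows as 209.165.201.1-209.165.201.30.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 209.165.201.1-209.165.201.30
!
! Overly broad ACE: permits any outside host to any pool address on any TCP port.
! While an inside host's xlate to a pool address is still in memory, an outside
! host can open a new inbound connection to that host, because this ACE allows it.
access-list OUTSIDE_IN extended permit tcp any 209.165.201.0 255.255.255.224
!
! Preferred: remove the broad ACE, give the one host that must be reachable from
! outside a static translation (an assumed address outside the dynamic pool), and
! permit only that host and service (HTTP). Anything not matched by an ACE is
! dropped by the implicit deny at the end of the ACL.
no access-list OUTSIDE_IN extended permit tcp any 209.165.201.0 255.255.255.224
static (inside,outside) 209.165.200.225 10.1.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN remark HTTP only, to the published web server
access-list OUTSIDE_IN extended permit tcp any host 209.165.200.225 eq www
!
! Apply the ACL to traffic entering the outside interface.
access-group OUTSIDE_IN in interface outside
```

In ASDM the same rules appear in this pane with Source any, the Destination column showing the static address, and Service tcp/http; the implicit deny is the unnumbered rule shown with a hyphen.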
Chapter 15
Using the ACL Manager
OL-20339-01
