Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Configuring Management Access Rules

37-10

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter37 Configuring Access Rules

Configuring Access Rules

•No—Indicates the order of evaluation for the rule.

•Action—Permit or deny action for this rule.

•Ethervalue—EtherType value: IPX, BPDU, MPLS-Unicast, MPLS-Multicast, or a 16-bit

hexadecimal value between 0x600 (1536) and 0xffff by which an EtherType can be identified.

•Interface—Interface to which the rule is applied.

•Direction Applied—Direction for this rule: incoming traffic or outgoing traffic.

•Description—Optional text description of the rule.

Configuration> Security Policy > Ethertype Rules > Add/Edit Ethertype Rules

The Add/Edit EtherTypeRules dialog box lets you add or edit an EtherType rule.

For more information about EtherType rules, see the “Information About Access Rules” section on

page 37-1.

Fields

•Action—Permit or deny action for this rule.

•Interface—Interface name for this rule.

•Apply rule to—Direction for this rule: incoming traffic or outgoing traffic.

•Ethervalue—EtherType value: BPDU, IPX, MPLS-Unicast, MPLS-Multicast, any (any value

between 0x600 and 0xffff), or a 16-bit hexadecimal value between 0x600 (1536) and 0xffff by which

an EtherType can be identified.

•Description—Optional text description of the rule.

Configuring Management Access Rules

You can configure an interface ACL that supports access control for to-the-box management traffic from

a specific peer (or set of peers) to the security appliance. One scenario in which this type of ACL would

be useful is when you want to block IKE Denial of Service attacks.

To configure an extended ACL that permits or denies packets for to-the-box traffic, perform the

following steps:

Step1 Choose Configuration > Device Management > Management Access > Management Access Rules.

Step2 Click Add, and choose one of the following actions:

•Add Management Access Rule

•Add IPv6 Management Access Rule

The appropriate Add Management Access Rule dialog box appears.

Step3 From the Interface drop-down list, choose an interface on which to apply the rule. Choose Any to apply

a global rule.

Step4 In the Action field, click one of the following radio buttons to choose the action:

•Permit—Permits access if the conditions are matched.

•Deny—Denies access if the conditions are matched.

Cisco Systems Configuring Management Access Rules