Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 7 Configuring Access Rules
Guidelines and Limitations
Step 5 In the Action field, click one of the following radio buttons next to the desired action:
Permit—Permits access if the conditions are matched.
Deny—Denies access if the conditions are matched.
Step 6 In the EtherType field, choose an EtherType value from the drop-down list.
Step 7 (Optional) In the Description field, add a text description about the rule.
The description can contain multiple lines; however, each line can be no more than 100 characters in
length.
Step 8 (Optional) To specify the direction for this rule, click More Options to expand the list, and then specify
the direction by clicking one of the following radio buttons:
In—Incoming traffic
Out—Outgoing traffic
Step 9 Click OK.
Configuring Management Access Rules
You can configure an interface ACL that supports access control for to-the-box management traffic from
a specific peer (or set of peers) to the security appliance. One scenario in which this type of ACL would
be useful is when you want to block IKE Denial of Service attacks.
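The IKE scenario above, written as the equivalent ASA CLI; this is an added example, not part of the original guide. The ACL name MGMT-IKE, the interface name outside, and the peer range 198.51.100.0/24 are constructed placeholders. The comments map each line to a field of the Add Management Access Rule dialog box.

```cisco
! Description field: stored as a remark on the ACL
access-list MGMT-IKE remark Drop IKE from an untrusted peer range to the ASA itself
!
! Action = Deny, Source = 198.51.100.0/24 (constructed peer range),
! Service = udp/isakmp (UDP port 500)
access-list MGMT-IKE extended deny udp 198.51.100.0 255.255.255.0 any eq isakmp
!
! Interface = outside. The control-plane keyword is what makes this a
! management access rule: it applies to to-the-box traffic, not through traffic.
access-group MGMT-IKE in interface outside control-plane
!
! Check: the hit count on the deny entry shows whether the rule is matching.
show access-list MGMT-IKE
```

Without the control-plane keyword, the same access-group command would apply the ACL to traffic passing through the interface rather than to traffic addressed to the appliance.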
To configure an extended ACL that permits or denies packets for to-the-box traffic, perform the
following steps:
Step 1 Choose Configuration > Device Management > Management Access > Management Access Rules.
Step 2 Click Add, and choose one of the following actions:
The Add Management Access Rule dialog box appears.
Step 3 From the Interface drop-down list, choose an interface on which to apply the rule. Choose Any to apply
a global rule.
Step 4 In the Action field, click one of the following radio buttons to choose the action:
Permit—Permits access if the conditions are matched.
Deny—Denies access if the conditions are matched.
Step 5 In the Source field, enter an IP address that specifies the network object group, interface IP, or any
address from which traffic is permitted or denied. You may use either an IPv4 or IPv6 address.
Note: IPv6 must be enabled on at least one interface before you can configure an extended ACL with
an IPv6 address. For more information about enabling IPv6 on an interface, see the “Configuring
IPv6 Addressing” section on page 13-15 in the general operations configuration guide.
Step 6 In the Service field, add a service name for rule traffic, or click the ellipsis (...) to browse for a service.
Step 7 (Optional) In the Description field, add a description for this management access rule.
The description can contain multiple lines; however, each line can be no more than 100 characters in
length.