Chapter 7 Configuring Access Rules

Guidelines and Limitations

Step 8 (Optional) Logging is enabled by default. You can disable logging by unchecking the check box, or you can change the logging level from the drop-down list. The default logging level is Informational.

Step 9 (Optional) To add a source service (TCP, UDP, and TCP-UDP only) and a time range to your access rule that specifies when traffic can be allowed or denied, click More Options to expand the list. If you want to turn off this Management Access Rule, uncheck Enable Rule.

Add a source service in the Source Service field, or click the ellipsis (...) to browse for a service.

The destination service and source service must be the same. Copy and paste the destination Service field to the Source Service field.

To configure the logging interval (if you enable logging and choose a non-default setting), enter a value in seconds in the Logging Interval field.

To select a predefined time range for this rule, from the Time Range drop-down list, choose a time range; or click the ellipsis (...) to browse for a time range. You can also specify additional time constraints for the time range, such as specifying the days of the week or the recurring weekly interval in which the time range will be active.

Step 10 Click OK. The dialog box closes, and the Management Access rule is added.

Step 11 Click Apply. The rule is saved in the running configuration.

Advanced Access Rule Configuration

The Advanced Access Rule Configuration dialog box lets you set global access rule logging options.

When you enable logging, if a packet matches the access rule, the ASA creates a flow entry to track the number of packets received within a specific interval. The ASA generates a system log message at the first hit and at the end of each interval, identifying the total number of hits during the interval and reporting the time of the last hit.

Note The ASA pane displays the hit count information in the “last rule hit” row. To view the rule hit count and timestamp, choose Configuration > Firewall > Advanced > ACL Manager, and hover the mouse pointer over a cell in the ACL Manager table.

At the end of each interval, the ASA resets the hit count to 0. If no packets match the access rule during an interval, the ASA deletes the flow entry.

A large number of flows can exist concurrently at any point in time. To prevent unlimited consumption of memory and CPU resources, the ASA places a limit on the number of concurrent deny flows; the limit applies only to deny flows (not permit flows) because they can indicate an attack. If someone initiates a denial of service attack, the ASA could otherwise create a very large number of deny flows in a very short period of time. When the limit is reached, the ASA does not create a new deny flow until the existing flows expire.

Prerequisites

These settings only apply if you enable the newer logging mechanism for the access rule.

Fields

Maximum Deny-flows—The maximum number of deny flows permitted before the ASA stops logging, between 1 and the default value. The default is 4096.
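The logging mechanism described under Advanced Access Rule Configuration (a flow entry per match, a record at the first hit and at the end of each interval, a reset to 0, deletion of idle flows, and the Maximum Deny-flows cap) can be modelled to see what records a defender will and will not receive. The following is an added example, not ASA code or Cisco's implementation; the class, method and field names are hypothetical, and the scenario in `demo()` is constructed.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    interval_start: float   # start of the current logging interval
    hits: int = 0           # packets matched during this interval
    last_hit: float = 0.0   # time of the most recent match
class AccessRuleLogger:
    """Model of the ASA per-rule logging described above (added example, not ASA code):
    one flow per distinct match, a record at the first hit and at each interval end, a deny-flow cap."""
    def __init__(self, interval=300, max_deny_flows=4096):
        self.interval = interval               # Logging Interval, seconds
        self.max_deny_flows = max_deny_flows   # Maximum Deny-flows
        self.flows = {}    # (rule, action, key) -> Flow
        self.events = []   # (time, rule, action, kind, hits, last_hit)
        self.unlogged_denies = 0   # deny matches refused a flow (cap hit)

    def _advance(self, now):
        """Close every interval that ended before `now`."""
        for fid, f in list(self.flows.items()):
            while now >= f.interval_start + self.interval:
                if f.hits == 0:            # idle for a whole interval: delete
                    del self.flows[fid]
                    break
                end = f.interval_start + self.interval
                self.events.append((end, *fid[:2], "interval", f.hits, f.last_hit))
                f.hits, f.interval_start = 0, end   # reset the count to 0

    def match(self, now, rule, action, key):
        """A packet identified by `key` (e.g. a 5-tuple) matched `rule` at `now`."""
        self._advance(now)
        fid = (rule, action, key)
        f = self.flows.get(fid)
        if f is None:
            denies = sum(1 for _r, a, _k in self.flows if a == "deny")
            if action == "deny" and denies >= self.max_deny_flows:
                self.unlogged_denies += 1   # cap reached: no new deny flow
                return False
            f = self.flows[fid] = Flow(interval_start=now)
            self.events.append((now, rule, action, "first hit", 1, now))
        f.hits, f.last_hit = f.hits + 1, now
        return True

def demo():
    """Constructed scenario: 60 s interval, cap of 2 concurrent deny flows."""
    log = AccessRuleLogger(interval=60, max_deny_flows=2)
    for t, src in [(0, "a"), (5, "b"), (6, "c"), (10, "a"), (60, "a")]:
        log.match(t, "outside_in", "deny", src)   # "c" is refused by the cap
    log.match(200, "inside_out", "permit", "d")   # closes the idle deny flows
    return log
```

In the scenario, the third deny source gets no flow and no record once the cap is reached, which is the blind spot to keep in mind when sizing Maximum Deny-flows against the log volume you can absorb.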

Cisco ASA Series Firewall ASDM Configuration Guide

7-11


Cisco Systems has long been a leader in the field of network security, and its Adaptive Security Appliance (ASA) series is a testament to this expertise. Within the ASA lineup, models such as the ASA 5505, ASA 5580, ASA 5585-X, ASA 5545-X, and ASA 5555-X stand out for their unique features, capabilities, and technological advancements.

The Cisco ASA 5505 is designed for small businesses or branch offices. It provides essential security features such as firewall protection, flexible VPN capabilities, and intrusion prevention. The ASA 5505 supports a user-friendly interface, allowing for straightforward management. Its built-in threat detection and prevention tools provide a layered defense, and with scalability in mind, it can accommodate various expansion options as organizational needs grow.

Moving up the line, the ASA 5580 delivers greater throughput and advanced security features. This model is suited for medium to large enterprises that require robust protection against increasingly sophisticated threats. Its multi-core architecture allows it to manage high volumes of traffic seamlessly while maintaining excellent performance levels. The ASA 5580 also supports application-layer security and customizable access policies, making it highly adaptable to diverse security environments.

The ASA 5585-X further enhances Cisco's security offerings with advanced malware protection and extensive security intelligence capabilities. It incorporates next-generation firewall features, including context-aware security, and supports advanced threat detection technologies. This model is ideal for large enterprises or data centers that prioritize security while ensuring uninterrupted network performance and availability.

For enterprises requiring a balance of performance and security, the ASA 5545-X presents a compelling option. This model features scalable performance metrics, high availability, and integrated advanced threat protection. Coupled with advanced endpoint protection and detailed monitoring capabilities, the ASA 5545-X enables organizations to manage their security posture effectively.

Lastly, the ASA 5555-X blends cutting-edge technologies with strong security infrastructures. It boasts high throughput and the ability to execute deep packet inspections. Its sophisticated architecture supports threat intelligence feeds that provide real-time security updates, making it a powerful tool against modern threats.

Each of these Cisco ASA models brings specific advantages to varied environments. Their integrative capabilities enable businesses to enhance their security postures while benefiting from seamless scalability and management. As cybersecurity threats evolve, these advanced appliances play a vital role in protecting valuable digital assets.