6-49
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 6 Managing Policy Objects
Creating Access Control List Objects
An Access Control List (ACL) object is made up of one or more access control entries (ACEs), one or
more ACL objects, or a combination of both. Each ACE is an individual permit or deny statement within
an ACL. You can use ACL policy objects in several other policies and policy objects.
You can create the following types of ACL objects:
Extended – Extended ACLs enable you to specify source and destination addresses and service (or
traffic protocol) and, depending on the protocol type, the ports (for TCP or UDP) or the ICMP type
(for ICMP). For information on extended ACL objects, see Creating Extended Access Control List
Objects, page 6-50.
Standard – Standard ACLs use only the source address for matching traffic. For information on
standard ACL objects, see Creating Standard Access Control List Objects, page 6-51.
Web – Web ACLs use the destination address and port, or a URL filter. For information on Web Type
ACL objects, see Creating Web Access Control List Objects, page 6-52.
Unified – Unified ACL objects let you use source networks/hosts, source security groups, users,
destination networks/hosts, destination security groups, and services to match traffic. Further, the
network/host specifications can contain IPv4 addresses, IPv6 addresses, or a combination of both.
(With the release of Security Manager 4.4 and ASA 9.0+, the separate IPv4 and IPv6
addressing/objects were “unified.”) See Creating Unified Access Control List Objects, page 6-54, for
more information about these ACLs.
For reference information about the dialog boxes used with these objects, see Add or Edit Access List
Dialog Boxes, page 6-55.
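The structure described above (an ACL object as an ordered mix of ACEs and other ACL objects, each type with its own match fields) can be modelled and checked as follows. This is an added example, not Security Manager code: the type names, field names and the flattening rule are assumptions for illustration, and the sample objects are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Union

# Match fields each ACL object type may use, following the type descriptions
# above (ports and ICMP types are folded into "service" here; assumption).
ALLOWED_FIELDS = {
    "standard": {"source"},
    "extended": {"source", "destination", "service"},
    "web": {"destination", "service", "url"},
    "unified": {"source", "destination", "service",
                "source_security_group", "destination_security_group", "user"},
}


@dataclass
class ACE:
    """One permit or deny statement; the keys of `match` are its match fields."""
    action: str                 # "permit" or "deny"
    match: Dict[str, str]


@dataclass
class ACLObject:
    """An ACL object: an ordered list of ACEs and/or other ACL objects."""
    name: str
    acl_type: str               # "standard", "extended", "web" or "unified"
    entries: List[Union[ACE, "ACLObject"]] = field(default_factory=list)


def flatten(acl: ACLObject, path=()) -> List[ACE]:
    """Expand nested ACL objects, in order, into a flat list of ACEs.

    Raises ValueError if an ACE uses a field its ACL type does not support,
    or if an object (directly or indirectly) contains itself.
    """
    if acl.name in path:
        raise ValueError("circular reference: " + " -> ".join(path + (acl.name,)))
    allowed = ALLOWED_FIELDS[acl.acl_type]
    aces: List[ACE] = []
    for entry in acl.entries:
        if isinstance(entry, ACLObject):
            aces.extend(flatten(entry, path + (acl.name,)))
            continue
        if entry.action not in ("permit", "deny"):
            raise ValueError(f"{acl.name}: bad action {entry.action!r}")
        unsupported = set(entry.match) - allowed
        if unsupported:
            raise ValueError(f"{acl.name} ({acl.acl_type}): unsupported {sorted(unsupported)}")
        aces.append(entry)
    return aces


# Constructed sample: an extended ACL that reuses a shared "web_servers" object.
WEB_SERVERS = ACLObject("web_servers", "extended", [
    ACE("permit", {"source": "10.0.0.0/8", "destination": "192.0.2.10/32", "service": "tcp/443"}),
])
OUTSIDE_IN = ACLObject("outside_in", "extended", [
    ACE("deny", {"source": "192.168.0.0/16", "destination": "any", "service": "ip"}),
    WEB_SERVERS,
])
```

Running `flatten(OUTSIDE_IN)` yields the deny ACE followed by the permit ACE from the nested object; a standard ACL whose ACE names a destination, or an object that references itself, is rejected.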
Table 6-17 AAA Server Group Dialog Box (Continued)

Element: Group Accounting Mode (PIX, ASA, FWSM devices only.)
Description: When using the server group for accounting (the protocol must be RADIUS or
TACACS+), the method for sending accounting messages to the AAA servers in the group:
  Single—Accounting messages are sent to a single server in the group. This is the default.
  Simultaneous—Accounting messages are sent to all servers in the group simultaneously. If you
  select this option, the ASA forces the use of Timed as the reactivation mode.

Element: Category
Description: The category assigned to the object. Categories help you organize and identify rules
and objects. See Using Category Objects, page 6-12.

Element: Allow Value Override per Device / Overrides / Edit button
Description: Whether to allow the object definition to be changed at the device level. For more
information, see Allowing a Policy Object to Be Overridden, page 6-18, and Understanding Policy
Object Overrides for Individual Devices, page 6-17.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides.
The Overrides field indicates the number of devices that have overrides for this object.