6-74
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 6 Managing Policy Objects
Understanding Networks/Hosts Objects
Inspection Rules—When configuring inspection rules, you can use Security Manager to create
policy map objects for the following applications: DCE/RPC, DNS, ESMTP, FTP, GTP, H.323,
HTTP, IM, IP options, IPsec, NetBIOS, SIP, Skinny, and SNMP. For more information, see
Configuring Protocols and Maps for Inspection, page 17-21.
Zone-Based Firewall Inspection Rules—When configuring zone-based firewall inspection rules,
you can use Security Manager to create policy map objects for the following applications: H.323,
HTTP, IM (includes AOL, ICQ, MSN Messenger, Windows Messenger, and Yahoo Messenger),
IMAP, P2P (includes eDonkey, FastTrack, Gnutella, Kazaa2), POP3, SIP, SMTP, Sun RPC. For
more information, see Configuring Inspection Maps for Zone-based Firewall Policies, page 21-15.
Zone-Based Firewall Content Filtering Rules—When configuring zone-based firewall content
filtering rules, you can use Security Manager to create Web Filter policy maps. You can also
configure HTTP policy maps to inspect HTTP traffic. For more information, see Configuring
Content Filtering Maps for Zone-based Firewall Policies, page 21-35.
IPS, QoS and Connection Rules—When configuring this service policy, which is specific to PIX
7.x+ and ASA devices, you can customize TCP inspection using a TCP map. For more information,
see Configuring TCP Maps, page 56-20 and Chapter 56, “Configuring Service Policy Rules on
Firewall Devices”.
Understanding Networks/Hosts Objects
Networks/Hosts objects are logical collections of IP addresses that represent networks, hosts, or both.
Note As of Security Manager 4.4, there are no longer separate IPv4 and IPv6 Networks/Hosts objects—there
is now a single, unified Networks/Hosts object, which may accept IPv4 addresses, IPv6 addresses, or
both (in the case of group objects). However, group objects containing a mixture of IPv4 and IPv6
addresses can be assigned only to policies on ASA 9.0.1 and later devices. See Policy Object Changes
in Security Manager 4.4, page 1-9 for more information.
When you create a Networks/Hosts object, you must choose the type of object, which defines and limits
the type of addresses the object can contain:
Group – You can include combinations of any of the following types of addresses:
Networks or subnets, specified by IPv4 addresses and subnet masks, or IPv6 prefixes and prefix
lengths.
Ranges of IPv4 or IPv6 network addresses.
Individual hosts, specified by IPv4 or IPv6 addresses (but not a domain name).
Other network/host objects, selected from a list of existing Networks/Hosts objects, including
fully qualified domain name (FQDN) objects.
FQDN – (ASA 8.4(2+) only) This object can contain a single host’s fully qualified domain name,
such as myhost.cisco.com. The device uses DNS to periodically resolve the FQDN to its IP address.
Host – This object can contain a single host IPv4 or IPv6 address, such as 10.100.10.10 or
2001:DB8::0DB8:800:200C:417A.
Address Range – This object can contain a single range of IPv4 or IPv6 addresses; the start and end
addresses must be different, with the start being lower than the end.
Network – This object can contain a single IPv4 network address and subnet mask, such as
10.100.10.0/24, or a single IPv6 prefix and prefix length, such as 2001:DB8::/32.
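The object types above each carry a constraint that is easy to get wrong when objects are built outside the GUI (for example, when bulk-importing them): a Host must be a single address and not a domain name, a Network must be a prefix whose host bits are zero, an Address Range must have a start lower than its end, and a Group that mixes IPv4 and IPv6 members can be assigned only to ASA 9.0.1 and later. The following Python is an added example, not code from the Cisco Security Manager guide or product; the dict layout, the type-name strings, the "start-end" range syntax, the sample catalog and the version-tuple check are this example's own assumptions, and it uses only the standard library.

```python
import ipaddress
import re

# Object types described in the guide. These literal names are this example's
# own assumption, not Security Manager's internal identifiers.
GROUP, FQDN, HOST, RANGE, NETWORK = "group", "fqdn", "host", "range", "network"

# Simplified hostname pattern (example's own): dotted labels ending in a TLD,
# which an IP address literal cannot satisfy.
_FQDN_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def _parse_range(value):
    """Parse 'start-end' (example's own syntax) into two ip_address objects."""
    start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
    return start, end


def validate(obj, catalog=None):
    """Return a list of rule violations for one object; an empty list means valid.

    obj is {"type": ..., "value": ...} or, for a group, {"type": "group",
    "members": [...]} where each member is an inline object dict or the name
    of another object in catalog.
    """
    catalog = catalog or {}
    errors = []
    kind = obj.get("type")
    try:
        if kind == HOST:
            ipaddress.ip_address(obj["value"])  # single IPv4/IPv6 address, never a name
        elif kind == NETWORK:
            # strict=True rejects host bits set under the mask, e.g. 10.100.10.5/24
            ipaddress.ip_network(obj["value"], strict=True)
        elif kind == RANGE:
            start, end = _parse_range(obj["value"])
            if start.version != end.version:
                errors.append("range endpoints must be the same IP version")
            elif start >= end:
                errors.append("range start must be lower than range end")
        elif kind == FQDN:
            if not _FQDN_RE.match(obj["value"]):
                errors.append("FQDN must be a domain name, not an address")
        elif kind == GROUP:
            for member in obj.get("members", []):
                target = catalog.get(member) if isinstance(member, str) else member
                label = member if isinstance(member, str) else member.get("value", "?")
                if target is None:
                    errors.append(f"unknown member object {label!r}")
                else:
                    errors.extend(f"member {label}: {e}" for e in validate(target, catalog))
        else:
            errors.append(f"unknown object type {kind!r}")
    except ValueError as exc:  # raised by the ipaddress parsers on bad input
        errors.append(str(exc))
    return errors


def ip_versions(obj, catalog=None):
    """Return the set of IP versions an object contains: {4}, {6} or {4, 6}.

    FQDN objects are resolved by the device at run time, so they add none.
    """
    catalog = catalog or {}
    kind = obj["type"]
    if kind == HOST:
        return {ipaddress.ip_address(obj["value"]).version}
    if kind == NETWORK:
        return {ipaddress.ip_network(obj["value"], strict=True).version}
    if kind == RANGE:
        return {_parse_range(obj["value"])[0].version}
    if kind == GROUP:
        versions = set()
        for member in obj.get("members", []):
            target = catalog[member] if isinstance(member, str) else member
            versions |= ip_versions(target, catalog)
        return versions
    return set()


def assignable_to_asa(obj, asa_version, catalog=None):
    """Mixed IPv4/IPv6 groups may be assigned only to ASA 9.0.1 and later;
    asa_version is a tuple such as (9, 0, 1) (the tuple form is this example's)."""
    if ip_versions(obj, catalog) == {4, 6}:
        return tuple(asa_version) >= (9, 0, 1)
    return True


# Constructed sample objects for illustration; not from any real deployment.
CATALOG = {
    "web-v4": {"type": HOST, "value": "10.100.10.10"},
    "web-v6": {"type": HOST, "value": "2001:DB8::0DB8:800:200C:417A"},
    "lan": {"type": NETWORK, "value": "10.100.10.0/24"},
    "v6-prefix": {"type": NETWORK, "value": "2001:DB8::/32"},
    "dmz-range": {"type": RANGE, "value": "10.100.20.1-10.100.20.50"},
    "portal": {"type": FQDN, "value": "myhost.cisco.com"},
    "bad-range": {"type": RANGE, "value": "10.100.20.50-10.100.20.50"},
    "bad-net": {"type": NETWORK, "value": "10.100.10.5/24"},
    "mixed": {"type": GROUP, "members": ["lan", "v6-prefix", "portal"]},
    "v4-only": {"type": GROUP, "members": ["lan", "dmz-range", "web-v4"]},
}

if __name__ == "__main__":
    for name, obj in CATALOG.items():
        print(name, validate(obj, CATALOG) or "ok", sorted(ip_versions(obj, CATALOG)))
```

Running the block prints one line per sample object; "bad-range" and "bad-net" report violations while the rest report "ok". The version check is kept separate from validation because a mixed group is a valid object in its own right; only its assignment to a pre-9.0.1 ASA is the problem, which is why assignable_to_asa takes the device version as input.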