12-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 12 Introduction to Firewall Services
Overview of Firewall Services
One of the following:
Inspection rules (In direction), web filter rules (In direction), botnet rules, service policy rules (IPS, QoS, Connection)—All of these are applied to the traffic. For devices that do not allow you to configure the direction, all rules are considered to be in the In direction.
Zone-based firewall rules—If you configured zone-based rules for an IOS device, these rules replace inspection and web filter rules (botnet rules do not apply to IOS devices).
Routing protocols are then applied to the traffic. The traffic is dropped if it cannot be routed. (Routing policies are in the Platform folders for the various device types and are not considered firewall policies.)
ScanSafe Web Security policies, Inspection rules (Out direction), web filter rules (Out direction)—For IOS devices only, if you created ScanSafe policies, or inspection or web filter rules in the Out direction, they are now applied.
Access rules (Out direction)—Finally, the traffic must pass through any Out direction access rules.
Transparent rules do not fit into this picture. Because transparent rules apply to non-IP layer-2 traffic only, if a transparent rule applies to a packet, no other firewall rule applies to it; and conversely, if other rules apply, the transparent rule never applies.
Related Topics
Understanding AAA Rules, page 15-1
Understanding Access Rules, page 16-1
Understanding Inspection Rules, page 17-1
Understanding Web Filter Rules, page 18-1
Understanding the Zone-based Firewall Rules, page 21-3
Chapter 19, “Managing Firewall Botnet Traffic Filter Rules”
Configuring Transparent Firewall Rules, page 22-1
Understanding How NAT Affects Firewall Rules
Devices that support firewall rules also allow you to configure network address translation (NAT). NAT substitutes the real address in a packet with a mapped address that is routable on the destination network. If you configure NAT to occur on an interface, the firewall rules that are also configured on that interface should assess traffic based on the translated address rather than on the original (pre-NAT) address, with the exception of ASA 8.3+ devices.
Devices running ASA software release 8.3 and higher use the original, or real, IP address when evaluating traffic, with the exception of IPSec VPN traffic policies. Thus, when you configure firewall rules, ACL policy objects, or the IPS, QoS, and connection rules platform service policy, ensure that you use the original addresses.
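The following is an added illustration, not code from Security Manager or the Cisco ASA: a small model of how the same access rule is evaluated against the mapped address on pre-8.3 ASA/PIX/FWSM software and against the real address on ASA 8.3 and higher, plus a check that flags rules still written in mapped-address terms. It assumes static one-to-one NAT, source-address-only rules, and constructed addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    real: str    # original (pre-NAT) host address
    mapped: str  # translated address routable on the destination network


@dataclass(frozen=True)
class AccessRule:
    action: str  # "permit" or "deny"
    src: str     # source network in CIDR notation


def translate(addr: str, nat: list[NatRule]) -> str:
    """Return the mapped address for a real host, or the address unchanged."""
    for rule in nat:
        if rule.real == addr:
            return rule.mapped
    return addr


def evaluate(src_addr: str, acl: list[AccessRule], nat: list[NatRule], asa_version: str) -> str:
    """Decide permit/deny for a packet using the address the ACL actually sees."""
    major, minor = (int(x) for x in asa_version.split(".")[:2])
    # ASA 8.3+ evaluates rules on the real address; older releases on the mapped one.
    seen = src_addr if (major, minor) >= (8, 3) else translate(src_addr, nat)
    for rule in acl:
        if ip_address(seen) in ip_network(rule.src):
            return rule.action
    return "deny"  # implicit deny at the end of every ACL


def rules_written_for_mapped_addresses(acl: list[AccessRule], nat: list[NatRule]) -> list[AccessRule]:
    """Flag rules that match a mapped address but not its real address (a migration hazard on 8.3+)."""
    flagged = []
    for rule in acl:
        net = ip_network(rule.src)
        if any(ip_address(n.mapped) in net and ip_address(n.real) not in net for n in nat):
            flagged.append(rule)
    return flagged


# Constructed sample: inside host 10.1.1.5 is translated to 203.0.113.5.
NAT = [NatRule(real="10.1.1.5", mapped="203.0.113.5")]
ACL_MAPPED = [AccessRule("permit", "203.0.113.0/24")]  # written in post-NAT terms
ACL_REAL = [AccessRule("permit", "10.1.1.0/24")]       # written in original-address terms
```

On an 8.2 device ACL_MAPPED permits the host, but on 8.3+ the same rule falls through to the implicit deny; the check reports it so it can be rewritten with the real address.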
For more information about NAT, see the following topics:
ASA, PIX, FWSM devices—Understanding Network Address Translation, page 23-2.
IOS devices—NAT Policies on Cisco IOS Routers, page 23-5.