12-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 12 Introduction to Firewall Services
Overview of Firewall Services
ACL Names Preserved by Security Manager
Security Manager tries to preserve user-defined access control list (ACL) names as they appear in device
configurations. Security Manager can preserve the ACL names configured on a device in the following
circumstances:
• If the ACL name is specified in Security Manager.
For access rules policies, you can specify ACL names in Firewall > Settings > Access Control or
Firewall > Settings > IPv6 Access Control. You can specify a given name for a single interface and
direction, but the name is used for any other interfaces and directions that use the same ACL. Keep
in mind that you cannot use the same name as an ACL policy object that you assign to other policies
on the device, and you cannot use the same name for IPv4 and IPv6 ACLs.
Note Prior to the release of Security Manager 4.4 and versions 9.0 and higher of the ASA, separate
pages, policies and policy objects were provided for configuring IPv4 and IPv6 firewall rules
and policies. With Security Manager 4.4 and ASA 9.0+, these policies and policy objects
were combined or unified. However, for the earlier ASA versions, a separate page for IPv6
access rules is still provided in Device view, while in Policy view, IPv4 and unified versions
of the AAA-, access- and inspection-rule policy types are provided.
• If a policy uses an ACL policy object, the name of the policy object is used for the ACL name. ACL
policy objects created during discovery use the name of the ACL defined on the device whenever
possible. Behavior depends on an administrative setting:
– If you select Allow Device Override for Policy Objects in Tools > Security Manager
Administration > Discovery, and a policy object with the same name already exists in Security Manager
but has different content, the name is reused and a device-level override is created.
– If you do not select that option, a new policy object is created with the same name but with a
number appended to it, for example, ACLobject_1. This is the default behavior.
• If you select Reuse Existing Names for the Firewall Access List Names setting in Tools > Security
Manager Administration > Deployment, names defined on the device are reused for firewall rules
that generate ACLs, in the following cases:
– If the ACL is unshared, even if you change the content of the ACL in Security Manager.
– If the ACL is shared, but the policies that share the ACL are defined identically in Security Manager.
If you change the content of the ACL for only some of those policies, one ACL retains the name and the
others are assigned generated names.
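The two naming rules above (the discovery-time collision handling for ACL policy objects, and the Reuse Existing Names rule for shared ACLs) are easy to misread, so here is an added Python simulation of them. This is example code written for this page, not Security Manager's own implementation; the in-memory object store, the per-device override dictionary and the generated-name format (CSM_GENERATED_<name>_<n>) are assumptions made for illustration only.

```python
"""Simulation of the ACL-name reuse rules described above.

Added example, not Security Manager code. The object store, the
override dictionary and the generated-name format are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class ObjectStore:
    """In-memory stand-in for the Security Manager policy-object database."""
    objects: dict = field(default_factory=dict)    # object name -> tuple of ACEs
    overrides: dict = field(default_factory=dict)  # (device, name) -> tuple of ACEs

    def discover(self, device, name, aces, allow_device_override=False):
        """Name chosen for an ACL found on `device` during discovery.

        Returns (object_name, override_created). Mirrors the two settings
        of "Allow Device Override for Policy Objects" in Tools > Security
        Manager Administration > Discovery.
        """
        aces = tuple(aces)
        if name not in self.objects:
            self.objects[name] = aces             # device name reused verbatim
            return name, False
        if self.objects[name] == aces:
            return name, False                    # same content: reuse as-is
        if allow_device_override:
            self.overrides[(device, name)] = aces  # same name, device-level override
            return name, True
        # Default: keep the existing object, create <name>_<n> with the first free n
        n = 1
        while f"{name}_{n}" in self.objects:
            n += 1
        new_name = f"{name}_{n}"
        self.objects[new_name] = aces
        return new_name, False


def deployed_acl_names(acl_name, per_policy_aces, generated_prefix="CSM_GENERATED"):
    """Names deployed for one device ACL shared by several policies, with
    Reuse Existing Names selected.

    `per_policy_aces` maps a policy label (e.g. "inside/in") to the ACEs
    Security Manager will generate for it. If every sharing policy is
    defined identically, all keep the device name; otherwise the first
    keeps it and the rest get generated names. An unshared ACL (one entry)
    therefore always keeps its name, whatever its content.
    The generated-name format is an assumption, not Security Manager's real scheme.
    """
    names = {}
    kept = None
    counter = 0
    for policy, aces in per_policy_aces.items():
        aces = tuple(aces)
        if kept is None:
            kept = aces                           # first policy keeps the device name
            names[policy] = acl_name
        elif aces == kept:
            names[policy] = acl_name              # identical definition: name shared
        else:
            counter += 1                          # diverged: generated name
            names[policy] = f"{generated_prefix}_{acl_name}_{counter}"
    return names


if __name__ == "__main__":
    store = ObjectStore()
    # Constructed sample: three devices discovered with an ACL named ACLobject
    print(store.discover("asa1", "ACLobject", ["permit ip any any"]))
    print(store.discover("asa2", "ACLobject", ["deny ip any any"]))
    print(store.discover("asa3", "ACLobject", ["deny ip any any"], allow_device_override=True))
    print(deployed_acl_names("outside_in", {"outside/in": ["a"], "dmz/in": ["b"]}))
```

Running the block with the constructed sample shows the default behaviour producing ACLobject_1 for the second device, while the override setting keeps the name and records a device-level override instead.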
Note On ASA devices and on PIX devices not running version 6.3(x), Security Manager does not reuse the
ACL name if it is used by a NAT policy static rule and contains an object-group. The ACL is deployed
with the contents of the object-group defined as the source. This is because the device requires that all
ACEs in the ACL have the same source.
Tips
If you use an ACL policy object that uses a name also used by an ACL already defined on the device,
and the existing ACL is for a command that Security Manager does not support, you will get a
deployment error asking you to choose a different name. If this happens, rename the policy object.