16-20
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 16 Managing Firewall Access Rules
Related Topics
• Rule Expiration Page, page 11-48
• Configuring Access Rules, page 16-7
Configuring Settings for Access Control
You can configure various settings that apply to security-device access control lists. These settings work
in conjunction with your access rules policy. The main setting of interest is that you can configure your
own ACL names for each interface/traffic direction combination, or for the global ACL on ASA 8.3+
devices. For PIX, ASA, and FWSM devices, you can also control the maximum number of concurrent
flows and the related syslog interval.
You can also configure an interface to allow per-user downloadable ACLs for PIX, ASA, and FWSM
devices. This allows you to configure user-based ACLs in your AAA server to override the ACLs defined
on a device.
Note With the release of Security Manager 4.4 and versions 9.0 and higher of the ASA, the separate pages for
configuring IPv4 and IPv6 access control were unified. However, for the earlier ASA versions, a separate
page for IPv6 settings is still provided. The following descriptions apply to all versions of the
page, except where noted.
Related Topics
• Configuring Access Rules, page 16-7
Step 1 Do one of the following to open the Access Control Settings Page, page 16-21:
• (Device view) Select Firewall > Settings > Access Control (or Firewall > Settings > IPv6 Access
Control) from the Policies selector.
• (Policy view) Select Firewall > Settings > Access Control (or Firewall > Settings > IPv6 Access
Control) from the Policy Type selector. Select an existing policy or create a new one.
Step 2 Configure the global settings in the top part of the page. For PIX, ASA, and FWSM devices, you can
define the maximum number of concurrent deny flows and the related syslog interval. For ASA 8.3+
devices, you can enable object group search to optimize ACL performance when converting from
Checkpoint, but this setting is not recommended unless you have a memory-constrained device. (Not
available on the IPv6 Access Control page.)
For specific information about these settings, and the platforms that support ACL compilation, see
Access Control Settings Page, page 16-21.
Step 3 For each interface on which you want to configure an ACL name, or enable per-user ACLs, add the
interface to the interfaces table by clicking the Add Row button beneath the table and filling in the
Firewall ACL Setting Dialog Box, page 16-23. Keep the following in mind:
• If you configure an ACL name, the name is applied to the specific interface and direction. Security
Manager creates system-generated names for any interface/direction combinations that you do not
specifically name.
• You can also specify the name of the global ACL for ASA 8.3+ devices.
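The settings described in Steps 2 and 3 map onto a small number of device commands, and the platform restrictions the page states (global ACL and object group search only on ASA 8.3+) are easy to check before deployment. The following is an added example, not code from Security Manager or from this guide; the ASA command syntax, the version tuple format and the placeholder naming scheme for unnamed interface/direction entries are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class InterfaceAcl:
    interface: str                   # device interface name, e.g. "outside"
    direction: str                   # "in" or "out"
    acl_name: Optional[str] = None   # None: Security Manager generates a name
    per_user_override: bool = False  # allow per-user downloadable ACLs from the AAA server

@dataclass
class AccessControlSettings:
    platform: str                          # "asa", "pix" or "fwsm"
    version: Tuple[int, int]               # e.g. (8, 3)
    deny_flow_max: Optional[int] = None    # maximum concurrent deny flows
    alert_interval: Optional[int] = None   # related syslog interval, in seconds
    object_group_search: bool = False      # ASA 8.3+ only
    global_acl: Optional[str] = None       # ASA 8.3+ only
    interfaces: List[InterfaceAcl] = field(default_factory=list)

def validate(s: AccessControlSettings) -> List[str]:
    # Return the constraints from the page that the settings violate (empty list = OK).
    errors = []
    is_asa83 = s.platform == "asa" and s.version >= (8, 3)
    if s.global_acl and not is_asa83:
        errors.append("global ACL requires ASA 8.3+")
    if s.object_group_search and not is_asa83:
        errors.append("object group search requires ASA 8.3+")
    return errors

def render(s: AccessControlSettings) -> List[str]:
    # Device commands; the CLI syntax is assumed from ASA documentation, not taken from this page.
    problems = validate(s)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    if s.deny_flow_max is not None:
        lines.append(f"access-list deny-flow-max {s.deny_flow_max}")
    if s.alert_interval is not None:
        lines.append(f"access-list alert-interval {s.alert_interval}")
    if s.object_group_search:
        lines.append("object-group-search access-control")
    for e in s.interfaces:
        # Placeholder scheme: the page says unnamed entries get system-generated names but not the format.
        name = e.acl_name or f"CSM_{e.interface}_{e.direction}"
        override = " per-user-override" if e.per_user_override else ""
        lines.append(f"access-group {name} {e.direction} interface {e.interface}{override}")
    if s.global_acl:
        lines.append(f"access-group {s.global_acl} global")
    return lines
```

Running `validate` on a settings object for an FWSM or a pre-8.3 ASA with a global ACL set reports the violation instead of producing a command the device would reject.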