User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 16 Managing Firewall Access Rules
Configuring Settings for Access Control
Field Reference
Table 16-6 Firewall ACL Setting Dialog Box

Element: Interface, Global (ASA 8.3+)
Description: Specify whether you are configuring settings for specific interfaces (or interface roles), or for global rules on ASA 8.3+ devices.
If you select Interface, specify the name of the interface or interface role for which you are configuring settings. Enter the name or click Select to select it from a list or to create a new object.
If you select Global, your only option is to specify the name of the global ACL.

Element: Traffic Direction
Description: The direction of the traffic through the interface, In or Out. The settings you configure apply only to this direction, if direction matters.
For global ACLs on ASA 8.3+ devices, the direction is always in.

Element: User Defined ACL Name (checkbox not presented on the IPv6 Access Control page), ACL Name
Description: Whether you want to supply the name for the ACL. If you select this option, enter the name you want to use, which is applied to the ACL generated for the interface and direction combination. The name must be unique on the device.
If you are configuring the name for the global ACL on ASA 8.3+ devices, the option is automatically selected; simply enter the desired name.
If you do not configure a name, Security Manager generates a name for you.

Element: Enable Per User Downloadable ACLs (PIX, ASA, FWSM) (not presented on the IPv6 Access Control page)
Description: Whether to enable the download of per-user ACLs to override the ACLs on the interface. User ACLs are configured in a AAA server; they are not configured in Security Manager. If there are no per-user ACLs, the access rules configured for the interface are applied to the traffic.
The option is configured on the device for the specified interface only when the Traffic Direction is in.

Element: Enable Object Group Search (PIX 6.x) (not presented on the IPv6 Access Control page)
Description: Whether to enable object group search on a PIX 6.x interface, which reduces the memory requirement on the device to hold large ACLs. However, object group search impacts performance by making ACL processing slower for each packet.
Object group search is recommended when you have very large object groups.
Tip: If you are trying to configure object group search on ASA 8.3+ devices, the setting is on the Access Control Settings Page, page 16-21.
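
The following is an added example, not part of the Cisco guide or of Security Manager. It audits the ASA access-group lines that correspond to the settings in the table above, reporting interfaces where per-user ACLs from the AAA server can override the interface ACL and ACL names bound more than once (worth reconciling against the unique-name requirement). The sample configuration and all ACL and interface names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of ASA "access-group" lines (assumption: not taken from the guide).
SAMPLE_CONFIG = """\
access-group OUTSIDE_IN in interface outside per-user-override
access-group DMZ_OUT out interface dmz
access-group SHARED_ACL in interface inside
access-group SHARED_ACL in interface dmz
access-group GLOBAL_ACL global
"""

# access-group <acl> {in|out} interface <if> [per-user-override|control-plane]
# access-group <acl> global
BINDING = re.compile(
    r"^access-group\s+(?P<acl>\S+)\s+(?:(?P<glob>global)|"
    r"(?P<dir>in|out)\s+interface\s+(?P<ifc>\S+)"
    r"(?:\s+(?P<opt>per-user-override|control-plane))?)\s*$")

def parse_bindings(config):
    """Return one dict per access-group line in the configuration text."""
    bindings = []
    for line in config.splitlines():
        m = BINDING.match(line.strip())
        if not m:
            continue  # not an access-group binding
        is_global = m.group("glob") is not None
        bindings.append({
            "acl": m.group("acl"),
            "interface": None if is_global else m.group("ifc"),
            # Global ACLs are always evaluated in the "in" direction.
            "direction": "in" if is_global else m.group("dir"),
            "per_user": m.group("opt") == "per-user-override",
        })
    return bindings

def audit(bindings):
    """Return (interfaces with per-user override, ACL names bound more than once)."""
    per_user = sorted(b["interface"] for b in bindings if b["per_user"])
    uses = defaultdict(int)
    for b in bindings:
        uses[b["acl"]] += 1
    reused = sorted(name for name, n in uses.items() if n > 1)
    return per_user, reused

if __name__ == "__main__":
    print(audit(parse_bindings(SAMPLE_CONFIG)))
```

Each interface in the first list is one where the AAA server's ACL definitions, which Security Manager does not manage, decide what that user's traffic is allowed to do.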