17-12
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 17 Managing Firewall Inspection Rules
Inspection Rules Page
Add or Edit Inspect/Application FW Rule Wizard, Step 2
The options presented on the second page of the Inspect/Application FW Rule Wizard depend on your
Match Traffic By selection on the first page (see Add or Edit Inspect/Application FW Rule Wizard,
page 17-10). The possibilities are as follows:
If you select Default Protocol Ports on the first page and do not select Limit inspection between
source and destination IP addresses, the second page consists of the options described in Add or Edit
Inspect/Application FW Rule Wizard, Inspected Protocol Page, page17-16.
Default Protocol Ports
Limit inspection between
source and destination IP
addresses (PIX 7.x+, ASA,
FWSM 3.x+)
Inspect traffic based on the default ports assigned to a protocol. You
will select a protocol on the next page (Add or Edit Inspect/Application
FW Rule Wizard, Inspected Protocol Page, page 17-16).
You can also select Limit inspection between source and destination
IP addresses to configure the inspection to occur only between a
specified source and destination. Do not select this option if you want
to inspect a protocol without applying any constraints to the inspected
traffic.
If you also select this option, the next page of the wizard is described
in Add or Edit Inspect/Application FW Rule Wizard, Step 2,
page 17-12.
Custom Destination Ports Inspect traffic based on specified non-default TCP or UDP destination
ports. Select this option if you want to associate additional TCP or UDP
traffic with a given protocol, for example, treating TCP traffic on
destination port 8080 as HTTP traffic.
You will specify the protocol and port(s) on the next page of the wizard;
see Add or Edit Inspect/Application FW Rule Wizard, Step 2,
page 17-12.
Destination Address and Port
(IOS devices only)
Inspect traffic on IOS devices based on destination IP address and port.
Select this option if you want to associate additional non-default TCP
or UDP ports with a given protocol only when the traffic is going to
certain destinations, for example, if you want to treat TCP traffic on
destination port 8080 as HTTP only when the traffic is going to server
192.168.1.10.
Source and Destination
Address and Port (PIX 7.x,
ASA, FWSM 3.x)
Inspect traffic on PIX 7.x+, ASA, and FWSM 3.x+ devices based on
source and destination IP addresses and services. Select this option for
the same reason you would select Destination Address and Port for IOS
devices, although you have the additional option of identifying the
source of the traffic.
You will specify the action, sources, destinations, and Services on the
next page of the wizard; see Add or Edit Inspect/Application FW Rule
Wizard, Step 2, page 17-12.
Category The category assigned to the rule. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-12.
Description An optional description of the rule (up to 1024 characters).
Table17-2 Add and Edit Inspect/Application FW Rule Wizard Step 1: Traffic Match Method
Element Description