3. Add rules to the Access List group:
a. Under the Access List name that you defined (in Step 2), click the New Entry
link; the following page appears for defining a rule:
Figure 41-12: Adding an Access List Rules
The Matching' and 'Operation' groups define the operation to be executed when
matching conditions apply.
b. Configure the 'Matching' parameters to define characteristics of the packets
matching the rule:
♦ Source Address: Specify the source address (i.e., computers) of packets
sent or received by the device. Select an address or a name from the list to
apply the rule on the corresponding host, or Any to apply the rule on all the
device's LAN hosts. If you want to add a new address, select User Defined
to add a new Network Object representing the new host (see 'Configuring
Network Objects' on page 580).
♦ Destination Address: Destination address of packets sent or received by
the device. This address can be configured in the same manner as the
source address.
♦ Protocol: Specify a traffic protocol. Selecting Show All Services expands
the list of available protocols. Select a protocol or add a new one by
selecting User Defined to add a new Service representing the protocol (see
'Configuring Protocols' on page 579).
♦ DSCP: Select this check box to display two DSCP fields, which enable you
to specify a hexadecimal DSCP value and its mask assigned to the packets
matching the priority rule.
♦ Priority: Select this check box to display a drop-down list in which you can
select a priority level assigned to the packets matching the priority rule.
c. Configure the 'Operation' parameters to define the action that the rule performs:
♦ Permit Established: Allow access to packets that match the criteria defined.
The data transfer session is handled using Stateful Packet Inspection (SPI),
meaning that other packets matching this rule are automatically allowed
access.
♦ Permit: Allow access to packets that match the criteria defined, without
keeping track of the data transfer session state.
♦ Deny: Deny access to packets that match the source and destination IP
addresses and service ports defined above.
d. Select the 'Log Packets Matched by This Rule' check box to log the first packet
from a connection that was matched by this rule.
To Next Page
Loading...
