Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide
30-11
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 30 Configuring Access Rules
Configuring Access Rules
Step 7 (Optional) In the Description field, add a description for this management access rule.
Step 8 (Optional) If you want to receive log messages for this access rule, check Enable Logging, and then
from the Logging Level drop-down list, choose the log level to apply. The default level is Informational.
Step 9 (Optional) To configure advanced options, click More Options to configure the following settings:
• If you want to turn off this Management Access Rule, uncheck Enable Rule.
• Add a source service in the Source Service field, or click the ellipsis (...) to browse for a service. The destination service and source service must be the same, so copy the value of the destination Service field into the Source Service field.
• To configure the logging interval (if you enable logging and choose a non-default setting), enter a value in seconds in the Logging Interval field.
• To select a predefined time range for this rule, choose a time range from the Time Range drop-down list, or click the ellipsis (...) to browse for a time range. The Add Time Range dialog box appears. For information about adding a time range, see the “Configuring Time Ranges” section on page 13-15.
Step 10 Click OK. The dialog box closes and the Management Access rule is added.
Step 11 Click Apply. The rule is saved in the running configuration.
Note After you create management access rules, you can click the radio buttons at the bottom of the pane to
sort the display and show both IPv4 and IPv6 rules, IPv4 only, or IPv6 only.
Advanced Access Rule Configuration
The Advanced Access Rule Configuration dialog box lets you set access rule logging options.
When you enable logging, if a packet matches the access rule, the adaptive security appliance creates a
flow entry to track the number of packets received within a specific interval. The adaptive security
appliance generates a system log message at the first hit and at the end of each interval, identifying the
total number of hits during the interval and reporting the time of the last hit.
Note ASDM displays the hit count information in the “last rule hit” row. To view the rule hit count and
timestamp, choose Configuration > Firewall > Advanced > ACL Manager, and hover the mouse pointer over
a cell in the ACL Manager table.
At the end of each interval, the adaptive security appliance resets the hit count to 0. If no packets match
the access rule during an interval, the adaptive security appliance deletes the flow entry.
A large number of flows can exist concurrently at any point in time. To prevent unlimited consumption
of memory and CPU resources, the adaptive security appliance limits the number of concurrent deny
flows. The limit applies only to deny flows (not permit flows) because a burst of deny flows can indicate
an attack: without a limit, a denial of service attack could create a very large number of deny flows in a
very short period of time. When the limit is reached, the adaptive security appliance does not create a
new deny flow until existing flows expire.
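The logging behaviour described above (a “first hit” message when a flow is created, then one message per logging interval carrying the hit count for that window, with deny hits being the ones that can indicate an attack) is easiest to see from the receiving side. The following Python script is an added example, not part of this guide or of Cisco's software: it parses the %ASA-x-106100 syslog messages that access rule logging produces, totals hits per rule, action and source address, and flags sources that accumulate denied hits above a threshold, which is the same triage the deny-flow limit performs on the appliance. The sample log lines are constructed for illustration; the rule name MGMT_IN, the addresses, the hash codes and the threshold are all assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Syslog message 106100 is what "Enable Logging" on an access rule produces.
# Format (from Cisco's syslog message reference): "access-list <acl>
# {permitted|denied|est-allowed} <proto> <if>/<src>(<sport>) -> <if>/<dst>(<dport>)
# hit-cnt <n> {first hit | <secs>-second interval} [<hash1>, <hash2>]".
# The severity digit after "%ASA-" follows the Logging Level chosen for the rule.
ACL_LOG_RE = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>[^)]*)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>[^)]*)\) "
    r"hit-cnt (?P<hits>\d+) \(?(?:first hit|(?P<interval>\d+)-second interval)\)? "
    r"\[(?P<hash1>0x[0-9A-Fa-f]+), (?P<hash2>0x[0-9A-Fa-f]+)\]"
)


class AclHit(NamedTuple):
    severity: int
    acl: str
    action: str              # permitted, denied or est-allowed
    proto: str
    src: str
    dst: str
    dport: str
    hits: int                # hit-cnt carried by the message
    interval: Optional[int]  # logging interval in seconds; None on the first-hit message


def parse_line(line: str) -> Optional[AclHit]:
    """Parse one syslog line; return None for anything that is not message 106100."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    interval = m.group("interval")
    return AclHit(
        severity=int(m.group("sev")),
        acl=m.group("acl"),
        action=m.group("action"),
        proto=m.group("proto"),
        src=m.group("src"),
        dst=m.group("dst"),
        dport=m.group("dport"),
        hits=int(m.group("hits")),
        interval=int(interval) if interval is not None else None,
    )


def summarize(lines: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Total hit-cnt per (acl, action, source address).

    The appliance resets its per-flow counter at each interval boundary, so the
    first-hit message (hit-cnt 1) and the per-interval totals add up to a running
    hit count for the flow without double counting across intervals.
    """
    totals: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for line in lines:
        hit = parse_line(line)
        if hit is not None:
            totals[(hit.acl, hit.action, hit.src)] += hit.hits
    return dict(totals)


def flag_deny_sources(lines: Iterable[str], threshold: int) -> List[Tuple[str, int]]:
    """Sources whose denied hits, summed over all rules, reach the threshold.

    Returned as (source, denied_hits), highest count first. This mirrors the
    appliance's own reasoning that a burst of deny flows can indicate an attack.
    """
    per_src: Dict[str, int] = defaultdict(int)
    for (_, action, src), hits in summarize(lines).items():
        if action == "denied":
            per_src[src] += hits
    return sorted(((s, h) for s, h in per_src.items() if h >= threshold),
                  key=lambda sh: (-sh[1], sh[0]))


# Constructed sample log lines (not captured from a real device). The assumed
# rule MGMT_IN permits SSH from one admin host and denies everything else, with
# Enable Logging at level Warnings and a 300-second Logging Interval on the
# deny rule, hence severity 4 on the denied lines.
SAMPLE_LOG = [
    "Jan 10 2011 10:00:01 asa-1 %ASA-6-106100: access-list MGMT_IN permitted tcp outside/203.0.113.10(51234) -> outside/192.0.2.1(22) hit-cnt 1 first hit [0x6c8c2b1f, 0x0]",
    "Jan 10 2011 10:05:01 asa-1 %ASA-6-106100: access-list MGMT_IN permitted tcp outside/203.0.113.10(51234) -> outside/192.0.2.1(22) hit-cnt 4 300-second interval [0x6c8c2b1f, 0x0]",
    "Jan 10 2011 10:01:17 asa-1 %ASA-4-106100: access-list MGMT_IN denied tcp outside/198.51.100.77(40001) -> outside/192.0.2.1(22) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "Jan 10 2011 10:06:17 asa-1 %ASA-4-106100: access-list MGMT_IN denied tcp outside/198.51.100.77(40001) -> outside/192.0.2.1(22) hit-cnt 250 300-second interval [0x1a2b3c4d, 0x0]",
    "Jan 10 2011 10:06:20 asa-1 %ASA-4-106100: access-list MGMT_IN denied tcp outside/198.51.100.77(40002) -> outside/192.0.2.1(443) hit-cnt 1 first hit [0x1a2b3c4e, 0x0]",
    "Jan 10 2011 10:07:02 asa-1 %ASA-4-106100: access-list MGMT_IN denied udp outside/198.51.100.9(5353) -> outside/192.0.2.1(161) hit-cnt 1 first hit [0x99aa0001, 0x0]",
    "Jan 10 2011 10:07:03 asa-1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/51234 (203.0.113.10/51234) to inside:192.0.2.1/22 (192.0.2.1/22)",
]

if __name__ == "__main__":
    for key, hits in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{key[0]} {key[1]:<9} {key[2]:<16} hits={hits}")
    print("sources over deny threshold:", flag_deny_sources(SAMPLE_LOG, 100))
```

Run it as a script to print the per-source totals for the sample, or feed it a syslog file one line at a time. The unrelated 302013 line is skipped rather than rejected, which is the behaviour you want when the same collector receives every message class. Whether the first packet is also counted in the following interval total is not stated on this page, so treat the running totals as accurate to within one hit.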