12-6
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 12 Introduction to Firewall Services
Overview of Firewall Services
Resolving ACL Name Conflicts Between Policies
If an ACL is shared, but the policies that share the ACL are not defined identically in Security Manager,
one policy uses the original name of the ACL and the other policies use a new name generated by
Security Manager. The order of preference for determining which policy uses the original name is as
follows:
Table 12-1 ACL Naming Conventions (Continued)

Policy Type: NAT0 ACLs
Naming Convention:
• Inbound: CSM_nat0_InterfaceName_in
• Outbound: CSM_nat0_InterfaceName

Policy Type: NAT ACLs
Naming Convention:
• Inbound: CSM_nat_InterfaceName_poolID_in
• Outbound: CSM_nat_InterfaceName_poolID
Note For PIX 6.3(x) devices, the following is added to the ACL name: _dns for dns, _nrseq for norandomseq, _emb## for embryonic limit, and _tcp## and _udp## for tcp and udp max connection limits.

Policy Type: NAT Policy Static Translation Rules ACLs
Naming Convention:
• For PIX 6.3(x) devices:
  – For IP: CSM_static_globalIP_LocalInterfaceName_globalInterfaceName
  – For other protocols: CSM_static_globalIP_LocalInterfaceName_globalInterfaceName_protocol_globalPort
• For devices running other OS versions, the localIP string is added:
  – For IP: CSM_static_localIP_globalIP_LocalInterfaceName_globalInterfaceName
  – For other protocols: CSM_static_localIP_globalIP_LocalInterfaceName_globalInterfaceName_protocol_globalPort

Policy Type: AAA ACLs
Naming Convention:
For PIX/ASA/FWSM: CSM_AAA_{AUTHO | ATHEN | ACCT}_InterfaceName_ServerGroupName
Authentication Proxy for IOS devices:
• On an interface without NAC: CSM_AUTH-PROXY_InterfaceName_traffic type_ACL, where InterfaceName is the interface on which the rule is applied and traffic type is HTTP, Telnet, or FTP.
• AuthProxy and NAC on the same interface: CSM_ADMISSION_ID_ACL, where ID is an internal identifier of the interface role within Security Manager to which NAC is applied.

Policy Type: Web Filter Rules ACLs
Naming Convention:
For ASA 7.0+/PIX 7.0+ devices, rules correspond to a filter command.
For IOS devices, a numbered ACL.
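When auditing a device configuration for ACLs that Security Manager renamed or that were never generated by Security Manager at all, it helps to classify each ACL name against the conventions in Table 12-1. The following is an added example written for this page; it is not Cisco's or Security Manager's code. The sample names are constructed, and two assumptions are labelled in the code: that the PIX 6.3(x) option suffixes from the Note are appended at the very end of a NAT ACL name, and that interface and server-group names contain no underscores.

```python
"""Classify firewall ACL names against the Cisco Security Manager (CSM)
naming conventions in Table 12-1 (NAT0, NAT, static translation, AAA,
IOS auth-proxy and NAC admission). Added example, not Cisco code."""
import re
from dataclasses import dataclass, field
from typing import Optional

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# PIX 6.3(x) options from the Note: _dns, _nrseq, _emb##, _tcp##, _udp##.
# Assumption: CSM appends them after the rest of the NAT/NAT0 name.
_PIX63_OPTION = re.compile(r"_(dns|nrseq|emb\d+|tcp\d+|udp\d+)$")
# NAT0/NAT names end in _in when the ACL is applied inbound.
_DIRECTIONAL = re.compile(r"^CSM_(?P<kind>nat0|nat)_(?P<body>.+?)(?P<inbound>_in)?$")
# Assumption: interface names carry no underscore, so [^_]+ isolates them.
_AAA = re.compile(r"^CSM_AAA_(?P<kind>AUTHO|ATHEN|ACCT)_(?P<iface>[^_]+)_(?P<group>.+)$")
_AUTH_PROXY = re.compile(r"^CSM_AUTH-PROXY_(?P<iface>.+)_(?P<traffic>HTTP|Telnet|FTP)_ACL$")
_ADMISSION = re.compile(r"^CSM_ADMISSION_(?P<id>.+)_ACL$")


@dataclass
class AclName:
    name: str
    policy: str                       # table row the name matches, or "unknown"
    direction: Optional[str] = None   # "inbound" / "outbound" for NAT0 and NAT names
    fields: dict = field(default_factory=dict)
    pix63_options: list = field(default_factory=list)


def _strip_pix63_options(name):
    """Peel PIX 6.3(x) option suffixes off the end of a NAT/NAT0 name."""
    opts = []
    while True:
        m = _PIX63_OPTION.search(name)
        if not m:
            return name, list(reversed(opts))
        opts.append(m.group(1))
        name = name[: m.start()]


def _parse_static(body):
    """Parse the text after CSM_static_. One leading IP is the PIX 6.3(x)
    form (globalIP first); two is the localIP_globalIP form used by other
    OS versions. A trailing _protocol_globalPort marks a non-IP rule."""
    parts = body.split("_")
    ips = []
    while parts and _IPV4.match(parts[0]):
        ips.append(parts.pop(0))
    if len(ips) not in (1, 2) or len(parts) not in (2, 4):
        return None
    fields = {"global_ip": ips[-1], "local_interface": parts[0],
              "global_interface": parts[1], "protocol": "ip"}
    if len(ips) == 2:
        fields["local_ip"] = ips[0]
    if len(parts) == 4:
        fields["protocol"], fields["global_port"] = parts[2], parts[3]
    return fields


def classify(name):
    """Map one ACL name to the CSM policy type whose convention it follows."""
    stripped, opts = name, []
    if name.startswith("CSM_nat"):
        stripped, opts = _strip_pix63_options(name)
    m = _DIRECTIONAL.match(stripped)
    if m:
        kind, body = m.group("kind"), m.group("body")
        direction = "inbound" if m.group("inbound") else "outbound"
        if kind == "nat0":
            fields = {"interface": body}
        else:
            iface, sep, pool = body.rpartition("_")   # ..._InterfaceName_poolID
            if not sep or not pool.isdigit():
                return AclName(name, "unknown")
            fields = {"interface": iface, "pool_id": int(pool)}
        return AclName(name, kind, direction, fields, opts)
    if stripped.startswith("CSM_static_"):
        fields = _parse_static(stripped[len("CSM_static_"):])
        return AclName(name, "static", None, fields) if fields else AclName(name, "unknown")
    for policy, pattern in (("aaa", _AAA), ("auth-proxy", _AUTH_PROXY), ("admission", _ADMISSION)):
        m = pattern.match(stripped)
        if m:
            return AclName(name, policy, None, m.groupdict())
    return AclName(name, "unknown")


def summarize(names):
    """Count ACL names per policy type; "unknown" flags ACLs outside any CSM convention."""
    counts = {}
    for n in names:
        policy = classify(n).policy
        counts[policy] = counts.get(policy, 0) + 1
    return counts


SAMPLE_NAMES = [  # constructed names, not taken from a real device
    "CSM_nat0_inside_in",
    "CSM_nat_outside_1",
    "CSM_nat_dmz_2_in_emb100_tcp50",
    "CSM_static_10.1.1.5_192.0.2.5_inside_outside_tcp_443",
    "CSM_static_192.0.2.5_inside_outside",
    "CSM_AAA_ATHEN_inside_TACACS-Servers",
    "CSM_AUTH-PROXY_FastEthernet0/0_HTTP_ACL",
    "CSM_ADMISSION_17_ACL",
    "outside_access_in",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(classify(n))
    print(summarize(SAMPLE_NAMES))
```

Names reported as "unknown" are the ones worth a second look during a review: either they were created outside Security Manager, or they are the renamed copies the section above describes, whose new names no longer match the row that originally generated them.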