Add a Rule to an ASA Access List

You can add rules in ascending order by rule number. Packets will be verified against the rules in the sequence in which the rules were created, with the first rule taking precedence, followed by subsequent rules. You can adjust the position of any rule, if required.

Procedure


Step 1

In the left pane, click Security Devices.

Step 2

Click the ASA tab and select an ASA device by checking the corresponding check box.

Step 3

In the Management pane on the right, click Policy.

Step 4

From the Selected Access List drop-down list, select an access list that you want.

Step 5

Click the Add Rule () icon that is displayed on the right.

Note

In the ordered list, hover over the desired position and click Add Rule Here.

Step 6

In the New Access Rule window, provide the following information:

  • Order: Select where you want to insert the rule in the ordered list of rules. Rules are applied on a first-match basis and prioritized by position in the list of rules from 1 to last.

  • Action: Specify whether you are allowing (permitting) the described traffic or are blocking (dropping) it.

  • Protocol: Specify the protocol of the traffic, such as IP, TCP, UDP, ICMP, or ICMPv6. The default is IP, but you can select a more specific protocol to target traffic with more granularity.

  • Source/Destination: Define the source (originating address) and destination (target address of the traffic flow). You typically configure the IPv4 address of hosts or subnets, which you can represent with network object groups. You can assign only one object to the source or destination. To create a new network object or group, see Create or Edit ASA Network Objects and Network Groups.

  • Port: Select the port object that pairs a service type, such as TCP or UDP, and a port number or a range of port numbers.

  • SGT Group: Assign the security group you want from the list. By default, the value is Any. See Security Group Tags in ASA Policies.

  • Time Range: Define a time range for ASA network policies to allow access to networks and resources based on time of day. See ASA Time Range Objects.

  • Logging: Activity resulting from a network policy rule is not logged by default. You can activate logging for individual rules. See Log Rule Activity.

Step 7

Click Save.

The rule is added to the access list and set to Active state.

Step 8

Review and deploy the changes you made now, or wait and deploy multiple changes.