Configure Webtype ACLs; Add a Webtype ACE for URL Matching - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Configure ACLs

Configure Webtype ACLs

Webtype ACLs are used for filtering clientless SSL VPN traffic, constraining user access to specific
networks, subnets, hosts, and Web servers. If you do not define a filter, all connections are allowed. A
webtype ACL is composed of all ACEs with the same ACL ID or name.
With webtype ACLs, you can match traffic based on URLs or on destination addresses. A single ACE
cannot mix these two specifications. The following sections explain each type of ACE:
Add a Webtype ACE for URL Matching, page 3-14
Adding a Webtype ACE for IP Address Matching, page 3-15
Examples for Webtype ACLs, page 3-16

Add a Webtype ACE for URL Matching

To match traffic based on the URL the user is trying to access, use the following command:
access-list access_list_name webtype {deny | permit} url {url_string | any}
[log [[level] [interval secs] | disable | default]]
[time_range time_range_name]
[inactive]
Example:
hostname(config)# access-list acl_company webtype deny url http://*.example.com
The options are:
access_list_name—The name of the new or existing ACL. If the ACL already exists, you are adding
the ACE to the end of the ACL. ACEs are evaluated in order and the first match wins, so the
position of a new ACE relative to the existing ones matters.
Permit or Deny—The deny keyword denies or exempts a packet if the conditions are matched. The
permit keyword permits or includes a packet if the conditions are matched.
URL—The url keyword specifies the URL to match. Use url any to match all URL-based traffic.
Otherwise, enter a URL string, which can include wildcards. Following are some tips and limitations
on specifying URLs:
Specify any to match all URLs.
permit url any allows every URL of the form protocol://server-ip/path, but traffic that does not
match that pattern, such as port-forwarding, is not matched and falls through to the implicit deny
at the end of the ACL. Add an ACE that allows connections to the required port (port 1494 in the
case of Citrix) so that the implicit deny does not occur.
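The following is an added example, not taken from the Cisco guide, that puts the URL-matching command and the port-forwarding caveat above together into one complete webtype ACL and applies it to a clientless SSL VPN group policy. The ACL name acl_company and the URL are the ones used on this page; the group-policy name GP-CLIENTLESS, the 10.1.1.0/24 subnet, the https deny, the tcp/eq form of the IP-matching ACE, and the filter value application step are assumptions for illustration and should be checked against the command reference for your ASA release.

```text
! Added example (not from the Cisco guide). Names, addresses and the
! group-policy step are assumptions; verify against your release.

! 1. Specific denies first. A new ACE is appended to the end of the ACL
!    and the first match wins, so a deny placed after "permit url any"
!    would never be reached. The URL string includes the scheme, so
!    http and https need separate ACEs (https ACE assumed).
access-list acl_company webtype deny url http://*.example.com log
access-list acl_company webtype deny url https://*.example.com log

! 2. Permit everything that has the form protocol://server-ip/path.
access-list acl_company webtype permit url any

! 3. "permit url any" carries no URL match for port-forwarding, so the
!    Citrix port needs its own IP-matching ACE or it hits the implicit
!    deny (subnet and "eq 1494" form are assumptions).
access-list acl_company webtype permit tcp 10.1.1.0 255.255.255.0 eq 1494

! 4. Apply the webtype ACL to the clientless SSL VPN group policy
!    (filter value in group-policy webvpn mode; assumed step).
group-policy GP-CLIENTLESS attributes
 webvpn
  filter value acl_company

! 5. Check: per-ACE hit counts show whether a test connection matched the
!    deny, the "url any" permit, or the tcp/1494 ACE rather than falling
!    through to the implicit deny.
show access-list acl_company
```

Reading the hit counts after a test session is the quickest way to confirm the ordering: a blocked *.example.com request should increment the deny ACEs, an ordinary portal request the url any ACE, and a Citrix port-forward the tcp/1494 ACE. A port-forward that increments nothing is landing on the implicit deny, which is exactly the failure mode the caveat describes.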
