Configure Ethertype Acls - Cisco ASA Series Configuration Manual
Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs
Also See for ASA Series:
- Cli configuration manual (2164 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Chapter 3
Access Control Lists
•
•
•
•
To match any http URL, you must enter http://*/* instead of http://*.
Note
The following example shows how to enforce a webtype ACL to disable access to specific CIFS shares.
In this scenario we have a root folder named "shares" that contains two sub-folders named
"Marketing_Reports" and "Sales_Reports." We want to specifically deny access to the
"shares/Marketing_Reports" folder.
access-list CIFS_Avoid webtype deny url cifs://172.16.10.40/shares/Marketing_Reports.
However, due to the implicit "deny all" at the end of the ACL, the above ACL makes all of the
sub-folders inaccessible ("shares/Sales_Reports" and "shares/Marketing_Reports"), including the root
folder ("shares").
To fix the problem, add a new ACL to allow access to the root folder and the remaining sub-folders:
access-list CIFS_Allow webtype permit url cifs://172.16.10.40/shares*
Configure EtherType ACLs
EtherType ACLs apply to non-IP layer-2 traffic in transparent firewall mode. You can use these rules to
permit or drop traffic based on the EtherType value in the layer-2 packet. With EtherType ACLs, you can
control the flow of non-IP traffic across the ASA. Note that 802.3-formatted frames are not handled by
the ACL because they use a length field as opposed to a type field.
To add an EtherType ACE, use the following command:
access-list access_list_name ethertype {deny | permit}
{ipx | bpdu | mpls-unicast | mpls-multicast | isis | any | hex_number}
Example:
hostname(config)# access-list ETHER ethertype deny ipx
The following example matches URLs such as http://www.example.com and
ftp://wwz.example.com:
access-list test webtype permit url *://ww?.e*co*/
The following example matches URLs such as http://www.cisco.com:80 and
https://www.cisco.com:81:
access-list test webtype permit url *://ww?.c*co*:8[01]/
The range operator "[]" in the preceding example specifies that either character 0 or 1 can occur at
that location.
The following example matches URLs such as http://www.example.com and
http://www.example.net:
access-list test webtype permit url http://www.[a-z]xample?*/
The range operator "[]" in the preceding example specifies that any character in the range from a to
z can occur.
The following example matches http or https URLs that include "cgi" somewhere in the file name
or path.
access-list test webtype permit url htt*://*/*cgi?*
Cisco ASA Series Firewall CLI Configuration Guide
Configure ACLs
3-17
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
