3-15
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 3 Access Control Lists
Configure ACLs
– Smart tunnel and ica plug-ins are not affected by an ACL with ‘permit url any’ because they match smart-tunnel:// and ica:// types only.
– You can use these protocols: cifs://, citrix://, citrixs://, ftp://, http://, https://, imap4://, nfs://, pop3://, smart-tunnel://, and smtp://. You can also use wildcards in the protocol; for example, htt* matches http and https, and an asterisk * matches all protocols. For example, *://*.example.com matches any type of URL-based traffic to the example.com network.
– If you specify a smart-tunnel:// URL, you can include the server name only. The URL cannot contain a path. For example, smart-tunnel://www.example.com is acceptable, but smart-tunnel://www.example.com/index.html is not.
– An asterisk * matches none or any number of characters. To match any http URL, enter http://*/*.
– A question mark ? matches any one character exactly.
– Square brackets [] are range operators, matching any character in the range. For example, to match both http://www.cisco.com:80/ and http://www.cisco.com:81/, enter http://www.cisco.com:8[01]/.
• Logging—log arguments set logging options when an ACE matches a packet. If you enter the log
option without any arguments, you enable syslog message 106102 at the default level (6) and for the
default interval (300 seconds). Log options are:
– level—A severity level between 0 and 7. The default is 6.
– interval secs—The time interval in seconds between syslog messages, from 1 to 600. The default is 300.
– disable—Disables all ACL logging.
– default—Enables logging to message 106103. This setting is the same as not including the log option.
• Time Range—The time-range time_range_name option specifies a time range object, which
determines the times of day and days of the week in which the ACE is active. If you do not include
a time range, the ACE is always active.
• Activation—Use the inactive option to disable the ACE without deleting it. To reenable it, enter the
entire ACE without the inactive keyword.
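The URL wildcard rules above (* for zero or more characters, ? for exactly one, [] for a character range, wildcards allowed in the protocol part, and no path after a smart-tunnel:// server name) can be checked offline before an ACE is committed. The following Python matcher is an added illustration, not part of the Cisco guide or the ASA software; its regex translation of the pattern syntax is an assumption drawn only from the rules stated on this page.

```python
import re

# Protocols the guide lists as usable in webtype URL patterns.
PROTOCOLS = ("cifs", "citrix", "citrixs", "ftp", "http", "https", "imap4",
             "nfs", "pop3", "smart-tunnel", "smtp")


def webtype_to_regex(pattern: str) -> re.Pattern:
    """Translate a webtype URL pattern into a regular expression:
    '*' matches zero or more characters, '?' exactly one, '[...]' any one
    character in the bracketed range; everything else is literal."""
    parts, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            parts.append(".*")
        elif c == "?":
            parts.append(".")
        elif c == "[" and (j := pattern.find("]", i + 1)) != -1:
            # Keep the range body as written; neutralise regex-only meanings.
            body = pattern[i + 1:j].replace("\\", "\\\\")
            parts.append("[" + ("\\" + body if body.startswith("^") else body) + "]")
            i = j
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("".join(parts))


def url_matches(pattern: str, url: str) -> bool:
    """True if the whole URL matches the webtype pattern (assumed full-string match)."""
    return webtype_to_regex(pattern).fullmatch(url) is not None


def validate_pattern(pattern: str):
    """Return None if the pattern obeys the guide's rules, else the reason it does not."""
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        return "pattern must start with a protocol followed by '://'"
    scheme_re = webtype_to_regex(scheme)  # wildcards are allowed in the protocol part
    if not any(scheme_re.fullmatch(p) for p in PROTOCOLS):
        return f"protocol pattern {scheme!r} matches none of the supported protocols"
    if scheme == "smart-tunnel" and "/" in rest:
        return "smart-tunnel:// URLs may contain only a server name, not a path"
    return None
```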
Adding a Webtype ACE for IP Address Matching
You can match traffic based on the destination address the user is trying to access. The webtype ACL
can include a mix of IPv4 and IPv6 addresses in addition to URL specifications.
To add a webtype ACE for IP address matching, use the following command:
access-list access_list_name webtype {deny | permit} tcp dest_address_argument [operator port]
[log [[level] [interval secs] | disable | default]] [time-range time_range_name] [inactive]
Example:
hostname(config)# access-list acl_company webtype permit tcp any