3-17
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 3 Access Control Lists
Configure ACLs
• The following example matches URLs such as http://www.example.com and
ftp://wwz.example.com:
access-list test webtype permit url *://ww?.e*co*/
• The following example matches URLs such as http://www.cisco.com:80 and
https://www.cisco.com:81:
access-list test webtype permit url *://ww?.c*co*:8[01]/
The range operator “[]” in the preceding example specifies that either character 0 or 1 can occur at
that location.
• The following example matches URLs such as http://www.example.com and
http://www.example.net:
access-list test webtype permit url http://www.[a-z]xample?*/
The range operator “[]” in the preceding example specifies that any character in the range from a to
z can occur.
• The following example matches http or https URLs that include “cgi” somewhere in the file name
or path.
access-list test webtype permit url htt*://*/*cgi?*
Note To match any http URL, you must enter http://*/* instead of http://*.
The following example shows how to enforce a webtype ACL to disable access to specific CIFS shares.
In this scenario we have a root folder named “shares” that contains two sub-folders named
“Marketing_Reports” and “Sales_Reports.” We want to specifically deny access to the
“shares/Marketing_Reports” folder.
access-list CIFS_Avoid webtype deny url cifs://172.16.10.40/shares/Marketing_Reports.
However, due to the implicit “deny all” at the end of the ACL, the above ACL makes all of the
sub-folders inaccessible (“shares/Sales_Reports” and “shares/Marketing_Reports”), including the root
folder (“shares”).
To fix the problem, add a new ACL to allow access to the root folder and the remaining sub-folders:
access-list CIFS_Allow webtype permit url cifs://172.16.10.40/shares*
Configure EtherType ACLs
EtherType ACLs apply to non-IP layer-2 traffic in transparent firewall mode. You can use these rules to
permit or drop traffic based on the EtherType value in the layer-2 packet. With EtherType ACLs, you can
control the flow of non-IP traffic across the ASA. Note that 802.3-formatted frames are not handled by
the ACL because they use a length field as opposed to a type field.
To add an EtherType ACE, use the following command:
access-list access_list_name ethertype {deny | permit}
{ipx | bpdu | mpls-unicast | mpls-multicast | isis | any | hex_number}
Example:
hostname(config)# access-list ETHER ethertype deny ipx
To Next Page
Loading...
Need help?
General