16-10
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 16 Identifying Traffic with Access Lists
Adding a Webtype Access List
To add a webtype access list, which filters WebVPN traffic by URL, to the configuration, enter the following command:
hostname(config)# access-list access_list_name webtype {deny | permit} url [url_string | any]
For information about logging options that you can add to the end of the ACE, see the “Logging Access List Activity” section on page 16-18.
Simplifying Access Lists with Object Grouping
This section describes how to use object grouping to simplify access list creation and maintenance.
This section includes the following topics:
• How Object Grouping Works, page 16-10
• Adding Object Groups, page 16-11
• Nesting Object Groups, page 16-14
• Displaying Object Groups, page 16-16
• Removing Object Groups, page 16-16
• Using Object Groups with an Access List, page 16-15
How Object Grouping Works
By grouping like objects together, you can reference the object group in a single ACE instead of entering a separate ACE for each object. You can create the following types of object groups:
• Protocol
• Network
• Service
• ICMP type
For example, consider the following three object groups:
• MyServices—Includes the TCP and UDP port numbers of the service requests that are allowed access to the internal network
• TrustedHosts—Includes the host and network addresses allowed access to the greatest range of services and servers
• PublicServers—Includes the host addresses of servers to which the greatest access is provided
After creating these groups, you could use a single ACE to allow trusted hosts to make specific service requests to a group of public servers.
You can also nest object groups in other object groups.
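The following Python script is an added illustration of how object grouping and nesting work; it is not Cisco code and does not ship with the security appliance. It parses a small, constructed configuration fragment in the object-group style the guide describes (the group names MyServices, TrustedHosts and PublicServers are taken from the example above; the addresses, ports, the nested group AdminNet and the ACL name ACL_IN are assumptions) and expands the single object-group ACE into the flat per-object ACEs it stands for, so a reviewer can see exactly what one compact line permits.

```python
"""Expand object-group based ACEs into the flat per-object ACEs they stand for.

Added illustration of how object grouping works; not Cisco's code. The
configuration text below is constructed for this example: group names come
from the guide, while the addresses, ports, the nested group AdminNet and the
ACL name ACL_IN are assumptions.
"""
from itertools import product

# Constructed sample: a nested network group (AdminNet inside TrustedHosts),
# a TCP service group, and one ACE that references all three groups.
SAMPLE_CONFIG = """\
object-group service MyServices tcp
 port-object eq 80
 port-object eq 443
object-group network AdminNet
 network-object 10.1.2.0 255.255.255.0
object-group network TrustedHosts
 network-object host 10.1.1.10
 group-object AdminNet
object-group network PublicServers
 network-object host 192.168.100.5
 network-object host 192.168.100.6
access-list ACL_IN extended permit tcp object-group TrustedHosts object-group PublicServers object-group MyServices
"""


def parse_config(text):
    """Return (groups, aces).

    groups maps a group name to its member list; a member is
    ('net', 'host 10.1.1.10'), ('port', 'eq 80') or ('group', 'AdminNet').
    aces is a list of token lists, one per access-list line.
    """
    groups, aces, current = {}, [], None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "object-group":
            current = groups.setdefault(parts[2], [])
        elif parts[0] == "network-object" and current is not None:
            current.append(("net", " ".join(parts[1:])))
        elif parts[0] == "port-object" and current is not None:
            current.append(("port", " ".join(parts[1:])))
        elif parts[0] == "group-object" and current is not None:
            current.append(("group", parts[1]))
        elif parts[0] == "access-list":
            aces.append(parts[1:])
            current = None
    return groups, aces


def flatten(groups, name, seen=None):
    """Resolve a group to its leaf members, recursing into nested groups.

    A group that (directly or indirectly) contains itself raises ValueError
    instead of recursing forever.
    """
    seen = set() if seen is None else seen
    if name in seen:
        raise ValueError(f"nested object groups form a cycle at {name}")
    seen.add(name)
    members = []
    for kind, value in groups[name]:
        if kind == "group":
            members.extend(flatten(groups, value, seen))
        else:
            members.append(value)
    seen.remove(name)
    return members


def expand_ace(groups, ace_tokens):
    """Return the flat ACEs (one per member combination) that one ACE covers.

    Every 'object-group NAME' pair becomes a slot holding the group's leaf
    members; every other token is a slot with a single value. The cartesian
    product of the slots is the set of ACEs the appliance effectively applies.
    """
    slots, i = [], 0
    while i < len(ace_tokens):
        if ace_tokens[i] == "object-group":
            slots.append(flatten(groups, ace_tokens[i + 1]))
            i += 2
        else:
            slots.append([ace_tokens[i]])
            i += 1
    return [" ".join(combo) for combo in product(*slots)]


def expansion_report(text=SAMPLE_CONFIG):
    """Return (number of configured ACEs, list of flat ACEs they expand to)."""
    groups, aces = parse_config(text)
    flat = [line for ace in aces for line in expand_ace(groups, ace)]
    return len(aces), flat


if __name__ == "__main__":
    configured, flat = expansion_report()
    print(f"{configured} configured ACE(s) expand to {len(flat)} flat ACE(s):")
    for line in flat:
        print("  access-list", line)
```

Running the script shows that the one configured ACE stands for eight flat ACEs (two trusted sources, including the one reached through the nested AdminNet group, times two public servers times two service ports). Reviewing the expanded list is a quick way to confirm that a compact group-based ACE does not grant more access than intended, and the cycle check in flatten guards the expansion against a group that nests itself.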