Cisco ASA 5505 Configuration Manual page 1747

Appendix B
Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server

Cisco AV Pairs ACL Examples

Table B-4 shows examples of Cisco AV pairs and describes the allow or deny actions that result.

Note: Each ACL # in inacl# must be unique. However, they do not need to be sequential (i.e. 1, 2, 3, 4). For example, they could be 5, 45, 135.

Table B-4 Examples of Cisco AV Pairs and their Permitting or Denying Action

Cisco AV Pair Example:
  ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log
Permitting or Denying Action:
  Allows IP traffic between the two hosts using full tunnel IPsec or SSL VPN client.

Cisco AV Pair Example:
  ip:inacl#2=permit TCP any host 10.160.0.1 eq 80 log
Permitting or Denying Action:
  Allows TCP traffic from all hosts to the specific host on port 80 only, using full tunnel IPsec or SSL VPN client.

Cisco AV Pair Example:
  webvpn:inacl#1=permit url http://www.website.com
  webvpn:inacl#2=deny url smtp://server
  webvpn:inacl#3=permit url cifs://server/share
Permitting or Denying Action:
  Allows clientless traffic to the URL specified, denies SMTP traffic to a specific server, and allows file share access (CIFS) to the specified server.

Cisco AV Pair Example:
  webvpn:inacl#1=permit tcp 10.86.1.2 eq 2222 log
  webvpn:inacl#2=deny tcp 10.86.1.2 eq 2323 log
Permitting or Denying Action:
  Denies telnet and permits SSH on non-default ports 2323 and 2222, respectively.

Cisco AV Pair Example:
  webvpn:inacl#1=permit url ssh://10.86.1.2
  webvpn:inacl#35=permit tcp 10.86.1.5 eq 22 log
  webvpn:inacl#48=deny url telnet://10.86.1.2
  webvpn:inacl#100=deny tcp 10.86.1.6 eq 23
Permitting or Denying Action:
  Allows SSH to default port 22 and denies telnet to default port 23. For this example, we assume you are using the telnet/SSH Java plugins enforced by these ACLs.

Guidelines for using Cisco-AV Pairs (ACLs)

Use Cisco-AV pair entries with the ip:inacl# prefix to enforce access lists for remote IPsec and SSL VPN Client (SVC) tunnels.

Use Cisco-AV pair entries with the webvpn:inacl# prefix to enforce access lists for SSL VPN clientless (browser-mode) tunnels.

For Webtype ACLs, you do not specify the source, because the adaptive security appliance is the source.

URL Types supported in ACLs

The URL may be a partial URL, contain wildcards for the server, or contain a port. The following URL types are supported:

  any          All URLs
  cifs://
  citrix://
  citrixs://
  ftp://
  http://
  https://
  ica://
  imap4://
  nfs://
  pop3://
  post://
  rdp://
  sametime://
  smart-tunnel://
  smtp://
  ssh://
  telnet://
  tn3270://
  tn5250://
  vnc://

Note: The URLs listed above appear in CLI or ASDM menus based on whether the associated plugin is enabled.

Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page B-15
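The following is an added example, not part of the Cisco guide: a small Python validator that parses ip:inacl# and webvpn:inacl# AV pairs in the format shown in Table B-4, rejects duplicate ACL numbers within a prefix (numbers must be unique but need not be sequential), and rejects url rules whose scheme is not in the supported list above. The function names and the check that url rules are paired only with the webvpn:inacl# prefix are this example's own assumptions.

```python
import re
from typing import Dict, List

# URL types the guide lists as supported in Webtype ACLs ("any" matches all URLs).
SUPPORTED_URL_TYPES = {
    "any", "cifs", "citrix", "citrixs", "ftp", "http", "https", "ica", "imap4",
    "nfs", "pop3", "post", "rdp", "sametime", "smart-tunnel", "smtp", "ssh",
    "telnet", "tn3270", "tn5250", "vnc",
}

# <prefix>:inacl#<number>=<permit|deny> <rule text>
AV_PAIR_RE = re.compile(
    r"^(?P<prefix>ip|webvpn):inacl#(?P<num>\d+)=(?P<action>permit|deny)\s+(?P<rule>.+)$"
)


def parse_av_pair(entry: str) -> Dict[str, object]:
    """Split one AV pair into prefix, ACL number, action and rule text."""
    m = AV_PAIR_RE.match(entry.strip())
    if not m:
        raise ValueError(f"not a Cisco AV-pair ACL entry: {entry!r}")
    prefix, num, action, rule = m.group("prefix", "num", "action", "rule")
    tokens = rule.split()
    if tokens[0] == "url":
        # Assumption of this example: url (Webtype) rules belong to clientless tunnels only.
        if prefix != "webvpn":
            raise ValueError(f"url rules require the webvpn:inacl# prefix: {entry!r}")
        target = tokens[1] if len(tokens) > 1 else ""
        scheme = target if target == "any" else target.split("://", 1)[0]
        if scheme not in SUPPORTED_URL_TYPES or (target != "any" and "://" not in target):
            raise ValueError(f"unsupported URL type in {entry!r}")
    return {"prefix": prefix, "num": int(num), "action": action, "rule": rule}


def validate_av_pairs(entries: List[str]) -> List[Dict[str, object]]:
    """Parse one profile's AV pairs; ACL numbers must be unique per prefix."""
    seen, parsed = set(), []
    for entry in entries:
        acl = parse_av_pair(entry)
        key = (acl["prefix"], acl["num"])
        if key in seen:
            raise ValueError(f"duplicate ACL number {acl['num']} for {acl['prefix']}:inacl#")
        seen.add(key)
        parsed.append(acl)
    return parsed


# Entries taken from the last Table B-4 row; numbers 1, 35, 48, 100 are non-sequential.
TABLE_B4_PROFILE = [
    "webvpn:inacl#1=permit url ssh://10.86.1.2",
    "webvpn:inacl#35=permit tcp 10.86.1.5 eq 22 log",
    "webvpn:inacl#48=deny url telnet://10.86.1.2",
    "webvpn:inacl#100=deny tcp 10.86.1.6 eq 23",
]

if __name__ == "__main__":
    for acl in validate_av_pairs(TABLE_B4_PROFILE):
        print(acl)
```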
