Adding A Webtype Ace For Ip Address Matching - Cisco ASA Series Configuration Manual
Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs
Also See for ASA Series:
- Cli configuration manual (2164 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Chapter 3
Access Control Lists
•
•
•
Adding a Webtype ACE for IP Address Matching
You can match traffic based on the destination address the user is trying to access. The webtype ACL
can include a mix of IPv4 and IPv6 addresses in addition to URL specifications.
To add a webtype ACE for IP address matching, use the following command:
access-list access_list_name webtype {deny | permit}
tcp dest_address_argument [operator port]
[log [[level] [interval secs] | disable | default]]
[time_range time_range_name]]
[inactive]]
Example:
hostname(config)# access-list acl_company webtype permit tcp any
Smart tunnel and ica plug-ins are not affected by an ACL with 'permit url any' because they
–
match smart-tunnel:// and ica:// types only.
–
You can use these protocols: cifs://, citrix://, citrixs://, ftp://, http://, https://, imap4://, nfs://,
pop3://, smart-tunnel://, and smtp://. You can also use wildcards in the protocol; for example,
htt* matches http and https, and an asterisk * matches all protocols. For example,
*://*.example.com matches any type URL-based traffic to the example.com network.
If you specify a smart-tunnel:// URL, you can include the server name only. The URL cannot
–
contain a path. For example, smart-tunnel://www.example.com is acceptable, but
smart-tunnel://www.example.com/index.html is not.
An asterisk * matches none or any number of characters. To match any http URL, enter
–
http://*/*.
A question mark ? matches any one character exactly.
–
Square brackets [] are range operators, matching any character in the range. For example, to
–
match both http://www.cisco.com:80/ and http://www.cisco.com:81/, enter
http://www.cisco.com:8[01]/.
Logging—log arguments set logging options when an ACE matches a packet. If you enter the log
option without any arguments, you enable syslog message 106102 at the default level (6) and for the
default interval (300 seconds). Log options are:
level—A severity level between 0 and 7. The default is 6.
–
interval secs—The time interval in seconds between syslog messages, from 1 to 600. The
–
default is 300.
disable—Disables all ACL logging.
–
default—Enables logging to message 106103. This setting is the same as not including the log
–
option.
Time Range—The time-range time_range_name option specifies a time range object, which
determines the times of day and days of the week in which the ACE is active. If you do not include
a time range, the ACE is always active.
Activation—Use the inactive option to disable the ACE without deleting it. To reenable it, enter the
entire ACE without the inactive keyword.
Cisco ASA Series Firewall CLI Configuration Guide
Configure ACLs
3-15
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
