Cisco PIX 500 Series Configuration Manual page 1005

Appendix B
Sample Configurations
access-list maia2 remark -Permits access to the site using ssh.
access-list maia2 remark -To be enforced via Port-Forwarding application.
access-list maia2 webtype permit tcp asa-35.example.com 255.255.255.255 eq ssh
access-list maia2 remark -Denies access to the application on port 1533.
access-list maia2 webtype deny tcp im.example.com 255.255.255.255 eq 1533
access-list maia2 remark -Permits access to files on this file share via
access-list maia2 remark -WebVPN Common Internet File System (CIFS).
access-list maia2 webtype permit url cifs://server-bos/people/mkting log informational 3600
Step 3   You can configure a list of preconfigured URLs that are presented on the clientless SSL VPN user's home page after login; these are defined per user or per group.

url-list HomeURL "Sales" https://sales.example.com
url-list HomeURL "VPN3000-1" http://vpn3k-1.example.com
url-list HomeURL "OWA-2000" http://10.160.105.2/exchange
url-list HomeURL "Exchange5.5" http://10.86.195.113/exchange
url-list HomeURL "Employee Benefits" http://benefits.example.com
url-list HomeURL "Calendar" http://eng.example.com/cal.html
Step 4   Configure a list of non-web TCP applications that will be port-forwarded over clientless SSL VPN. The list is defined globally but can be enforced per user or per group-policy.

port-forward Apps1 4001 10.148.1.81 telnet term-servr
port-forward Apps1 4008 router1-example.com ssh
port-forward Apps1 10143 flask.example.com imap4
port-forward Apps1 10110 flask.example.com pop3
port-forward Apps1 10025 flask.example.com smtp
port-forward Apps1 11533 sametime-im.example.com 1533
port-forward Apps1 10022 secure-term.example.com ssh
port-forward Apps1 21666 tuscan.example.com 1666 perforce-f1
port-forward Apps1 1030 sales.example.com https
Step 5   Configure the policy attributes enforced for users of the SSLVPNusers group-policy.

group-policy SSLVPNusers internal
group-policy SSLVPNusers attributes
 banner value Welcome to Web Services !!!
 vpn-idle-timeout 2
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  url-list value HomeURL
  port-forward value Apps1

Step 6   Next, configure the interface(s) where ASDM and clientless SSL VPN HTTPS sessions will terminate.

! Enables the HTTP server to allow ASDM and WebVPN HTTPS sessions.
http server enable
! Allows ASDM session(s) from host 10.20.30.47 on the inside interface
http 10.10.10.45 inside
! Allows WebVPN sessions on the outside interface using HTTP to be redirected to HTTPS.
http redirect outside 80
! Allows WebVPN sessions on the dmz1 interface using HTTP to be redirected to HTTPS.
http redirect dmz161 80

Step 7   Next, allow HTTPS ASDM and clientless SSL VPN sessions to terminate on the security appliance using the 3DES-SHA1 cipher. This requires that a proper 3DES activation key was previously installed.

ssl encryption 3des-sha1
ssl trust-point CA-MS inside

Step 8   Finally, configure the email proxy settings.

imap4s

Example 5: Clientless SSL VPN Configuration
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page B-17
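The statements in Steps 2 through 5 above reference each other by name: the group-policy's webvpn sub-mode binds a url-list, a port-forward list and (via the filter value command, which is not shown on this page) a webtype access-list, and a typo in any of those names or URLs silently leaves users without the intended access or, worse, without the intended restriction. The following Python script is an added example, not code from the Cisco guide or the security appliance: it parses those statement types out of a running-config and reports dangling references, malformed url-list URLs, duplicate local ports inside one port-forward list, and policies that bind webvpn objects without allowing the webvpn tunnel protocol. The embedded configuration is constructed in the style of Example 5 (with a doubled "http://" scheme, a repeated local port and an undefined list name planted deliberately); the names parse_config, lint, REFERENCE_KINDS and SAMPLE_CONFIG are this example's own.

```python
"""Lint the clientless SSL VPN statements of an ASA/PIX configuration.

Added example, not code from the Cisco guide.  It parses url-list,
port-forward, webtype access-list and group-policy webvpn lines and
reports: references to lists or ACLs that are never defined, url-list
entries whose URL is malformed, duplicate local ports inside one
port-forward list, and policies that bind webvpn objects without
allowing the webvpn tunnel protocol.
"""
import shlex
from urllib.parse import urlsplit

# Constructed sample in the style of the guide's Example 5.  The doubled
# scheme in the Calendar URL, the repeated local port 4008 and the
# reference to the undefined list "Apps2" are deliberate test cases.
SAMPLE_CONFIG = """\
access-list maia2 remark -Permits access to the site using ssh.
access-list maia2 webtype permit tcp asa-35.example.com 255.255.255.255 eq ssh
access-list maia2 webtype deny tcp im.example.com 255.255.255.255 eq 1533
access-list maia2 webtype permit url cifs://server-bos/people/mkting log informational 3600
url-list HomeURL "Sales" https://sales.example.com
url-list HomeURL "OWA-2000" http://10.160.105.2/exchange
url-list HomeURL "Calendar" http://http://eng.example.com/cal.html
port-forward Apps1 4001 10.148.1.81 telnet term-servr
port-forward Apps1 4008 router1-example.com ssh
port-forward Apps1 10022 secure-term.example.com ssh
port-forward Apps1 4008 sales.example.com https
group-policy SSLVPNusers internal
group-policy SSLVPNusers attributes
 vpn-idle-timeout 2
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  url-list value HomeURL
  port-forward value Apps2
  filter value maia2
"""

# webvpn sub-mode keyword -> the table that must contain the referenced name
REFERENCE_KINDS = {"url-list": "url_lists", "port-forward": "port_forwards",
                   "filter": "webtype_acls"}


def parse_config(text):
    """Collect the defined objects and, per group-policy, the webvpn references."""
    cfg = {"url_lists": {}, "port_forwards": {}, "webtype_acls": {}, "policies": {}}
    policy = None  # group-policy whose attributes sub-mode we are currently inside
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):      # sub-mode commands are indented; a
            policy = None                # flush-left line ends the sub-mode
        try:
            t = shlex.split(raw)         # honours the quoted url-list display name
        except ValueError:               # e.g. an apostrophe inside a remark
            t = raw.split()
        if policy and len(t) >= 3 and t[1] == "value" and t[0] in REFERENCE_KINDS:
            cfg["policies"][policy]["refs"].append((t[0], t[2]))
        elif policy and t[0] == "vpn-tunnel-protocol":
            cfg["policies"][policy]["protocols"] = {p.lower() for p in t[1:]}
        elif t[0] == "group-policy" and t[-1] == "attributes":
            policy = t[1]
            cfg["policies"].setdefault(policy, {"refs": [], "protocols": None})
        elif t[0] == "url-list" and len(t) >= 4:
            cfg["url_lists"].setdefault(t[1], []).append((t[2], t[3]))
        elif t[0] == "port-forward" and len(t) >= 5:
            cfg["port_forwards"].setdefault(t[1], []).append((int(t[2]), t[3], t[4]))
        elif t[0] == "access-list" and len(t) >= 4 and t[2] == "webtype":
            cfg["webtype_acls"].setdefault(t[1], []).append(t[3])
    return cfg


def lint(text):
    """Return a list of human-readable findings for the configuration text."""
    cfg = parse_config(text)
    findings = []
    for name, entries in cfg["url_lists"].items():
        for display, url in entries:
            bad = url.count("://") != 1          # catches "http://http://..."
            if not bad:
                parts = urlsplit(url)
                bad = not parts.scheme or not parts.netloc
            if bad:
                findings.append(f"url-list {name} '{display}': malformed URL {url}")
    for name, entries in cfg["port_forwards"].items():
        seen = {}                                # local port -> first target
        for local_port, host, remote_port in entries:
            if local_port in seen:
                findings.append(f"port-forward {name}: local port {local_port} used "
                                f"for both {seen[local_port]} and {host}:{remote_port}")
            seen.setdefault(local_port, f"{host}:{remote_port}")
    for pol, info in cfg["policies"].items():
        for kind, target in info["refs"]:
            if target not in cfg[REFERENCE_KINDS[kind]]:
                findings.append(f"group-policy {pol}: {kind} value {target} is not defined")
        if info["refs"] and (info["protocols"] is None or "webvpn" not in info["protocols"]):
            findings.append(f"group-policy {pol}: binds webvpn objects but "
                            "vpn-tunnel-protocol does not include webvpn")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample it reports three findings: the Calendar URL, local port 4008 mapped to two different targets, and the reference to the undefined port-forward list Apps2. Feeding it the output of show running-config from a real appliance works the same way, since the parser keys only on the leading keyword and on the one-space indentation the appliance uses for sub-mode commands.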