Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3
Adding a Webtype Access List


Webtype access lists filter the URLs and servers that clientless SSL VPN (WebVPN) users can reach. This chapter describes how to add a webtype access list to the configuration.

This chapter includes the following sections:

Licensing Requirements for Webtype Access Lists

Guidelines and Limitations

Default Settings

Using Webtype Access Lists

Monitoring Webtype Access Lists

Configuration Examples for Webtype Access Lists

Feature History for Webtype Access Lists

Licensing Requirements for Webtype Access Lists

The following table shows the licensing requirements for this feature:

Model                 License Requirement

All models            Base License.


Guidelines and Limitations

This section includes the guidelines and limitations for this feature:

Context Mode Guidelines

Firewall Mode Guidelines

IPv6 Guidelines

Additional Guidelines and Limitations

Context Mode Guidelines

Supported in single and multiple context mode.

Firewall Mode Guidelines

Supported in routed and transparent firewall mode.

IPv6 Guidelines

Supports IPv6.

Additional Guidelines and Limitations

The following guidelines and limitations apply to Webtype access lists:

The access-list webtype command configures clientless SSL VPN filtering. The URL may be a full URL or a partial one (server and directory with no file specified), may use wildcards in the server name, and may specify a port. See the "Adding Webtype Access Lists with a URL String" section for information about using wildcard characters in the URL string.

Valid protocol identifiers are http, https, cifs, imap4, pop3, and smtp. The URL may also be the keyword any, which refers to any URL. An asterisk may be used to refer to a subcomponent of a DNS name.

Default Settings

Table 16-1 lists the default settings for Webtype access list parameters.

Table 16-1 Default Webtype Access List Parameters

Parameter    Default

deny         The adaptive security appliance denies every clientless SSL VPN request that the access list does not explicitly permit; an implicit deny is evaluated after the last ACE.

log          Access list logging generates system log message 106023 for denied packets. The message is generated only when a packet is actually denied.


Using Webtype Access Lists

This section includes the following topics:

Task Flow for Configuring Webtype Access Lists

Task Flow for Configuring Webtype Access Lists

Use the following guidelines to create and implement an access list:

Create an access list by adding an ACE and applying an access list name. See the "Adding Webtype Access Lists with a URL String" and "Adding Webtype Access Lists with an IP Address" sections.

Apply the access list to the clientless SSL VPN sessions it should filter. Webtype access lists are not applied to an interface with the access-group command; you reference them with the filter value command in webvpn configuration mode under the group-policy attributes or username attributes, as described in the clientless SSL VPN chapters of this guide.

Adding Webtype Access Lists with a URL String

To add an access list to the configuration that supports filtering for clientless SSL VPN, enter the following command:

Command

access-list access_list_name webtype {deny | permit} url {url_string | any} [log [[disable | default] | level] [interval secs]] [time_range name]

Example:

hostname(config)# access-list acl_company webtype deny url http://*.company.com

Purpose

Adds an access list to the configuration that supports filtering for WebVPN.

The access_list_name argument specifies the name or number of an access list.

The any keyword specifies all URLs.

The deny keyword denies access if the conditions are matched.

The interval option specifies the time interval at which to generate system log message 106100; valid values are from 1 to 600 seconds.

The log [[disable | default] | level] option specifies that system log message 106100 is generated for the ACE. When the log optional keyword is specified, the default level for system log message 106100 is 6 (informational). See the log command for more information.

The permit keyword permits access if the conditions are matched.

The time_range name option specifies a keyword for attaching the time-range option to this access list element.

The url keyword specifies that a URL be used for filtering.

The url_string option specifies the URL to be filtered.

You can use the following wildcard characters to define more than one wildcard in the Webtype access list entry:

Enter an asterisk "*" to match no characters or any number of characters.

Enter a question mark "?" to match any one character exactly.

Enter square brackets "[]" to create a range operator that matches any one character in a range.


Note To match any http URL, you must enter http://*/* instead of the former method of entering http://*.


To remove an access list, use the no form of this command with the complete syntax string as it appears in the configuration.


Adding Webtype Access Lists with an IP Address

To add an access list to the configuration that supports filtering for clientless SSL VPN, enter the following command:

Command

access-list access_list_name webtype {deny | permit} tcp {host ip_address | ip_address subnet_mask | any} [operator port [port]] [log [[disable | default] | level] [interval secs]] [time_range name]

Example:

hostname(config)# access-list acl_company webtype permit tcp any

Purpose

Adds an access list to the configuration that supports filtering for WebVPN.

The access_list_name argument specifies the name or number of an access list.

The any keyword specifies all IP addresses.

The deny keyword denies access if the conditions are matched.

The host ip_address option specifies a host IP address.

The interval option specifies the time interval at which to generate system log message 106100; valid values are from 1 to 600 seconds.

The ip_address subnet_mask option specifies a network address and its subnet mask (in dotted-decimal form, not a prefix length).

The log [[disable | default]| level] option specifies that system log message 106100 is generated for the ACE. When the log optional keyword is specified, the default level for system log message 106100 is 6 (informational). See the log command for more information.

The permit keyword permits access if the conditions are matched.

The operator port [port] option restricts the match to a TCP port. The operator is eq, neq, lt, or gt with a single port, or range with a low and a high port; the port is given as a decimal number or a port name. An entry without an operator matches any port.

The time_range name option specifies a keyword for attaching the time-range option to this access list element.

To remove an access list, use the no form of this command with the complete syntax string as it appears in the configuration.
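The following is an added example, not code from the Cisco guide or from the ASA itself: a small Python model of the IP-address form of the command, used to check what an access list will permit before it is applied to a group policy. Its assumptions are labelled in the docstring (an entry is matched against the destination address and TCP port of the clientless request; the operators are eq, neq, lt, gt and range; options after the port are ignored), and the configuration it parses (the acl_intranet list, the 10.10.1.0/24 and 10.20.0.0/16 networks) is constructed for the demonstration.

```python
"""Added example, not Cisco code: a model of the IP-address (tcp) form of the
webtype access list, for checking entries offline before they are applied.

Assumptions (mine, not taken from the ASA documentation):
  * an entry is matched against the destination IPv4 address and TCP port of
    the clientless SSL VPN request;
  * the port operator is eq, neq, lt or gt with one port, or range with a
    low and a high port; an entry without an operator matches any port;
  * entries are evaluated in order, first match wins, implicit deny last;
  * the log, interval and time_range options are accepted and ignored.
"""
import ipaddress
import re

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+webtype\s+(?P<action>permit|deny)\s+tcp\s+"
    r"(?:(?P<any>any)|host\s+(?P<host>\S+)|(?P<addr>\S+)\s+(?P<mask>\S+))"
    r"(?:\s+(?P<op>eq|neq|lt|gt|range)\s+(?P<p1>\d+)(?:\s+(?P<p2>\d+))?)?"
)


def parse_entry(line):
    """Parse one ACE into (name, action, network, (op, p1, p2)), or None."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    if g["any"]:
        net = ipaddress.ip_network("0.0.0.0/0")
    elif g["host"]:
        net = ipaddress.ip_network(g["host"] + "/32")
    else:
        # dotted subnet mask, as typed on the ASA, not a prefix length
        net = ipaddress.ip_network("%s/%s" % (g["addr"], g["mask"]), strict=False)
    p1 = int(g["p1"]) if g["p1"] else None
    p2 = int(g["p2"]) if g["p2"] else None
    if g["op"] == "range" and p2 is None:
        raise ValueError("range needs two ports: %r" % line)
    return g["name"], g["action"], net, (g["op"], p1, p2)


def port_matches(ports, port):
    """Apply the port operator; no operator means any port."""
    op, p1, p2 = ports
    if op is None:
        return True
    if op == "eq":
        return port == p1
    if op == "neq":
        return port != p1
    if op == "lt":
        return port < p1
    if op == "gt":
        return port > p1
    return p1 <= port <= p2  # range


def parse_acl(config_text, name):
    """Collect the entries of access list `name`, in configuration order."""
    entries = []
    for line in config_text.splitlines():
        e = parse_entry(line)
        if e and e[0] == name:
            entries.append(e[1:])
    return entries


def evaluate(entries, dst_ip, dst_port):
    """First-match evaluation; the implicit deny applies if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    for action, net, ports in entries:
        if ip in net and port_matches(ports, dst_port):
            return action
    return "deny"


# Constructed configuration for the demonstration (names and networks are
# invented): SSH to one admin host is denied explicitly, web ports on its
# subnet and one management port on a larger network are permitted.
CONFIG = """\
access-list acl_intranet webtype deny tcp host 10.10.1.5 eq 22
access-list acl_intranet webtype permit tcp 10.10.1.0 255.255.255.0 range 80 443 log
access-list acl_intranet webtype permit tcp 10.20.0.0 255.255.0.0 eq 8443
"""


def demo():
    """Evaluate a few destinations against acl_intranet."""
    acl = parse_acl(CONFIG, "acl_intranet")
    return {
        "web_in_subnet": evaluate(acl, "10.10.1.20", 443),       # permit
        "ssh_admin_host": evaluate(acl, "10.10.1.5", 22),        # explicit deny
        "ssh_other_host": evaluate(acl, "10.10.1.6", 22),        # implicit deny
        "web_outside_subnet": evaluate(acl, "10.10.2.20", 443),  # implicit deny
        "mgmt_8443": evaluate(acl, "10.20.5.5", 8443),           # permit
        "mgmt_8080": evaluate(acl, "10.20.5.5", 8080),           # implicit deny
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %s" % (key, value))
```

The entry for 10.10.1.6 on port 22 is denied even though no ACE names it, which is the implicit deny from Table 16-1 at work: only the admin host has an explicit deny, and port 22 is outside the permitted 80-443 range for the rest of the subnet.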


Adding Remarks to Access Lists

You can include remarks about entries in any access list, including extended, EtherType, IPv6, standard, and Webtype access lists. The remarks make the access list easier to understand.

To add a remark after the last access-list command you entered, enter the following command:

Command

access-list access_list_name remark text

Example:

hostname(config)# access-list OUT remark - this is the inside admin address

Purpose

Adds a remark after the last access-list command you entered.

The text can be up to 100 characters in length. You can enter leading spaces at the beginning of the text. Trailing spaces are ignored.

If you enter the remark before any access-list command, then the remark is the first line in the access list.

If you delete an access list using the no access-list access_list_name command, then all the remarks are also removed.


Example

You can add a remark before each ACE, and the remarks appear in the access list in these locations. Entering a dash (-) at the beginning of a remark helps set it apart from an ACE.

hostname(config)# access-list OUT remark - this is the inside admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
hostname(config)# access-list OUT remark - this is the hr admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any
 
   


What to Do Next

Apply the access list to the group policy or user whose clientless SSL VPN sessions it should filter, using the filter value command in webvpn configuration mode. Webtype access lists are not applied to interfaces with the access-group command.

Monitoring Webtype Access Lists

To monitor webtype access lists, enter the following command:

Command

show running-config access-list

Purpose

Displays the access-list configuration running on the adaptive security appliance.


Configuration Examples for Webtype Access Lists

The following example shows how to deny access to a specific company URL:

hostname(config)# access-list acl_company webtype deny url http://*.example.com

The following example shows how to deny access to a specific file:

hostname(config)# access-list acl_file webtype deny url https://www.example.com/dir/file.html

The following example shows how to deny HTTP access to any path on the server my-server through port 8080:

hostname(config)# access-list acl_company webtype deny url http://my-server:8080/*

The following examples show how to use wildcards in Webtype access lists.

The following example matches URLs such as http://www.example.com/ and http://www.sample.com/:

access-list test webtype permit url http://www.**ample/

The following example matches URLs such as http://www.cisco.com and ftp://wwz.carrier.com:

access-list test webtype permit url *://ww?.c*co*/

The following example matches URLs such as http://www.cisco.com:80 and https://www.cisco.com:81:

access-list test webtype permit url *://ww?.c*co*:8[01]/

The range operator "[]" in the preceding example specifies that either the character 0 or the character 1 can occur at that position.

The following example matches URLs such as http://www.google.com and http://www.boogie.com:

access-list test webtype permit url http://www.[a-z]oo?*/

The range operator "[]" in the preceding example specifies that any one character in the range a to z can occur at that position.

The following example matches URLs such as http://www.cisco.com/anything/crazy/url/ddtscgiz:

access-list test webtype permit url htt*://*/*cgi?*


The following example shows how to use a webtype access list to block access to a specific CIFS share.

In this scenario a root folder named "shares" contains two sub-folders, "Marketing_Reports" and "Sales_Reports", and access to "shares/Marketing_Reports" is to be denied:

access-list CIFS_Avoid webtype deny url cifs://172.16.10.40/shares/Marketing_Reports

However, because of the implicit deny at the end of every access list, this single-entry list makes the root folder ("shares") and all of its sub-folders inaccessible, not only "shares/Marketing_Reports".

To fix the problem, add a permit ACE for the root folder and the remaining sub-folders to the same access list, after the deny ACE. ACEs are evaluated in order, so the deny must come first, and a group policy or user references only one webtype access list with the filter value command, which is why the permit cannot live in a separate list:

access-list CIFS_Avoid webtype deny url cifs://172.16.10.40/shares/Marketing_Reports
access-list CIFS_Avoid webtype permit url cifs://172.16.10.40/shares*
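The following is an added example, not code from the Cisco guide or from the ASA itself, covering both the wildcard rules of the "Adding Webtype Access Lists with a URL String" section and the CIFS scenario above: a Python model that parses access-list webtype url lines, matches URLs against them with the documented wildcards, and evaluates a list first-match with the implicit deny. The matching semantics are assumptions and are labelled as such in the docstring (the URL is split into scheme, host and path and each part is matched on its own, a missing path counts as "/"); the configuration it reads (CIFS_Avoid, CIFS_Fixed and WRONG_ORDER) is constructed for the demonstration.

```python
"""Added example, not Cisco code: a model of webtype URL matching and
first-match evaluation, for testing access list intent offline.

Assumptions (mine, not taken from the ASA documentation):
  * a URL or pattern is split into scheme, host[:port] and path, and each
    part is matched on its own with the documented wildcards (* ? []), so
    a '*' in the host part never reaches past the first '/';
  * a missing path is treated as '/', in both the pattern and the URL;
  * scheme and host compare case-insensitively, the path case-sensitively;
  * entries are evaluated in order, first match wins, implicit deny last;
  * the log, interval and time_range options are accepted and ignored;
  * the tcp (IP address) form of the command is not modelled here.
"""
import re
from fnmatch import fnmatchcase

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+webtype\s+(permit|deny)\s+url\s+(\S+)")


def split_url(url):
    """Return (scheme, host, path) for a URL or a webtype URL pattern."""
    if "://" not in url:
        raise ValueError("expected scheme://host[/path], got %r" % url)
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return scheme.lower(), host.lower(), "/" + path


def url_matches(pattern, url):
    """True if url matches pattern under the component-wise wildcard model."""
    if pattern == "any":
        return True
    return all(fnmatchcase(part, pat)
               for part, pat in zip(split_url(url), split_url(pattern)))


def parse_acl(config_text, name):
    """Collect the (action, pattern) entries of access list `name`, in order."""
    entries = []
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == name:
            entries.append((m.group(2), m.group(3)))
    return entries


def evaluate(entries, url):
    """First-match evaluation; the implicit deny applies if nothing matches."""
    for action, pattern in entries:
        if url_matches(pattern, url):
            return action
    return "deny"


# Constructed configuration for the demonstration: the chapter's CIFS
# scenario as a single-entry list, as a list with the permit placed after
# the deny, and with the same two entries in the wrong order.
CONFIG = """\
access-list CIFS_Avoid webtype deny url cifs://172.16.10.40/shares/Marketing_Reports
access-list CIFS_Fixed webtype deny url cifs://172.16.10.40/shares/Marketing_Reports
access-list CIFS_Fixed webtype permit url cifs://172.16.10.40/shares* log
access-list WRONG_ORDER webtype permit url cifs://172.16.10.40/shares*
access-list WRONG_ORDER webtype deny url cifs://172.16.10.40/shares/Marketing_Reports
"""

SALES = "cifs://172.16.10.40/shares/Sales_Reports"
MARKETING = "cifs://172.16.10.40/shares/Marketing_Reports"


def demo():
    """Check the chapter's wildcard examples and the CIFS scenario."""
    return {
        # wildcard examples from the chapter
        "port_range": url_matches("*://ww?.c*co*:8[01]/", "https://www.cisco.com:81"),
        "cgi_path": url_matches("htt*://*/*cgi?*",
                                "http://www.cisco.com/anything/crazy/url/ddtscgiz"),
        "boogie": url_matches("http://www.[a-z]oo?*/", "http://www.boogie.com"),
        # the note: http://* covers only a bare host, http://*/* covers any path
        "bare_star": url_matches("http://*", "http://www.example.com/index.html"),
        "star_slash_star": url_matches("http://*/*", "http://www.example.com/index.html"),
        # the CIFS scenario
        "avoid_sales": evaluate(parse_acl(CONFIG, "CIFS_Avoid"), SALES),
        "fixed_sales": evaluate(parse_acl(CONFIG, "CIFS_Fixed"), SALES),
        "fixed_marketing": evaluate(parse_acl(CONFIG, "CIFS_Fixed"), MARKETING),
        "wrong_order_marketing": evaluate(parse_acl(CONFIG, "WRONG_ORDER"), MARKETING),
        # under this model a deny pattern without a trailing '*' covers only
        # that exact path, so a file inside the folder falls through to the permit
        "fixed_marketing_file": evaluate(parse_acl(CONFIG, "CIFS_Fixed"),
                                         MARKETING + "/q1.xlsx"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

Two results are worth checking against a real appliance before relying on the model: the WRONG_ORDER list permits Marketing_Reports because the permit ACE is matched first, and the exact-path deny in CIFS_Fixed does not cover files beneath the folder, so a deny that should cover a whole subtree needs a trailing "*" in its pattern.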

Feature History for Webtype Access Lists

Table 16-2 lists the release history for this feature.

Table 16-2 Feature History for Webtype Access Lists 

Feature Name            Releases    Feature Information

Webtype access lists    7.0         Webtype access lists are access lists that are added to a configuration that supports filtering for clientless SSL VPN. The feature and the following command were introduced: access-list webtype.