Adding a Webtype Access List

Webtype access lists are added to a configuration that supports filtering for clientless SSL VPN. This chapter describes how to add an access list to the configuration that supports filtering for WebVPN.


Licensing Requirements for Webtype Access Lists

The following table shows the licensing requirements for this feature:

Model         License Requirement
All models    Base License.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature:

Context Mode Guidelines

Supported in single and multiple context mode.

Firewall Mode Guidelines

Supported in routed and transparent firewall mode.

IPv6 Guidelines

Supports IPv6.

Additional Guidelines and Limitations

The following guidelines and limitations apply to Webtype access lists:

  • There are two types of webtype ACLs: URL-based ACLs and TCP-based ACLs. URL-based ACLs allow or deny URLs with the format protocol://ip-address/path; these ACLs filter based on clientless features. TCP-based ACLs allow or deny an IP address and port.
  • Permitting one type of ACL creates an implicit deny for the other type.
  • The access-list webtype command is used to configure clientless SSL VPN filtering. The URL specified may be full or partial (no file specified), may include wildcards for the server, or may specify a port. See the “Adding Webtype Access Lists with a URL String” section for information about using wildcard characters in the URL string.
  • Valid protocol identifiers are http, https, cifs, imap4, pop3, and smtp. The URL may also contain the keyword any to refer to any URL. An asterisk may be used to refer to a subcomponent of a DNS name.
  • Smart tunnel and ICA plug-ins are not affected by an ACL with ‘permit url any’ because they match the smart-tunnel:// and ica:// types.
  • ‘permit url any’ allows all URLs that have the format protocol://server-ip/path and blocks traffic that does not match any protocol://address/path form, such as port forwarding; the ASA administrator should explicitly set an ACE to allow connection to the required port (port 1494 in the case of Citrix) so that an implicit deny does not occur.

Default Settings

Table 18-1 lists the default settings for Webtype access list parameters.

Table 18-1 Default Webtype Access List Parameters

Parameter   Default
deny        The ASA denies all packets on the originating interface unless you specifically permit access.
log         Access list logging generates system log message 106023 for denied packets. Deny packets must be present to log denied packets.

Using Webtype Access Lists


Task Flow for Configuring Webtype Access Lists

Use the following guidelines to create and implement an access list:

Adding Webtype Access Lists with a URL String

To add an access list to the configuration that supports filtering for clientless SSL VPN, enter the following command:

Command:

access-list access_list_name webtype { deny | permit } url [ url_string | any ] [ log [[ disable | default ] | level ] interval secs ] [ time_range name ]

Example:

hostname(config)# access-list acl_company webtype deny url http://*.cisco.example

Purpose:

Adds an access list to the configuration that supports filtering for WebVPN.

The access_list_name argument specifies the name or number of an access list.

The any keyword specifies all URLs.

The deny keyword denies access if the conditions are matched.

The interval option specifies the time interval at which to generate system log message 106100; valid values are from 1 to 600 seconds.

The log [[ disable | default ] | level ] option specifies that system log message 106100 is generated for the ACE. When the log optional keyword is specified, the default level for system log message 106100 is 6 (informational). See the log command for more information.

The permit keyword permits access if the conditions are matched.

The time_range name option specifies a keyword for attaching the time-range option to this access list element.

The url keyword specifies that a URL be used for filtering.

The url_string option specifies the URL to be filtered.

You can use the following wildcard characters to define more than one wildcard in the Webtype access list entry:

  • Enter an asterisk “*” to match no characters or any number of characters.
  • Enter a question mark “?” to match any one character exactly.
  • Enter square brackets “[]” to create a range operator that matches any one character in a range.
Note: To match any http URL, you must enter http://*/* instead of the former method of entering http://*.


To remove an access list, use the no form of this command with the complete syntax string as it appears in the configuration.

Adding Webtype Access Lists with an IP Address

To add an access list to the configuration that supports filtering for clientless SSL VPN, enter the following command:

Command:

access-list access_list_name webtype { deny | permit } tcp [ host ip_address | ip_address subnet_mask | any ] [ oper port [ port ]] [ log [[ disable | default ] | level ] interval secs ] [ time_range name ]

Example:

hostname(config)# access-list acl_company webtype permit tcp any

Purpose:

Adds an access list to the configuration that supports filtering for WebVPN.

The access_list_name argument specifies the name or number of an access list.

The any keyword specifies all IP addresses.

The deny keyword denies access if the conditions are matched.

The host ip_address option specifies a host IP address.

The interval option specifies the time interval at which to generate system log message 106100; valid values are from 1 to 600 seconds.

The ip_address subnet_mask option specifies a specific IP address and subnet mask.

The log [[ disable | default ] | level ] option specifies that system log message 106100 is generated for the ACE. When the log optional keyword is specified, the default level for system log message 106100 is 6 (informational). See the log command for more information.

The permit keyword permits access if the conditions are matched.

The port option specifies the decimal number or name of a TCP or UDP port.

The time_range name option specifies a keyword for attaching the time-range option to this access list element.

To remove an access list, use the no form of this command with the complete syntax string as it appears in the configuration.

Adding Remarks to Access Lists

You can include remarks about entries in any access list, including extended, EtherType, IPv6, standard, and Webtype access lists. The remarks make the access list easier to understand.

To add a remark after the last access-list command you entered, enter the following command:

Command:

access-list access_list_name remark text

Example:

hostname(config)# access-list OUT remark - this is the inside admin address

Purpose:

Adds a remark after the last access-list command you entered.

The text can be up to 100 characters in length. You can enter leading spaces at the beginning of the text. Trailing spaces are ignored.

If you enter the remark before any access-list command, then the remark is the first line in the access list.

If you delete an access list using the no access-list access_list_name command, then all the remarks are also removed.

Example

You can add a remark before each ACE, and the remarks appear in the access list in these locations. Entering a dash (-) at the beginning of a remark helps set it apart from an ACE.

hostname(config)# access-list OUT remark - this is the inside admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
hostname(config)# access-list OUT remark - this is the hr admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any
 

What to Do Next

Apply the access list to an interface. See the “Configuring Access Rules” section for more information.

Monitoring Webtype Access Lists

To monitor webtype access lists, enter the following command:

Command:

show running-config access-list

Purpose:

Displays the access-list configuration running on the ASA.

Configuration Examples for Webtype Access Lists

The following example shows how to deny access to a specific company URL:

hostname(config)# access-list acl_company webtype deny url http://*.example.com
 

The following example shows how to deny access to a specific file:

hostname(config)# access-list acl_file webtype deny url https://www.example.com/dir/file.html
 

The following example shows how to deny HTTP access to any URL through port 8080:

hostname(config)# access-list acl_company webtype deny url http://my-server:8080/*
 

The following examples show how to use wildcards in Webtype access lists.

  • The following example matches URLs such as http://www.example.com/layouts/1033:

access-list VPN-Group webtype permit url http://www.example.com/*

  • The following example matches URLs such as http://www.example.com/ and http://www.example.net/:

access-list test webtype permit url http://www.**ample.com/

  • The following example matches URLs such as http://www.cisco.com and ftp://wwz.example.com:

access-list test webtype permit url *://ww?.c*co*/

  • The following example matches URLs such as http://www.cisco.com:80 and https://www.cisco.com:81:

access-list test webtype permit url *://ww?.c*co*:8[01]/

The range operator “[]” in the preceding example specifies that either character 0 or 1 can occur.

  • The following example matches URLs such as http://www.example.com and http://www.example.net:

access-list test webtype permit url http://www.[a-z]ample?*/

The range operator “[]” in the preceding example specifies that any character in the range from a to z can occur.

  • The following example matches URLs such as http://www.cisco.com/anything/crazy/url/ddtscgiz:

access-list test webtype permit url htt*://*/*cgi?*
 
Note: To match any http URL, you must enter http://*/* instead of the former method of entering http://*.


The following example shows how to enforce a webtype access list to disable access to specific CIFS shares.

In this scenario we have a root folder named “shares” that contains two sub-folders named “Marketing_Reports” and “Sales_Reports.” We want to specifically deny access to the “shares/Marketing_Reports” folder.

access-list CIFS_Avoid webtype deny url cifs://172.16.10.40/shares/Marketing_Reports
 

However, due to the implicit “deny all,” the above access list makes all of the sub-folders inaccessible (“shares/Sales_Reports” and “shares/Marketing_Reports”), including the root folder (“shares”).

To fix the problem, add a new access list to allow access to the root folder and the remaining sub-folders:

access-list CIFS_Allow webtype permit url cifs://172.16.10.40/shares*
 

Feature History for Webtype Access Lists

Table 18-2 lists each feature change and the platform release in which it was implemented.

Table 18-2 Feature History for Webtype Access Lists

Feature Name: Webtype access lists
Releases: 7.0(1)
Feature Information: Webtype access lists are access lists that are added to a configuration that supports filtering for clientless SSL VPN. We introduced the feature and the following command: access-list webtype.