Adding a Webtype Access List
Webtype access lists filter the traffic of clientless SSL VPN (WebVPN) sessions. This chapter describes how to add a webtype access list to the configuration so that clientless SSL VPN filtering can be applied.
Licensing Requirements for Webtype Access Lists
The following table shows the licensing requirements for this feature:
Guidelines and Limitations
This section includes the guidelines and limitations for this feature:
- Supported in single and multiple context mode.
- Supported in routed and transparent firewall mode.
Additional Guidelines and Limitations
The following guidelines and limitations apply to Webtype access lists:
- There are two types of webtype ACEs: URL-based and TCP-based. URL-based ACEs permit or deny URLs of the form protocol://ip-address/path and filter the clientless features (browsing, CIFS, mail proxies). TCP-based ACEs permit or deny by IP address and port, which is what port forwarding and plug-in connections match.
- Permitting one type of ACE creates an implicit deny for the other type: once the list contains a URL permit, TCP connections that match no ACE are dropped, and vice versa.
- The access-list webtype command configures clientless SSL VPN filtering. The URL specified may be full or partial (no file specified), may include wildcards for the server, or may specify a port. See the “Adding Webtype Access Lists with a URL String” section for information about using wildcard characters in the URL string.
- Valid protocol identifiers are http, https, cifs, imap4, pop3, and smtp. The URL may also contain the keyword any to refer to any URL. An asterisk may be used to refer to a subcomponent of a DNS name.
- Smart tunnel and ICA plug-ins are not affected by an ACE with 'permit url any', because their connections match the smart-tunnel:// and ica:// types rather than a URL.
- 'permit url any' allows every URL of the form protocol://server-ip/path and blocks traffic that does not match any protocol://address/path pattern, such as port forwarding. The ASA administrator should explicitly add a TCP ACE that permits the required port (port 1494 in the case of Citrix) so that the implicit deny does not block it.
Default Settings
Table 18-1 lists the default settings for Webtype access lists parameters.
Using Webtype Access Lists
This section includes the following topics:
- Task Flow for Configuring Webtype Access Lists
- Adding Webtype Access Lists with a URL String
- Adding Webtype Access Lists with an IP Address
- Adding Remarks to Access Lists
Task Flow for Configuring Webtype Access Lists
Use the following guidelines to create and implement an access list:
- Create an access list by adding an ACE and applying an access list name. See the “Using Webtype Access Lists” section.
- Apply the access list to an interface. See the “Configuring Access Rules” section for more information.
Adding Webtype Access Lists with a URL String
To add an access list to the configuration that supports filtering for clientless SSL VPN, enter the following command:
Adding Webtype Access Lists with an IP Address
To add an access list to the configuration that supports filtering for clientless SSL VPN, enter the following command:
Adding Remarks to Access Lists
You can include remarks about entries in any access list, including extended, EtherType, IPv6, standard, and Webtype access lists. The remarks make the access list easier to understand.
To add a remark after the last access-list command you entered, enter the following command:
Example
You can add a remark before each ACE, and the remarks appear in the access list in these locations. Entering a dash (-) at the beginning of a remark helps set it apart from an ACE.
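The following configuration is an added example that is not part of the original guide; it pulls together the guidelines above (URL-based and TCP-based ACEs, the implicit deny between the two types, the Citrix port 1494 case), the URL-string and IP-address forms of the command, and remarks placed above the ACEs they describe. The ACL name CLIENTLESS_FILTER, the group policy CLIENTLESS_GP, the host names and the addresses 10.1.1.10 and 10.1.1.20 are constructed for illustration, and attaching the list to a clientless group policy with filter value is an assumption about where this deployment applies the filter.

```text
! Added example, not from the original guide. Names and addresses are constructed.
!
! URL-based ACEs: protocol://server/path. A remark entered before an ACE
! appears above that ACE in the list; the leading dash sets it apart.
access-list CLIENTLESS_FILTER remark - Intranet portal (any path) and the CIFS file server
access-list CLIENTLESS_FILTER webtype permit url https://intranet.example.com/*
access-list CLIENTLESS_FILTER webtype permit url cifs://10.1.1.10/*
!
! TCP-based ACE: port forwarding and plug-ins do not match a URL pattern,
! so without this line the URL permits above would leave Citrix ICA
! (TCP 1494) to the implicit deny.
access-list CLIENTLESS_FILTER remark - Citrix ICA server reached through port forwarding
access-list CLIENTLESS_FILTER webtype permit tcp host 10.1.1.20 eq 1494
!
! Everything else, URL or TCP, is dropped by the implicit deny at the end
! of the list. No explicit deny-all ACE is needed.
!
! Attach the list to the clientless SSL VPN group policy (assumed deployment).
group-policy CLIENTLESS_GP attributes
 webvpn
  filter value CLIENTLESS_FILTER
```

ACEs are evaluated in order and the first match wins, so place specific deny entries before broader permit entries; a permit such as cifs://10.1.1.10/* placed first would shadow any later deny for a folder under it.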
What to Do Next
Apply the access list to an interface. See the “Configuring Access Rules” section for more information.
Monitoring Webtype Access Lists
To monitor webtype access lists, enter the following command:
Configuration Examples for Webtype Access Lists
The following example shows how to deny access to a specific company URL:
The following example shows how to deny access to a specific file:
The following example shows how to deny HTTP access to any URL through port 8080:
The following examples show how to use wildcards in Webtype access lists.
The range operator “[]” in the preceding example specifies that either character 0 or 1 can occur.
The range operator “[]” in the preceding example specifies that any character in the range from a to z can occur.
Note To match any http URL, you must enter http://*/* instead of the former method of entering http://*.
The following example shows how to use a webtype access list to deny access to specific CIFS shares.
In this scenario we have a root folder named “shares” that contains two sub-folders named “Marketing_Reports” and “Sales_Reports.” We want to deny access only to the “shares/Marketing_Reports” folder.
However, because of the implicit “deny all” at the end of every access list, a list that contains only that deny entry makes all of the sub-folders inaccessible (“shares/Sales_Reports” as well as “shares/Marketing_Reports”), including the root folder (“shares”).
To fix the problem, add a new access list to allow access to the root folder and the remaining sub-folders:
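The listings below are an added example, not the guide's own configuration, covering the configuration-example cases in this section: denying a company site, a single file, HTTP on port 8080, the wildcard forms, and the CIFS share scenario with the broken list beside the corrected one. The ACL names, the example.com host names and the file server address 10.1.1.10 are constructed.

```text
! Added example, not from the original guide. Names and addresses are constructed.
!
! Deny a company site: "*" stands in for any subcomponent of the DNS name,
! and the trailing "/*" covers every path on those hosts.
access-list acl_company webtype deny url http://*.example.com/*
!
! Deny one specific file.
access-list acl_file webtype deny url https://www.example.com/dir/file.html
!
! Deny HTTP to a server on port 8080 (the port is given in the server part).
access-list acl_port webtype deny url http://app.example.com:8080/*
!
! Range wildcards: "[0-1]" matches a single character that is 0 or 1,
! "[a-z]" matches a single lowercase letter; "*" then matches the rest.
access-list acl_wild webtype permit url http://www.example.com/reports/[0-1]*
access-list acl_wild webtype permit url http://www.example.com/[a-z]*
!
! "*" does not extend from the server into the path, so match any http URL
! with http://*/* rather than http://*.
access-list acl_wild webtype permit url http://*/*
!
! --- CIFS share scenario ---
!
! Broken list: only the unwanted sub-folder is denied, but the implicit
! deny-all then blocks shares/Sales_Reports and the shares root as well.
access-list CIFS_BROKEN webtype deny url cifs://10.1.1.10/shares/Marketing_Reports/*
!
! Corrected list: keep the deny first (first match wins), then explicitly
! permit the root folder and everything else under it.
access-list CIFS_OK webtype deny url cifs://10.1.1.10/shares/Marketing_Reports
access-list CIFS_OK webtype deny url cifs://10.1.1.10/shares/Marketing_Reports/*
access-list CIFS_OK webtype permit url cifs://10.1.1.10/shares
access-list CIFS_OK webtype permit url cifs://10.1.1.10/shares/*
```

Both the folder itself and its contents are denied in CIFS_OK because shares/Marketing_Reports/* does not match a request for the bare folder name; the same pairing is used for the permits so that listing the shares root works. Check the resulting order with show running-config access-list before attaching the list to a group policy.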
Feature History for Webtype Access Lists
Table 18-2 lists each feature change and the platform release in which it was implemented.