Adding a Webtype ACL and ACE
You must first create the webtype ACL and then add an ACE to the ACL.
Note Smart tunnel ACEs filter on a per-server basis only, so you cannot create smart tunnel ACEs to permit or deny access to directories or to permit or deny access to specific smart tunnel-enabled applications.
To configure a webtype ACL, perform the following steps:
Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Web ACLs.
Step 2 Click Add, and choose one of the following ACL types to add:
The Add ACL dialog box appears.
Step 3 Enter a name for the ACL (with no spaces), and click OK.
Step 4 To add an entry to the list that you just created, click Add, and choose Add ACE from the drop-down list.
Step 5 In the Action field, click the radio button next to the desired action:
- Permit—Permits access if the conditions are matched.
- Deny—Denies access if the conditions are matched.
Note The end of every ACL has an implicit deny rule.
Step 6 In the filter field, you can either filter on a URL or filter on an address and service.
a. To filter on a URL, choose the URL prefix from the drop-down list, and enter the URL.
Wildcard characters can be used in the URL field:
– An asterisk * matches none or any number of characters.
– A question mark ? matches any one character exactly.
– Square brackets [] are range operators, matching any character in the range. For example, to match both http://www.cisco.com:80/ and http://www.cisco.com:81/, enter the following:
http://www.cisco.com:8[01]/
b. To filter on an address and service, click the Filter address and service radio button, and enter the appropriate values.
Wildcard characters can be used with regular expressions in the address field:
– An asterisk * matches none or any number of characters.
– A question mark ? matches any one character exactly.
– Square brackets [] are range operators, matching any character in the range. For example, to permit a range of IP addresses from 10.2.2.20 through 10.2.2.31, enter the following:
10.2.2.[20-31]
You can also browse for the address and service by clicking the browse buttons at the end of the fields.
Step 7 (Optional) Logging is enabled by default. You can disable logging by unchecking the check box, or you can change the logging level from the drop-down list. The default logging level is Informational.
For more information about logging options, see the Log Options section on page 21-29.
Step 8 (Optional) If you changed the logging level from the default setting, you can specify the logging interval by clicking More Options to expand the list.
Valid values are from 1 through 6000 seconds. The default is 300 seconds.
Step 9 (Optional) To add a time range to your access rule that specifies when traffic can be allowed or denied, click More Options to expand the list.
a. To the right of the Time Range drop-down list, click the browse button.
b. The Browse Time Range dialog box appears.
c. Click Add.
d. The Add Time Range dialog box appears.
e. In the Time Range Name field, enter a time range name, with no spaces.
f. Enter the Start Time and the End Time.
g. To specify additional time constraints for the time range, such as specifying the days of the week or the recurring weekly interval in which the time range will be active, click Add, and specify the desired values.
Step 10 Click OK to apply the optional time range specifications.
Step 11 Click Apply to save the configuration.
Note After you add ACLs, you can click the following radio buttons to filter which ACLs appear in the main pane: IPv4 and IPv6, IPv4 only, or IPv6 only.
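The wildcard rules from Step 6 and the implicit deny from Step 5 can be checked offline before committing an ACL in ASDM. The following is an added example, not Cisco code and not the ASA's actual matching engine: it translates the * ? and [] operators into a regex, evaluates a constructed sample ACL top to bottom with first match winning, and falls through to the implicit deny. The numeric reading of [20-31] (the range 20 through 31) is an assumption taken from the page's own example.

```python
import re
from dataclasses import dataclass

def _bracket_to_regex(body: str) -> str:
    # Assumption from the page's examples: "[01]" is a set of single chars,
    # while "[20-31]" is an inclusive numeric range 20..31 (not a char class).
    m = re.fullmatch(r"(\d+)-(\d+)", body)
    if m and (len(m.group(1)) > 1 or len(m.group(2)) > 1):
        lo, hi = int(m.group(1)), int(m.group(2))
        return "(?:" + "|".join(str(n) for n in range(lo, hi + 1)) + ")"
    return "[" + body + "]"  # single-character set or range, e.g. [01], [a-f]

def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Compile a webtype ACL pattern (* ? []) into a regex for fullmatch."""
    parts, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            parts.append(".*")          # none or any number of characters
        elif c == "?":
            parts.append(".")           # exactly one character
        elif c == "[":
            j = pattern.find("]", i)
            if j == -1:
                raise ValueError(f"unterminated [ in pattern {pattern!r}")
            parts.append(_bracket_to_regex(pattern[i + 1:j]))
            i = j
        else:
            parts.append(re.escape(c))  # literal, so '.' in URLs stays literal
        i += 1
    return re.compile("".join(parts))

@dataclass
class Ace:
    action: str   # "permit" or "deny"
    pattern: str  # URL or address pattern using the wildcards above

def evaluate(acl: list[Ace], target: str) -> str:
    """Action of the first matching ACE; no match falls to the implicit deny."""
    for ace in acl:
        if wildcard_to_regex(ace.pattern).fullmatch(target):
            return ace.action
    return "deny"  # the end of every ACL has an implicit deny rule

# Constructed sample ACL (not from the page): first match wins, top to bottom.
SAMPLE_ACL = [
    Ace("deny", "http://www.cisco.com:8[01]/admin/*"),
    Ace("permit", "http://www.cisco.com:8[01]/*"),
    Ace("permit", "10.2.2.[20-31]"),
]
```

Ordering matters: swapping the first two ACEs would let the broader permit shadow the admin deny, which is the kind of mistake a dry run like this catches before the ACL is applied.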