3-15
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 3 Access Control Lists
Configure ACLs
– Smart tunnel and ica plug-ins are not affected by an ACL with ‘permit url any’ because they match smart-tunnel:// and ica:// types only.
– You can use these protocols: cifs://, citrix://, citrixs://, ftp://, http://, https://, imap4://, nfs://, pop3://, smart-tunnel://, and smtp://. You can also use wildcards in the protocol; for example, htt* matches http and https, and an asterisk * matches all protocols. For example, *://*.example.com matches any type of URL-based traffic to the example.com network.
– If you specify a smart-tunnel:// URL, you can include the server name only. The URL cannot contain a path. For example, smart-tunnel://www.example.com is acceptable, but smart-tunnel://www.example.com/index.html is not.
– An asterisk * matches none or any number of characters. To match any http URL, enter http://*/*.
– A question mark ? matches any one character exactly.
– Square brackets [] are range operators, matching any character in the range. For example, to match both http://www.cisco.com:80/ and http://www.cisco.com:81/, enter http://www.cisco.com:8[01]/.
• Logging—log arguments set logging options when an ACE matches a packet. If you enter the log option without any arguments, you enable syslog message 106102 at the default level (6) and for the default interval (300 seconds). Log options are:
– level—A severity level between 0 and 7. The default is 6.
– interval secs—The time interval in seconds between syslog messages, from 1 to 600. The default is 300.
– disable—Disables all ACL logging.
– default—Enables logging to message 106103. This setting is the same as not including the log option.
• Time Range—The time-range time_range_name option specifies a time range object, which determines the times of day and days of the week in which the ACE is active. If you do not include a time range, the ACE is always active.
• Activation—Use the inactive option to disable the ACE without deleting it. To reenable it, enter the entire ACE without the inactive keyword.
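The URL-pattern rules above (asterisk, question mark, bracket range, and the server-name-only restriction for smart-tunnel://) are illustrated by the following added example. It is standalone example code written for this page, not Cisco's implementation, and it does not model any ASA matching detail beyond the rules stated here (for instance, case handling is not modelled). The sample URLs in it are constructed.

```python
import re

# Added example (not Cisco code): the webtype URL-pattern rules from this page.

def webtype_pattern_to_regex(pattern: str):
    """Translate a webtype URL pattern into an anchored regex:
    * = none or any number of characters, ? = exactly one, [..] = a range."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "[":
            j = pattern.find("]", i)
            if j == -1:
                raise ValueError("unterminated [ ] range in pattern")
            body = pattern[i + 1:j]
            # accept letters, digits and '-' (for ranges such as [0-9]) only
            if not re.fullmatch(r"[A-Za-z0-9-]+", body):
                raise ValueError("unsupported [ ] range: %r" % body)
            out.append("[" + body + "]")
            i = j
        else:
            out.append(re.escape(c))  # everything else is literal
        i += 1
    return re.compile("".join(out))

def webtype_url_matches(pattern: str, url: str) -> bool:
    """True if the whole URL matches the webtype pattern."""
    return webtype_pattern_to_regex(pattern).fullmatch(url) is not None

def smart_tunnel_url_is_valid(url: str) -> bool:
    """smart-tunnel:// entries may carry a server name only, never a path."""
    prefix = "smart-tunnel://"
    if not url.startswith(prefix):
        return True  # the restriction applies to smart-tunnel:// URLs only
    return "/" not in url[len(prefix):]

if __name__ == "__main__":
    # Constructed sample URLs checked against the patterns quoted on this page.
    for pat, url in [("http://www.cisco.com:8[01]/", "http://www.cisco.com:81/"),
                     ("*://*.example.com", "https://www.example.com"),
                     ("http://*/*", "http://intranet.example.com/index.html")]:
        print(pat, url, webtype_url_matches(pat, url))
    print(smart_tunnel_url_is_valid("smart-tunnel://www.example.com/index.html"))
```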
Adding a Webtype ACE for IP Address Matching
You can match traffic based on the destination address the user is trying to access. The webtype ACL can include a mix of IPv4 and IPv6 addresses in addition to URL specifications.
To add a webtype ACE for IP address matching, use the following command:
access-list access_list_name webtype {deny | permit} tcp dest_address_argument [operator port] [log [[level] [interval secs] | disable | default]] [time-range time_range_name] [inactive]
Example:
hostname(config)# access-list acl_company webtype permit tcp any