B-15
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Appendix B Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server
Cisco AV Pairs ACL Examples
Table B-4 shows examples of Cisco AV pairs and describes the allow or deny actions that result.
Note Each ACL # in inacl# must be unique. However, they do not need to be sequential (i.e. 1, 2, 3, 4). For
example, they could be 5, 45, 135.
Table B-4 Examples of Cisco AV Pairs and their Permitting or Denying Action
URL Types supported in ACLs
The URL may be a partial URL, contain wildcards for the server, or contain a port.
The following URL types are supported:
Note The URLs listed above appear in CLI or ASDM menus based on whether the associated plugin
is enabled.
Guidelines for using Cisco-AV Pairs (ACLs)
• Use Cisco-AV pair entries with the ip:inacl# prefix to enforce access lists for remote IPSec and SSL
VPN Client (SVC) tunnels.
• Use Cisco-AV pair entries with the webvpn:inacl# prefix to enforce access lists for SSL VPN
clientless (browser-mode) tunnels.
• For Webtype ACLs, you don’t specify the source because the adaptive security appliance is the
source.
Cisco AV Pair Example Permitting or Denying Action
ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0
0.0.0.255 log
Allows IP traffic between the two hosts using full tunnel
IPsec or SSL VPN client.
ip:inacl#2=permit TCP any host 10.160.0.1 eq 80 log
Allows TCP traffic from all hosts to the specific host on port
80 only using full tunnel IPsec or SSL VPN client.
webvpn:inacl#1=permit url http://www.website.com
webvpn:inacl#2=deny url smtp://server
webvpn:inacl#3=permit url cifs://server/share
Allows clientless traffic to the URL specified, denies smtp
traffic to a specific server, and allows file share access (CIFS)
to the specified server.
webvpn:inacl#1=permit tcp 10.86.1.2 eq 2222 log
webvpn:inacl#2=deny tcp 10.86.1.2 eq 2323 log
Denies telnet and permits SSH on non-default ports 2323 and
2222, respectively.
webvpn:inacl#1=permit url ssh://10.86.1.2
webvpn:inacl#35=permit tcp 10.86.1.5 eq 22 log
webvpn:inacl#48=deny url telnet://10.86.1.2
webvpn:inacl#100=deny tcp 10.86.1.6 eq 23
Allows SSH to default port 22 and 23, respectively. For this
example, we assume you are using telnet/ssh java plugins
enforced by these ACLs.
any All URLs http:// nfs:// sametime:// telnet://
cifs:// https:// pop3:// smart-tunnel:// tn3270://
citrix:// ica:// post:// smtp:// tn5250://
citrixs:// imap4:// rdp:// ssh:// vnc://
ftp://
To Next Page
Loading...
Need help?
General
