EasyManuals Logo

Cisco 5510 - ASA SSL / IPsec VPN Edition User Manual

Cisco 5510 - ASA SSL / IPsec VPN Edition
2164 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #2138 background imageLoading...
Page #2138 background image
1-14
Cisco ASA Series CLI Configuration Guide
Appendix 1 Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server
URL Types Supported in ACLs
The URL may be a partial URL, contain wildcards for the server, or include a port.
The following URL types are supported.
Note The URLs listed in this table appear in CLI or ASDM menus based on whether or not the
associated plug-in is enabled.
Guidelines for Using Cisco-AV Pairs (ACLs)
• Use Cisco-AV pair entries with the ip:inacl# prefix to enforce access lists for remote IPsec and SSL
VPN Client (SVC) tunnels.
• Use Cisco-AV pair entries with the webvpn:inacl# prefix to enforce access lists for SSL VPN
clientless (browser-mode) tunnels.
• For webtype ACLs, you do not specify the source because the ASA is the source.
Table 1-4 Examples of Cisco AV Pairs and Their Permitting or Denying Action
Cisco AV Pair Example Permitting or Denying Action
ip:inacl#1=deny ip 10.155.10.0 0.0.0.255
10.159.2.0 0.0.0.255 log
Allows IP traffic between the two hosts using a full
tunnel IPsec or SSL VPN client.
ip:inacl#2=permit TCP any host
10.160.0.1 eq 80 log
Allows TCP traffic from all hosts to the specific host
on port 80 only using a full tunnel IPsec or SSL VPN
client.
webvpn:inacl#1=permit url
http://www.example.com
webvpn:inacl#2=deny url smtp://server
webvpn:inacl#3=permit url
cifs://server/share
Allows clientlessSSL VPN traffic to the URL
specified, denies SMTP traffic to a specific server,
and allows file share access (CIFS) to the specified
server.
webvpn:inacl#1=permit tcp 10.86.1.2 eq
2222 log
webvpn:inacl#2=deny tcp 10.86.1.2 eq
2323 log
Denies Telnet access and permits SSH access on
non-default ports 2323 and 2222, respectively, or
other application traffic flows using these ports for
clientless SSL VPN.
webvpn:inacl#1=permit url
ssh://10.86.1.2
webvpn:inacl#35=permit tcp 10.86.1.5 eq
22 log
webvpn:inacl#48=deny url
telnet://10.86.1.2
webvpn:inacl#100=deny tcp 10.86.1.6 eq
23
Allows clientless SSL VPN SSH access to default
port 22 and denies Telnet access to port 23,
respectively. This example assumes that you are using
Telnet or SSH Java plug-ins enforced by these ACLs.
any All URLs https:// post:// ssh://
cifs:// ica:// rdp:// telnet://
citrix:// imap4:// rdp2:// vnc://
citrixs:// ftp:// smart-tunnel://
http:// pop3:// smtp://

Table of Contents

Other manuals for Cisco 5510 - ASA SSL / IPsec VPN Edition

Preview: Configuration Guide
Configuration Guide1822 pages
Preview: Hardware Installation Guide
Hardware Installation Guide82 pages
Preview: Getting Started Guide
Getting Started Guide208 pages

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the Cisco 5510 - ASA SSL / IPsec VPN Edition and is the answer not in the manual?

Cisco 5510 - ASA SSL / IPsec VPN Edition Specifications

General IconGeneral
BrandCisco
Model5510 - ASA SSL / IPsec VPN Edition
CategoryFirewall
LanguageEnglish

Related product manuals