Cisco ASA Series Firewall CLI Configuration Guide
Chapter 3      Access Control Lists
  Configure ACLs
• The following example matches URLs such as http://www.example.com and ftp://wwz.example.com:
access-list test webtype permit url *://ww?.e*co*/
• The following example matches URLs such as http://www.cisco.com:80 and https://www.cisco.com:81:
access-list test webtype permit url *://ww?.c*co*:8[01]/
The range operator “[]” in the preceding example specifies that either character 0 or 1 can occur at that location.
• The following example matches URLs such as http://www.example.com and http://www.example.net:
access-list test webtype permit url http://www.[a-z]xample?*/
The range operator “[]” in the preceding example specifies that any character in the range from a to z can occur.
• The following example matches http or https URLs that include “cgi” somewhere in the file name or path:
access-list test webtype permit url htt*://*/*cgi?*
Note: To match any http URL, you must enter http://*/* instead of http://*.
The following example shows how to enforce a webtype ACL to disable access to specific CIFS shares. In this scenario we have a root folder named “shares” that contains two sub-folders named “Marketing_Reports” and “Sales_Reports.” We want to specifically deny access to the “shares/Marketing_Reports” folder.
access-list CIFS_Avoid webtype deny url cifs://172.16.10.40/shares/Marketing_Reports
However, due to the implicit “deny all” at the end of the ACL, the above ACL makes all of the sub-folders inaccessible (“shares/Sales_Reports” and “shares/Marketing_Reports”), including the root folder (“shares”).
To fix the problem, add a new ACL to allow access to the root folder and the remaining sub-folders:
access-list CIFS_Allow webtype permit url cifs://172.16.10.40/shares*
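The following Python model is an added example and is not part of the Cisco guide or ASA software. It approximates the webtype URL wildcard rules described above (“*” matches any string including an empty one, “?” matches exactly one character, “[...]” matches one character from a range) and evaluates an ordered list of entries with first match wins and an implicit deny at the end, which is standard ASA ACL behaviour. It assumes that every URL being checked carries a path of at least “/”, so patterns ending in “/” match the host-only URLs quoted in the bullets. The ACL names, the ACE tuples and the test URLs are constructed for the example; the CIFS entries reproduce the scenario above and show why CIFS_Avoid alone blocks Sales_Reports and the root folder.

```python
# Added example, not from the Cisco guide: a small model of webtype URL
# matching, used to show how the wildcard patterns above behave and why the
# CIFS_Avoid entry on its own blocks everything under "shares".
# Assumptions: '*' matches any string (including empty), '?' matches exactly
# one character, '[...]' matches one character from the listed range; every
# checked URL carries a path (at least "/"); ACEs are evaluated top to bottom,
# first match wins, and no match means the implicit deny.
# ACL names and test URLs below are constructed.
import re


def pattern_to_regex(pattern):
    """Translate an ASA-style webtype URL pattern into an anchored regex."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        elif ch == "[":
            close = pattern.find("]", i)
            if close == -1:
                raise ValueError(f"unterminated '[' in pattern {pattern!r}")
            # Pass the range body through unchanged, e.g. [a-z] or [01]
            parts.append("[" + pattern[i + 1:close].replace("\\", "\\\\") + "]")
            i = close
        else:
            parts.append(re.escape(ch))  # everything else is literal
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def matches(pattern, url):
    """True when the whole URL matches the wildcard pattern."""
    return pattern_to_regex(pattern).match(url) is not None


def evaluate(acl, url):
    """Return 'permit' or 'deny' for url; acl is an ordered list of (action, pattern)."""
    for action, pattern in acl:
        if matches(pattern, url):
            return action
    return "deny"  # implicit deny all at the end of every ACL


# Constructed ACLs reproducing the CIFS scenario from the guide
CIFS_BROKEN = [("deny", "cifs://172.16.10.40/shares/Marketing_Reports")]
CIFS_FIXED = CIFS_BROKEN + [("permit", "cifs://172.16.10.40/shares*")]


if __name__ == "__main__":
    for pattern, url in [
        ("*://ww?.e*co*/", "ftp://wwz.example.com/"),
        ("*://ww?.c*co*:8[01]/", "https://www.cisco.com:81/"),
        ("http://www.[a-z]xample?*/", "http://www.example.net/"),
        ("htt*://*/*cgi?*", "https://host.example/cgi-bin/search"),
    ]:
        print(f"{pattern:28} {url:40} {matches(pattern, url)}")
    for folder in ("shares", "shares/Sales_Reports", "shares/Marketing_Reports"):
        url = "cifs://172.16.10.40/" + folder
        print(f"{folder:26} broken={evaluate(CIFS_BROKEN, url):6} fixed={evaluate(CIFS_FIXED, url)}")
```

Run stand-alone, the script prints the four bullet patterns against one sample URL each and then the CIFS verdicts for the root folder and both sub-folders under the single-entry and the two-entry ACL. The order of the two CIFS entries matters: because the deny entry is listed first, Marketing_Reports stays blocked even though the permit entry for shares* would also match it.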
Configure EtherType ACLs
EtherType ACLs apply to non-IP layer-2 traffic in transparent firewall mode. You can use these rules to permit or drop traffic based on the EtherType value in the layer-2 packet. With EtherType ACLs, you can control the flow of non-IP traffic across the ASA. Note that 802.3-formatted frames are not handled by the ACL because they use a length field as opposed to a type field.
To add an EtherType ACE, use the following command:
access-list access_list_name ethertype {deny | permit} {ipx | bpdu | mpls-unicast | mpls-multicast | isis | any | hex_number}
Example:
hostname(config)# access-list ETHER ethertype deny ipx
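The following Python snippet is an added example, not code from the Cisco guide or the ASA. It shows the distinction the note above relies on: the two bytes at offset 12 of an Ethernet frame are a length in an 802.3 frame (values up to 0x05DC, that is 1500) and an EtherType in an Ethernet II frame (values from 0x0600), so an EtherType ACL has nothing to match in an 802.3 frame. The ACL evaluation (first match wins, implicit deny), the keyword table (only ipx and the two mpls keywords, mapped to their well-known EtherTypes) and the frames are this example's own constructions; what the ASA itself does with an 802.3 frame is not modelled, the function simply reports that the ACL was not evaluated.

```python
# Added example, not from the Cisco guide: tell an 802.3 frame (length field
# at offset 12) from an Ethernet II frame (EtherType at offset 12) and apply a
# simplified EtherType ACL to it. IEEE 802.3 uses values up to 0x05DC (1500)
# as a length; values from 0x0600 are EtherTypes.
# Assumptions: first matching ACE wins and no match is the implicit deny; the
# keyword table is this example's own mapping and covers only ipx and the two
# mpls keywords; the frames and the ACL below are constructed.
import struct

KEYWORD_TO_ETHERTYPE = {
    "ipx": 0x8137,            # IPX over Ethernet II
    "mpls-unicast": 0x8847,
    "mpls-multicast": 0x8848,
}


def ethertype_of(frame):
    """Return the EtherType of an Ethernet II frame, or None for an 802.3 frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    value = struct.unpack("!H", frame[12:14])[0]
    if value < 0x0600:
        return None  # 802.3: this is a payload length, not a type
    return value


def build_frame(type_or_length, payload=b"\x00" * 46):
    """Constructed frame: broadcast destination, made-up source, given type/length."""
    dst = b"\xff\xff\xff\xff\xff\xff"
    src = b"\x02\x00\x00\x00\x00\x01"  # locally administered address, constructed
    return dst + src + struct.pack("!H", type_or_length) + payload


def evaluate_ethertype_acl(acl, frame):
    """acl is an ordered list of (action, selector); selector is a keyword,
    'any', or an int EtherType (the hex_number form). Returns 'permit',
    'deny', or 'not-evaluated' for an 802.3 frame, which the guide says the
    EtherType ACL does not handle."""
    et = ethertype_of(frame)
    if et is None:
        return "not-evaluated"
    for action, selector in acl:
        if selector == "any":
            return action
        wanted = KEYWORD_TO_ETHERTYPE.get(selector, selector)
        if wanted == et:
            return action
    return "deny"  # implicit deny at the end of the ACL


# Constructed ACL: the guide's "deny ipx" entry followed by an explicit permit any
ETHER_ACL = [("deny", "ipx"), ("permit", "any")]

if __name__ == "__main__":
    samples = [
        ("ipx 0x8137", build_frame(0x8137)),
        ("mpls-unicast 0x8847", build_frame(0x8847)),
        ("802.3 length 46", build_frame(46)),
    ]
    for label, frame in samples:
        print(f"{label:22} {evaluate_ethertype_acl(ETHER_ACL, frame)}")
```

Run stand-alone, it reports deny for the IPX frame, permit for the MPLS frame, and not-evaluated for the 802.3 frame; dropping the trailing permit any entry, as in the guide's single-entry ETHER example, makes every non-IPX Ethernet II frame fall through to the implicit deny.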