Cisco ASA Series

Cisco ASA Series CLI Configuration Guide
Chapter 1 Adding a Webtype Access Control List
Configuration Examples for Webtype Access Lists
The following example shows how to deny access to a specific file:
hostname(config)# access-list acl_file webtype deny url https://www.example.com/dir/file.html
The following example shows how to deny HTTP access to any URL through port 8080:
hostname(config)# access-list acl_company webtype deny url http://my-server:8080/*
The following examples show how to use wildcards in Webtype access lists.
The following example matches URLs such as http://www.example.com/layouts/1033:
access-list VPN-Group webtype permit url http://www.example.com/*
The following example matches URLs such as http://www.example.com/ and
http://www.example.net/:
access-list test webtype permit url http://www.**ample.com/
The following example matches URLs such as http://www.cisco.com and ftp://wwz.example.com:
access-list test webtype permit url *://ww?.c*co*/
The following example matches URLs such as http://www.cisco.com:80 and
https://www.cisco.com:81:
access-list test webtype permit url *://ww?.c*co*:8[01]/
The range operator “[]” in the preceding example specifies that either character 0 or 1 can occur.
The following example matches URLs such as http://www.example.com and
http://www.example.net:
access-list test webtype permit url http://www.[a-z]ample?*/
The range operator “[]” in the preceding example specifies that any character in the range from a to
z can occur.
The following example matches URLs such as http://www.cisco.com/anything/crazy/url/ddtscgiz:
access-list test webtype permit url htt*://*/*cgi?*
Note: To match any http URL, you must enter http://*/* instead of the former method of entering http://*.
The following example shows how to enforce a webtype access list to disable access to specific CIFS
shares.
In this scenario we have a root folder named “shares” that contains two sub-folders named
“Marketing_Reports” and “Sales_Reports.” We want to specifically deny access to the
“shares/Marketing_Reports” folder.
access-list CIFS_Avoid webtype deny url cifs://172.16.10.40/shares/Marketing_Reports
However, due to the implicit “deny all,” the above access list makes all of the sub-folders inaccessible
(“shares/Sales_Reports” and “shares/Marketing_Reports”), including the root folder (“shares”).
To fix the problem, add a new access list to allow access to the root folder and the remaining sub-folders:
access-list CIFS_Allow webtype permit url cifs://172.16.10.40/shares*
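The CIFS scenario above can be checked offline before the entries are applied. The following is an added example, not part of the Cisco guide and not Cisco code: it models a webtype access list as an ordered list in which the first matching entry wins and any URL that matches no entry is dropped by the implicit deny. Assumptions: the deny and permit entries are evaluated together as one list (under the hypothetical name CIFS_Model), and Python's fnmatch is used as an approximation of the *, ? and [] wildcards.

```python
import fnmatch

IMPLICIT_DENY = ("deny", "implicit deny all")

def parse_aces(config, acl_name):
    """Return [(action, url_pattern)] for one webtype ACL, in configured order."""
    aces = []
    for line in config.splitlines():
        tok = line.split()
        # Expected form: access-list <name> webtype {permit|deny} url <pattern>
        if (len(tok) == 6 and tok[0] == "access-list" and tok[1] == acl_name
                and tok[2] == "webtype" and tok[3] in ("permit", "deny")
                and tok[4] == "url"):
            aces.append((tok[3], tok[5]))
    return aces

def evaluate(aces, url):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, pattern in aces:
        # fnmatchcase approximates the ASA wildcards (assumption, see lead-in)
        if fnmatch.fnmatchcase(url, pattern):
            return action, pattern
    return IMPLICIT_DENY

def report(aces, urls):
    """Map each URL to the action the modelled list would take."""
    return {url: evaluate(aces, url)[0] for url in urls}

# Constructed input: the three folders named in the scenario above.
BASE = "cifs://172.16.10.40/shares"
URLS = [BASE, BASE + "/Marketing_Reports", BASE + "/Sales_Reports"]

# CIFS_Model is a hypothetical ACL name used only for this model.
DENY_ONLY = "access-list CIFS_Model webtype deny url " + BASE + "/Marketing_Reports\n"
WITH_PERMIT = DENY_ONLY + "access-list CIFS_Model webtype permit url " + BASE + "*\n"

if __name__ == "__main__":
    for label, cfg in (("deny entry only", DENY_ONLY),
                       ("deny entry + permit entry", WITH_PERMIT)):
        print(label)
        for url, action in report(parse_aces(cfg, "CIFS_Model"), URLS).items():
            print(f"  {action:6} {url}")
```

In this model the order of the entries matters: if the permit entry for shares* is placed before the deny entry, it matches the Marketing_Reports URL first and the deny entry is never reached.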
