Cisco FirePOWER ASA 5500 series
E-14
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Appendix E Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server
Cisco-AV-Pair Attribute Syntax
The syntax of each Cisco-AV-Pair rule is as follows:
[Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination Wildcard Mask] [Established] [Log] [Operator] [Port]
For example:
ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log
ip:inacl#2=permit TCP any host 10.160.0.1 eq 80 log
webvpn:inacl#1=permit url http://www.cnn.com
webvpn:inacl#2=deny smtp any host 10.1.3.5
webvpn:inacl#3=permit url cifs://mar_server/peopleshare1
1. To get the complete Object Identifier of each attribute, append the number in the column to the end of 1.2.840.113556.8000.795.2. Thus, the OID of the first attribute in the table, cVPN3000-Access-Hours, is 1.2.840.113556.8000.795.2.1. Likewise, the OID of the last attribute in the table, cVPN3000-WebVPN-SVC-Compression, is 1.2.840.113556.8000.795.2.115.
Field                      Description
Prefix                     A unique identifier for the AV pair. For example: ip:inacl#1= (used for standard ACLs) or webvpn:inacl# (used for WebVPN ACLs). This field only appears when the filter has been sent as an AV pair.
Action                     Action to perform if the rule matches: deny, permit.
Protocol                   Number or name of an IP protocol. Either an integer in the range 0-255 or one of the following keywords: icmp, igmp, ip, tcp, udp.
Source                     Network or host that sends the packet. It is specified as an IP address, a hostname, or the keyword "any". If specified as an IP address, the source wildcard mask must follow.
Source Wildcard Mask       The wildcard mask applied to the source address.
Destination                Network or host that receives the packet. It is specified as an IP address, a hostname, or the keyword "any". If specified as an IP address, the destination wildcard mask must follow.
Destination Wildcard Mask  The wildcard mask applied to the destination address.
Log                        Generates a FILTER log message. You must use this keyword to generate events of severity level 9.
Operator                   Logic operators: greater than, less than, equal to, not equal to.
Port                       The number of a TCP or UDP port in the range 0-65535.
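The following validator is an added example, not part of the Cisco guide: it splits a Cisco-AV-Pair inacl value into the fields of the table above and rejects values the table does not allow (bad action, protocol outside the keyword list or 0-255, an IP without its wildcard mask, a port outside 0-65535), which is useful when auditing what an LDAP or RADIUS server is actually handing to the appliance. It assumes the operator keywords are spelled gt, lt, eq and neq (the page only shows eq) and that the host keyword works as in the page's examples; the trailing ones in the lead-in examples are the page's own rules.

```python
import ipaddress
import re

PROTOCOL_KEYWORDS = {"icmp", "igmp", "ip", "tcp", "udp"}  # Protocol row of the table
OPERATORS = {"gt", "lt", "eq", "neq"}  # assumed spellings; the page itself only shows "eq"
PREFIX_RE = re.compile(r"^(?P<kind>ip|webvpn):inacl#(?P<seq>\d+)=(?P<rule>.+)$")

def _endpoint(tokens, i):
    """Parse a Source/Destination: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens[i]
    if tok == "any":
        return {"addr": "any", "wildcard": None}, i + 1
    if tok == "host":  # single host, as in the page's examples
        ipaddress.IPv4Address(tokens[i + 1])  # raises ValueError if malformed
        return {"addr": tokens[i + 1], "wildcard": "0.0.0.0"}, i + 2
    ipaddress.IPv4Address(tok)
    ipaddress.IPv4Address(tokens[i + 1])  # a bare IP must be followed by its wildcard mask
    return {"addr": tok, "wildcard": tokens[i + 1]}, i + 2

def parse_av_pair(text):
    """Split one inacl rule into its fields, rejecting values the field table does not allow."""
    m = PREFIX_RE.match(text.strip())
    if not m:
        raise ValueError("missing ip:inacl#N= or webvpn:inacl#N= prefix")
    tokens = m["rule"].split()
    if tokens[0] not in ("permit", "deny"):
        raise ValueError(f"bad action {tokens[0]!r}")
    rule = {"kind": m["kind"], "seq": int(m["seq"]), "action": tokens[0],
            "operator": None, "port": None, "log": False}
    if rule["kind"] == "webvpn" and tokens[1] == "url":  # WebVPN URL form: permit url cifs://...
        rule["url"] = tokens[2]
        return rule
    proto = tokens[1].lower()
    if rule["kind"] == "ip" and not (proto in PROTOCOL_KEYWORDS or proto.isdigit() and int(proto) <= 255):
        raise ValueError(f"bad protocol {proto!r}")  # webvpn rules may name a service such as smtp
    rule["protocol"] = proto
    rule["source"], i = _endpoint(tokens, 2)
    rule["destination"], i = _endpoint(tokens, i)
    rest = tokens[i:]
    if rest and rest[0] in OPERATORS:
        rule["operator"], rule["port"] = rest[0], int(rest[1])
        if not 0 <= rule["port"] <= 65535:
            raise ValueError(f"port {rule['port']} outside 0-65535")
        rest = rest[2:]
    if rest and rest != ["log"]:
        raise ValueError(f"unexpected trailing tokens {rest}")
    rule["log"] = rest == ["log"]
    return rule
```

A truncated rule (for example a missing wildcard mask at the end) surfaces as IndexError, so an auditing loop should catch both ValueError and IndexError and report the offending attribute value.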
