3-17
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 3 Access Control Lists
Configure ACLs
•
The following example matches URLs such as http://www.example.com and
ftp://wwz.example.com:
access-list test webtype permit url *://ww?.e*co*/
•
The following example matches URLs such as http://www.cisco.com:80 and
https://www.cisco.com:81:
access-list test webtype permit url *://ww?.c*co*:8[01]/
The range operator “[]” in the preceding example specifies that either character
0
or
1
can occur at
that location.
•
The following example matches URLs such as http://www.example.com and
http://www.example.net:
access-list test webtype permit url http://www.[a-z]xample?*/
The range operator “[]” in the preceding example specifies that any character in the range from
a
to
z
can occur.
•
The following example matches http or https URLs that include “cgi” somewhere in the file name
or path.
access-list test webtype permit url htt*://*/*cgi?*
Note
To match any http URL, you must enter
http://*/*
instead of http://*.
The following example shows how to enforce a webtype ACL to disable access to specific CIFS shares.
In this scenario we have a root folder named “shares” that contains two sub-folders named
“Marketing_Reports” and “Sales_Reports.” We want to specifically deny access to the
“shares/Marketing_Reports” folder.
access-list CIFS_Avoid webtype deny url cifs://172.16.10.40/shares/Marketing_Reports.
However, due to the implicit “deny all” at the end of the ACL, the above ACL makes all of the
sub-folders inaccessible (“shares/Sales_Reports” and “shares/Marketing_Reports”), including the root
folder (“shares”).
To fix the problem, add a new ACL to allow access to the root folder and the remaining sub-folders:
access-list CIFS_Allow webtype permit url cifs://172.16.10.40/shares*
Configure EtherType ACLs
EtherType ACLs apply to non-IP layer-2 traffic in transparent firewall mode. You can use these rules to
permit or drop traffic based on the EtherType value in the layer-2 packet. With EtherType ACLs, you can
control the flow of non-IP traffic across the ASA. Note that 802.3-formatted frames are not handled by
the ACL because they use a length field as opposed to a type field.
To add an EtherType ACE, use the following command:
access-list
access_list_name
ethertype
{
deny
|
permit
}
{
ipx
|
bpdu
|
mpls-unicast
|
mpls-multicast
|
isis
|
any
|
hex_number
}
Example:
hostname(config)#
access-list ETHER ethertype deny ipx
Содержание ASA 5508-X
Страница 11: ...P A R T 1 Access Control ...
Страница 12: ......
Страница 60: ...4 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Access Rules History for Access Rules ...
Страница 157: ...P A R T 2 Network Address Translation ...
Страница 158: ......
Страница 204: ...9 46 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Network Address Translation NAT History for NAT ...
Страница 232: ...10 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 NAT Examples and Reference DNS and NAT ...
Страница 233: ...P A R T 3 Service Policies and Application Inspection ...
Страница 234: ......
Страница 379: ...P A R T 4 Connection Management and Threat Detection ...
Страница 380: ......
Страница 400: ...16 20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Connection Settings History for Connection Settings ...
Страница 414: ...17 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Quality of Service History for QoS ...