Webtype ACLs are added to a configuration that supports filtering for clientless SSL VPN. This chapter describes how to add an ACL to the configuration that supports filtering for WebVPN.
This section includes the guidelines and limitations for this feature:
Supported in single and multiple context mode.
Supported in routed and transparent firewall mode.
Additional Guidelines and Limitations
The following guidelines and limitations apply to Webtype ACLs:
Table 24-1 lists the default settings for Webtype ACLs parameters.
This section includes the following topics:
Use the following guidelines to create and implement an ACL:
You must first create the webtype ACL and then add an ACE to the ACL.
Note Smart tunnel ACEs filter on a per-server basis only, so you cannot create smart tunnel ACEs to permit or deny access to directories or to permit or deny access to specific smart tunnel-enabled applications.
To configure a webtype ACL, perform the following steps:
Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Web ACLs.
Step 2 Click Add, and choose one of the following ACL types to add:
The Add ACL dialog box appears.
Step 3 Enter a name for the ACL (with no spaces), and click OK.
Step 4 To add an entry to the list that you just created, click Add, and choose Add ACE from the drop-down list.
Step 5 In the Action field, click the radio button next to the desired action:
Note The end of every ACL has an implicit deny rule.
Step 6 In the filter field, you can either filter on a URL or filter on an address and service.
a. To filter on a URL, choose the URL prefix from the drop-down list, and enter the URL.
Wildcard characters can be used in the URL field:
– An asterisk * matches none or any number of characters.
– A question mark ? matches any one character exactly.
– Square brackets [] are range operators, matching any character in the range. For example, to match both http://www.cisco.com:80/ and http://www.cisco.com:81/, enter the following:
http://www.cisco.com:8[01]/
b. To filter on an address and service, click the Filter address and service radio button, and enter the appropriate values.
Wildcard characters can be used with regular expressions in the address field:
– An asterisk * matches none or any number of characters.
– A question mark ? matches any one character exactly.
– Square brackets [] are range operators, matching any character in the range. For example, to permit a range of IP addresses from 10.2.2.20 through 10.2.2.31, enter the following:
10.2.2.[20-31]
You can also browse for the address and service by clicking the browse buttons at the end of the fields.
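The wildcard rules in Step 6 and the implicit deny from Step 5 can be tried out offline with the small evaluator below. It is an added illustration written for this page, not Cisco code and not the ASA's matching engine; in particular, reading a multi-digit bracket expression such as [20-31] as the numeric range 20 through 31 is an assumption taken from the page's own example, and the sample ACL entries are constructed.

```python
import re

def webtype_to_regex(pattern: str) -> str:
    """Translate a webtype ACL wildcard pattern into an anchored regex."""
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":                       # none or any number of characters
            parts.append(".*")
        elif ch == "?":                     # exactly one character
            parts.append(".")
        elif ch == "[":                     # range operator
            close = pattern.find("]", i)
            if close < 0:
                raise ValueError(f"unterminated '[' in {pattern!r}")
            body = pattern[i + 1:close]
            m = re.fullmatch(r"(\d+)-(\d+)", body)
            if m and max(len(m[1]), len(m[2])) > 1:
                # Assumption: a multi-digit range such as [20-31] spans the
                # numbers 20..31, as in the page's 10.2.2.[20-31] example.
                lo, hi = int(m[1]), int(m[2])
                parts.append("(?:" + "|".join(str(n) for n in range(lo, hi + 1)) + ")")
            else:
                parts.append("[" + body + "]")   # single-character class, e.g. 8[01]
            i = close
        else:
            parts.append(re.escape(ch))     # everything else is literal
        i += 1
    return "".join(parts)

def webtype_match(pattern: str, value: str) -> bool:
    """True when the whole URL or address matches the wildcard pattern."""
    return re.fullmatch(webtype_to_regex(pattern), value) is not None

def evaluate_acl(aces, value: str) -> str:
    """Return the action of the first matching ACE; the end of the ACL is an implicit deny."""
    for action, pattern in aces:
        if webtype_match(pattern, value):
            return action
    return "deny"

# Constructed sample ACL built from the patterns shown in Step 6 (not from the page).
SAMPLE_ACL = [
    ("deny", "http://www.cisco.com:8[01]/private/*"),
    ("permit", "http://www.cisco.com:8[01]/*"),
    ("permit", "10.2.2.[20-31]"),
]
```

Order matters: the more specific deny entry has to sit above the broader permit entry, exactly as it would in the ASDM list, or it is never reached.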
Step 7 (Optional) Logging is enabled by default. You can disable logging by unchecking the check box, or you can change the logging level from the drop-down list. The default logging level is Informational.
For more information about logging options, see the Log Options section on page 21-29.
Step 8 (Optional) If you changed the logging level from the default setting, you can specify the logging interval by clicking More Options to expand the list.
Valid values are from 1 through 6000 seconds. The default is 300 seconds.
Step 9 (Optional) To add a time range to your access rule that specifies when traffic can be allowed or denied, click More Options to expand the list.
a. To the right of the Time Range drop-down list, click the browse button.
b. The Browse Time Range dialog box appears.
d. The Add Time Range dialog box appears.
e. In the Time Range Name field, enter a time range name, with no spaces.
f. Enter the Start Time and the End Time.
g. To specify additional time constraints for the time range, such as specifying the days of the week or the recurring weekly interval in which the time range will be active, click Add, and specify the desired values.
Step 10 Click OK to apply the optional time range specifications.
Step 11 Click Apply to save the configuration.
Note After you add ACLs, you can click the following radio buttons to filter which ACLs appear in the main pane: IPv4 and IPv6, IPv4 only, or IPv6 only.
To edit a webtype ACL or ACE, perform the following steps:
Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Web ACLs.
Step 2 Choose the ACL type to edit by clicking one of the following radio buttons:
The main Access Rule Pane displays the available interfaces for the chosen rule type.
Step 3 Select the ACE to edit, and make any changes to the values.
For more information about specific values, see Adding a Webtype ACL and ACE.
Step 5 Click Apply to save the changes to your configuration.
To delete a webtype ACE, perform the following steps:
Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Web ACLs.
Step 2 Choose the ACL type to edit by clicking one of the following radio buttons:
The main Access Rule Pane displays the available interfaces for the chosen rule type.
Step 3 Select the ACE to delete.
If you select a specific ACE, only that ACE is deleted. If you select an ACL, that ACL and all of the ACEs under it are deleted.
The selected items are removed from the viewing pane.
Note If you deleted an item in error and want to restore it to your configuration, click Reset before you click Apply. The deleted item reappears in the viewing pane.
Step 5 Click Apply to save the change to the configuration.
Table 24-2 lists the release history for this feature.