72-9
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 72 Configuring Clientless SSL VPN
Configuring Clientless SSL VPN Access
• Click + to expand or - to collapse the list of ACEs under each ACL. The priority of the ACEs under
each ACL is displayed. The order in the list determines priority.
• (Optional) Click Find to search for a web ACL. Start typing in the field, and the tool searches the
beginning characters of every field for a match. You can use wild cards to expand your search. For
example, typing sal in the Find field matches a web ACL named sales but not a customization object
named wholesalers. If you type *sal in the Find field, the search finds the first instance of either
sales or wholesalers in the table.
Use the up and down arrows to skip up or down to the next string match. Check the Match Case
checkbox to make your search case sensitive.
• (Optional) Highlight a web ACL and click Assign to assign the selected web ACL to one or more
VPN group policies, dynamic access policies, or user policies.
• When you create an ACE, by default it is enabled. Clear the check box to disable an ACE.
The IP address or URL of the application or service to which the ACE applies is displayed. The TCP
service to which the ACE applies is also displayed. The Action field displays whether the ACE permits
or denies clientless SSL VPN access. The time range associated with the ACE and the logging behavior
(either disabled or with a specified level and time interval) is also displayed.
Adding or Editing ACEs
An Access Control Entry (or “access rule”) permits or denies access to specific URLs and services. You
can configure multiple ACEs for an ACL. ACLs apply ACEs in priority order, acting on the first match.
Detailed Steps
Step 1 Permit or deny access to specific networks, subnets, hosts, and web servers specified in the Filter group
field.
Step 2 Specify a URL or an IP address to which you want to apply the filter (permit or deny user access):
• URL—Applies the filter to the specified URL.
• Protocols (unlabeled)—Specifies the protocol part of the URL address.
• ://x—Specifies the URL of the Web page to which to apply the filter.
• TCP—Applies the filter to the specified IP address, subnet, and port.
• IP Address—Specifies the IP address to which to apply the filter.
• Netmask—Lists the standard subnet mask to apply to the address in the IP Address field.
• Service—Identifies the service (such as https, kerberos, or any) to be matched. Displays a list of
services from which you can select the service to display in the Service field.
• Boolean operator (unlabeled)—Lists the boolean conditions (equal, not equal, greater than, less
than, or range) to use in matching the service specified in the service field.
Step 3 The Rule Flow Diagram graphically depicts the traffic flow using the filter. This area may be hidden.
Step 4 Specify the logging rules. The default is Default Syslog.
• Logging—Choose enable if you want to enable a specific logging level.
• Syslog Level—Grayed out until you select Enable for the Logging attribute. Lets you select the type
of syslog messages you want the ASA to display.
• Log Interval—Lets you select the number of seconds between log messages.