Cisco Systems OL-16647-01 Network Router User Manual


C-13
Cisco ASDM User Guide
OL-16647-01
Appendix C Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server
For example:
ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log
ip:inacl#2=permit TCP any host 10.160.0.1 eq 80 log
webvpn:inacl#1=permit url http://www.website.com
webvpn:inacl#2=deny smtp any host 10.1.3.5
webvpn:inacl#3=permit url cifs://mar_server/peopleshare1
Note Use Cisco-AV pair entries with the ip:inacl# prefix to enforce access lists for remote IPSec and SSL VPN Client (SVC) tunnels. Use Cisco-AV pair entries with the webvpn:inacl# prefix to enforce access lists for SSL VPN clientless (browser-mode) tunnels.
Table C-3 lists the syntax rules for the fields of the Cisco-AV-pair attribute, and Table C-4 lists the tokens for the Cisco-AV-pair attribute:

Table C-3 AV-Pair Attribute Syntax Rules

Field | Description
Protocol | Number or name of an IP protocol. Either an integer in the range 0 - 255 or one of the following keywords: icmp, igmp, ip, tcp, udp.
Source | Network or host that sends the packet. Specify it as an IP address, a hostname, or the keyword “any.” If using an IP address, the source wildcard mask must follow.
Source Wildcard Mask | The wildcard mask that applies to the source address.
Destination | Network or host that receives the packet. Specify it as an IP address, a hostname, or the keyword “any.” If using an IP address, the destination wildcard mask must follow.
Destination Wildcard Mask | The wildcard mask that applies to the destination address.
Log | Generates a FILTER log message. You must use this keyword to generate events of severity level 9.
Operator | Logic operators: greater than, less than, equal to, not equal to.
Port | The number of a TCP or UDP port in the range 0 - 65535.

Table C-4 Security Appliance-Supported Tokens

Token | Syntax Field | Description
ip:inacl#Num= | N/A (Identifier) | (Where Num is a unique integer.) Starts all AV pair access control lists. Enforces access lists for remote IPSec and SSL VPN (SVC) tunnels.
webvpn:inacl#Num= | N/A (Identifier) | (Where Num is a unique integer.) Starts all clientless SSL AV pair access control lists. Enforces access lists for clientless (browser-mode) tunnels.
deny | Action | Denies action. (Default)
permit | Action | Allows action.
icmp | Protocol | Internet Control Message Protocol (ICMP)
1 | Protocol | Internet Control Message Protocol (ICMP)
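As an added example that is not part of the Cisco guide, the following Python parser applies the Table C-3 and Table C-4 rules to the AV pair strings shown above, so that access-list entries returned by an external LDAP server can be checked for well-formedness before an administrator trusts them. The operator keywords eq, gt, lt and neq, the hostname handling, and the looser check applied to clientless service names (the excerpt does not list them) are assumptions of this example.

```python
import re
PROTOCOL_KEYWORDS = {"icmp", "igmp", "ip", "tcp", "udp"}   # protocol keywords from Table C-3
PORT_OPERATORS = {"eq", "gt", "lt", "neq"}                  # assumed: equal, greater, less, not equal
AV_PAIR_RE = re.compile(r"^(ip|webvpn):inacl#(\d+)=(.+)$")  # Table C-4 identifier tokens

def _is_ipv4(s):
    return s.count(".") == 3 and all(p.isdigit() and int(p) <= 255 for p in s.split("."))

def _take_address(toks):
    """Consume 'any', 'host A.B.C.D', 'A.B.C.D wildcard' or a hostname (Table C-3 rules)."""
    if not toks:
        raise ValueError("missing address")
    t = toks.pop(0)
    if t == "any":
        return ("any",)
    if t == "host" or _is_ipv4(t):              # both forms need a second IPv4 token
        nxt = toks.pop(0) if toks else ""
        if not _is_ipv4(nxt):
            raise ValueError("%r must be followed by a host address or wildcard mask" % t)
        return ("host", nxt) if t == "host" else ("net", t, nxt)
    return ("hostname", t)

def parse_av_pair(line):
    """Parse one inacl AV pair into a dict; raise ValueError on a syntax error."""
    m = AV_PAIR_RE.match(line.strip())
    if not m:
        raise ValueError("not an ip:inacl#/webvpn:inacl# AV pair: %r" % line)
    prefix, num, body = m.group(1), int(m.group(2)), m.group(3).split()
    entry = {"prefix": prefix, "num": num, "action": body.pop(0) if body else ""}
    if entry["action"] not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    proto = body.pop(0).lower() if body else ""
    if prefix == "webvpn" and proto == "url":   # clientless URL rule: <action> url <url>
        if len(body) != 1:
            raise ValueError("url rule takes exactly one URL")
        return dict(entry, url=body[0])
    # keyword or 0-255 per Table C-3; clientless service names (smtp above) only checked as words
    if not (proto in PROTOCOL_KEYWORDS or (proto.isdigit() and int(proto) <= 255)
            or (prefix == "webvpn" and proto.isalpha())):
        raise ValueError("bad protocol %r" % proto)
    entry["protocol"] = proto
    entry["src"], entry["dst"] = _take_address(body), _take_address(body)
    if body and body[0] in PORT_OPERATORS:      # optional <operator> <port>, port 0-65535
        entry["port"] = (body.pop(0), int(body.pop(0)) if body and body[0].isdigit() else -1)
        if not 0 <= entry["port"][1] <= 65535:
            raise ValueError("port must be 0-65535")
    entry["log"] = body[:1] == ["log"]          # 'log' keyword generates a FILTER log message
    if len(body) > int(entry["log"]):
        raise ValueError("unexpected trailing tokens: " + " ".join(body))
    return entry
```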