Cisco Systems OL-16647-01 Network Router User Manual


38-2
Cisco ASDM User Guide
OL-16647-01
Chapter 38 Clientless SSL VPN
Security Precautions
Educate users. If an SSL-enabled site is not inside the private network, users should not visit this
site over a Clientless SSL VPN connection. They should open a separate browser window to visit
such sites, and use that browser to view the presented certificate.
ACLs
You can configure ACLs (Access Control Lists) to apply to user sessions. These are filters that permit
or deny user access to specific networks, subnets, hosts, and web servers.
If you do not define any filters, all connections are permitted.
The security appliance supports only an inbound ACL on an interface.
At the end of each ACL, there is an implicit, unwritten rule that denies all traffic that is not
permitted by an earlier entry. If traffic is not explicitly permitted by an access control entry (ACE), the security
appliance denies it. Because of this implicit deny, an ACL that contains only deny entries blocks every
connection once it is applied to a session, so every ACL needs at least one permit entry for the traffic
users are expected to reach. ACEs are referred to as rules in this topic.
This pane lets you add and edit ACLs to be used for Clientless SSL VPN sessions, and the ACL entries
each ACL contains. It also displays summary information about ACLs and ACEs, and lets you enable or
disable them, and change their priority order.
Fields
Add ACL—Click to add an ACL or ACE. To insert a new ACE before or after an existing ACE, click
Insert or Insert After.
Edit—Click to edit the highlighted ACE.
Delete—Click to delete the highlighted ACL or ACE. When you delete an ACL, you also delete all
of its ACEs. No warning or undelete.
Move UP/Move Down—Highlight an ACL or ACE and click these buttons to change the order of
ACLs and ACEs. The security appliance checks ACLs to be applied to Clientless SSL VPN sessions
and their ACEs in the sequence determined by their position in the ACLs list box until it finds a
match.
+/-—Click to expand (+) or collapse (-) to view or hide the list of ACEs under each ACL.
No—Displays the priority of the ACEs under each ACL. The order in the list determines priority.
Enabled—Shows whether the ACE is enabled. When you create an ACE, by default it is enabled.
Clear the check box to disable an ACE.
Address—Displays the IP address or URL of the application or service to which the ACE applies.
Service—Displays the TCP service to which the ACE applies.
Action—Displays whether the ACE permits or denies Clientless SSL VPN access.
Time—Displays the time range associated with the ACE.
Logging (Interval)—Displays the configured logging behavior, either disabled or with a specified
level and time interval.
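The evaluation order described above (ACEs checked in list order, the first enabled match decides, an implicit deny when nothing matches, and permit-all when no filter is applied) is easy to get wrong when reordering entries: a deny placed below a broader permit never fires. The following Python model is an added illustration, not Cisco code or the appliance's actual implementation. The Ace class, the evaluate() and shadowed() functions, the sample ACL and the request URLs are all constructed for this example, and matching is simplified (a "*" wildcard matches any run of characters, and hostnames in network entries are not resolved).

```python
"""Model of Clientless SSL VPN ACL evaluation (added illustration, not Cisco code).

An ACL is an ordered list of ACEs. The appliance checks them in order, the first
enabled ACE that matches decides, and an ACL that matches nothing denies (the
implicit deny at the end of every ACL). With no ACL applied, everything is permitted.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import List, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    address: str           # URL pattern ("https://*.example.com/*") or network ("10.1.2.0/24")
    service: str = "any"   # TCP port as a string, or "any"; used by network ACEs
    enabled: bool = True   # a cleared Enabled check box hides the ACE from evaluation

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        if "://" in self.address:
            # URL ACE: wildcard match on the whole URL (assumption: '*' matches any characters)
            return fnmatchcase(url, self.address)
        # Network ACE: host must be a literal IP inside the network and the port must match.
        try:
            host = ip_address(parts.hostname or "")
        except ValueError:
            return False           # hostnames are not resolved in this model
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
        if host not in ip_network(self.address, strict=False):
            return False
        return self.service == "any" or (port is not None and int(self.service) == port)


def evaluate(acl: Optional[List[Ace]], url: str) -> str:
    """Decide a request the way the appliance does: first match wins, otherwise deny."""
    if acl is None:
        return "permit"            # no filter defined: all connections are permitted
    for ace in acl:
        if ace.enabled and ace.matches(url):
            return ace.action      # position in the list is the ACE's priority
    return "deny"                  # implicit, unwritten deny at the end of the ACL


def shadowed(acl: List[Ace], sample_urls: List[str]) -> List[int]:
    """Indexes of enabled ACEs that decide none of the sample URLs because an earlier ACE wins.

    Run this against the URLs the ACL is meant to protect before applying it; a deny
    sitting below a broader permit shows up here.
    """
    decided = set()
    for url in sample_urls:
        for i, ace in enumerate(acl):
            if ace.enabled and ace.matches(url):
                decided.add(i)
                break
    return [i for i, ace in enumerate(acl) if ace.enabled and i not in decided]


# Constructed sample ACL and requests (not taken from the guide).
ADMIN_DENY = Ace("deny", "https://intranet.example.com/admin/*")
INTRANET_PERMIT = Ace("permit", "https://intranet.example.com/*")
SQL_PERMIT = Ace("permit", "10.1.2.0/24", service="1433")
SAMPLE_URLS = [
    "https://intranet.example.com/admin/users",
    "https://intranet.example.com/wiki/Home",
    "https://10.1.2.7:1433/",
    "https://www.example.org/",
]

if __name__ == "__main__":
    good = [ADMIN_DENY, INTRANET_PERMIT, SQL_PERMIT]
    bad = [INTRANET_PERMIT, ADMIN_DENY, SQL_PERMIT]   # deny moved below the broader permit
    for url in SAMPLE_URLS:
        print(f"{url:45} good={evaluate(good, url):6} bad={evaluate(bad, url)}")
    print("shadowed ACEs in bad order:", shadowed(bad, SAMPLE_URLS))
```

Running the script shows the admin URL denied in the "good" order and permitted in the "bad" order, with shadowed() reporting the deny entry at index 1 as dead. The same check is worth repeating after any Move Up/Move Down in the pane, since the pane reorders entries without warning about entries that can no longer match.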
Modes
The following table shows the modes in which this feature is available: