72-8
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 72 Configuring Clientless SSL VPN
Configuring Clientless SSL VPN Access
Step 6 Enter the percent of total memory or the amount of memory in kilobytes that you want to allocate to
clientless SSL VPN processes. The default is 50% of memory. Be aware that the different ASA models
have different total amounts of memory, as follows: ASA 5510: 256 MB; ASA 5520: 512 MB; ASA
5540: 1 GB; ASA 5550: 4 GB. When you change the memory size, the new setting takes effect only after
the system reboots.
Step 7 In the WebVPN Memory field, choose to allocate memory for clientless SSL VPN either as a percentage
of total memory or as an amount of memory in kilobytes.
Step 8 Click to include a drop-down list of configured tunnel groups on the clientless SSL VPN end-user
interface. Users select a tunnel group from this list when they log on. This field is checked by default. If
you uncheck it, the user cannot select a tunnel group at logon.
Configuring ACLs
You can configure ACLs (access control lists) to apply to user sessions. These ACLs filter user access
to specific networks, subnets, hosts, and web servers. The Web ACLs table displays the filters configured
on the ASA that apply to clientless SSL VPN traffic. The table shows the name of each access
control list (ACL), and below and indented to the right of the ACL name, the ACEs (access control
entries) assigned to the ACL.
Each ACL permits or denies access to specific networks, subnets, hosts, and
web servers. Each ACE specifies one rule that serves the function of the ACL.
Guidelines
If you do not define any filters, all connections are permitted.
Restrictions
The ASA supports only an inbound ACL on an interface.
At the end of each ACL, there is an implicit, unwritten rule that denies all traffic that is not
permitted. If traffic is not explicitly permitted by an ACE (access control entry), the ASA denies it.
ACEs are referred to as rules in this topic.
Detailed Steps
You can add and edit ACLs to be used for clientless SSL VPN sessions with the following functions:
Click Add ACL to add an ACL or ACE. To insert a new ACE before or after an existing ACE, click
Insert or Insert After.
Click Edit to highlight the ACE you want to change.
Highlight the ACL or ACE you want to remove and click Delete. When you delete an ACL, you must
delete all of its ACEs. There is no warning and no undelete.
Use the Move Up and Move Down buttons to change the order of ACLs or ACEs. The ASA checks
ACLs to be applied to clientless SSL VPN sessions and their ACEs in the sequence determined by
their position in the ACLs list until it finds a match.
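The ordering and implicit-deny rules above can be checked offline before changing the rule order. The following is an added example, not ASDM or ASA code: it assumes a simplified ACE of (action, destination network, TCP port) with constructed sample values, evaluates it first-match-wins, and flags ACEs that an earlier, broader ACE makes unreachable.

```python
import ipaddress

# Constructed sample ACL. Each ACE: (action, destination network, TCP port or None = any).
# This is a simplified model for illustration, not the ASA's own rule format.
WEB_ACL = [
    ("permit", "10.1.0.0/16", 443),
    ("deny", "10.1.5.0/24", 443),      # never reached: the /16 permit above matches first
    ("permit", "192.0.2.10/32", None),
]


def evaluate(acl, dest_ip, port):
    """Return (action, index of the matching ACE, or None if no ACE matched)."""
    if not acl:
        return ("permit", None)        # no filter defined: all connections permitted
    ip = ipaddress.ip_address(dest_ip)
    for i, (action, net, ace_port) in enumerate(acl):
        if ip in ipaddress.ip_network(net) and ace_port in (None, port):
            return (action, i)         # first match wins, later ACEs are not consulted
    return ("deny", None)              # implicit deny at the end of every ACL


def shadowed(acl):
    """Indexes of ACEs fully covered by an earlier ACE, so they can never match."""
    hits = []
    for i, (_, net, port) in enumerate(acl):
        later = ipaddress.ip_network(net)
        for _, earlier_net, earlier_port in acl[:i]:
            covers_net = later.subnet_of(ipaddress.ip_network(earlier_net))
            if covers_net and earlier_port in (None, port):
                hits.append(i)
                break
    return hits


def move_up(acl, i):
    """Return a copy with ACE i swapped one position earlier (the Move Up action)."""
    out = list(acl)
    out[i - 1], out[i] = out[i], out[i - 1]
    return out


if __name__ == "__main__":
    print("shadowed ACEs:", shadowed(WEB_ACL))
    print("before reorder:", evaluate(WEB_ACL, "10.1.5.20", 443))
    print("after reorder: ", evaluate(move_up(WEB_ACL, 1), "10.1.5.20", 443))
```

A deny that appears in `shadowed()` is the case to look for in review: the rule is listed in the table but has no effect until it is moved above the broader permit.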