Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 72 Configuring Clientless SSL VPN
Configuring Clientless SSL VPN Access
Click + to expand or - to collapse the list of ACEs under each ACL. The priority of the ACEs under
each ACL is displayed. The order in the list determines priority.
(Optional) Click Find to search for a web ACL. Start typing in the field, and the tool searches the
beginning characters of every field for a match. You can use wildcards to expand your search. For
example, typing sal in the Find field matches a web ACL named sales but not a customization object
named wholesalers. If you type *sal in the Find field, the search finds the first instance of either
sales or wholesalers in the table.
Use the up and down arrows to skip up or down to the next string match. Check the Match Case
checkbox to make your search case sensitive.
(Optional) Highlight a web ACL and click Assign to assign the selected web ACL to one or more
VPN group policies, dynamic access policies, or user policies.
When you create an ACE, by default it is enabled. Clear the check box to disable an ACE.
The IP address or URL of the application or service to which the ACE applies is displayed. The TCP
service to which the ACE applies is also displayed. The Action field displays whether the ACE permits
or denies clientless SSL VPN access. The time range associated with the ACE and the logging behavior
(either disabled or with a specified level and time interval) are also displayed.
Adding or Editing ACEs
An Access Control Entry (or “access rule”) permits or denies access to specific URLs and services. You
can configure multiple ACEs for an ACL. ACLs apply ACEs in priority order, acting on the first match.
Detailed Steps
Step 1 Permit or deny access to specific networks, subnets, hosts, and web servers specified in the
Filter group field.
Step 2 Specify a URL or an IP address to which you want to apply the filter (permit or deny user access):
    URL—Applies the filter to the specified URL.
        Protocols (unlabeled)—Specifies the protocol part of the URL address.
        ://x—Specifies the URL of the Web page to which to apply the filter.
    TCP—Applies the filter to the specified IP address, subnet, and port.
        IP Address—Specifies the IP address to which to apply the filter.
        Netmask—Lists the standard subnet mask to apply to the address in the IP Address field.
        Service—Identifies the service (such as https, kerberos, or any) to be matched. Displays a
        list of services from which you can select the service to display in the Service field.
        Boolean operator (unlabeled)—Lists the boolean conditions (equal, not equal, greater than,
        less than, or range) to use in matching the service specified in the service field.
Step 3 The Rule Flow Diagram graphically depicts the traffic flow using the filter. This area may be hidden.
Step 4 Specify the logging rules. The default is Default Syslog.
    Logging—Choose Enable if you want to enable a specific logging level.
    Syslog Level—Grayed out until you select Enable for the Logging attribute. Lets you select the
    type of syslog messages you want the ASA to display.
    Log Interval—Lets you select the number of seconds between log messages.
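
The first-match rule described under Adding or Editing ACEs means that ACE order decides the outcome. The following model is an added example, not Cisco code or ASA behavior copied from this guide: it evaluates URL and TCP ACEs top to bottom and shows a broad permit shadowing a narrower deny when the two are misordered. The class and function names, the shell-style wildcard matching, the final deny when nothing matches, and the sample hosts and addresses are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    url: str = ""          # URL filter (wildcard pattern); empty for a TCP filter
    network: str = ""      # TCP filter: "address/netmask"
    op: str = "any"        # eq, neq, gt, lt, range, or any
    ports: tuple = ()      # one port, or (low, high) for range
    enabled: bool = True   # a cleared check box means the ACE is skipped

def port_matches(ace, port):
    if ace.op == "any":
        return True
    if port is None:
        return False
    lo, hi = ace.ports[0], ace.ports[-1]
    return {"eq": port == lo, "neq": port != lo, "gt": port > lo,
            "lt": port < lo, "range": lo <= port <= hi}[ace.op]

def ace_matches(ace, url=None, ip=None, port=None):
    if not ace.enabled:
        return False
    if ace.url:
        return url is not None and fnmatch(url.lower(), ace.url.lower())
    if ace.network and ip is not None:
        return (ipaddress.ip_address(ip) in ipaddress.ip_network(ace.network)
                and port_matches(ace, port))
    return False

def evaluate(acl, **request):
    """Return (action, index) of the first matching ACE, top to bottom."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, **request):
            return ace.action, index
    return "deny", None    # modelling assumption: nothing matched, so deny

# Constructed sample ACL; hosts and addresses are placeholders.
WEB_ACL = [
    Ace("deny", url="https://hr.example.com/payroll/*"),
    Ace("permit", url="https://hr.example.com/*"),
    Ace("permit", network="10.1.2.0/255.255.255.0", op="eq", ports=(443,)),
    Ace("permit", network="10.1.2.0/255.255.255.0", op="range",
        ports=(8000, 8100), enabled=False),
]
# Same entries with the first two swapped: the broad permit now shadows the deny.
MISORDERED = [WEB_ACL[1], WEB_ACL[0]] + WEB_ACL[2:]
```

Calling evaluate(WEB_ACL, url=...) and evaluate(MISORDERED, url=...) with the same payroll URL returns a deny from the first list and a permit from the second, which is the check to run after reordering ACEs.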