Thanks Tyson.

In the case of IOS, if I deny url traffic, then I need to add permit ip any any?
In the case of ASA, if I deny some url, then I need to add permit tcp any?

Am I right?

I am wondering why, if I deny a specific type of traffic, everything is blocked. For example, in IOS webvpn, if I deny cifs, why should all other traffic be dropped? The implicit deny should have been imposed on each category, right? For example, if cifs is configured then the implicit deny should be only for cifs, not for other http, https, url etc.

With regards
Kings

On Wed, May 26, 2010 at 9:09 PM, Tyson Scott <[email protected]> wrote:

> If you are only denying specific traffic and you want to permit
> everything else then yes.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Kingsley Charles
> *Sent:* Wednesday, May 26, 2010 11:36 AM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] ACLs with webvpn
>
> Hi all
>
> With ACL and IOS, you can associate acl to filter traffic.
>
> *ASA*
>
> ASA(config)# access-list 123 webtype permit ?
> configure mode commands/options:
>   tcp  Specify generic IP address and network based filtering for WebVPN
>   url  Specify a URL to be used for filtering with WebVPN
>
> The webtype access-list will be associated to the group using the "filter
> value" command
>
> *IOS*
>
> r6(config-webvpn-acl)#permit ?
>   URL    URL access control list
>   cifs   CIFS access control list
>   http   HTTP access control list
>   https  HTTPS access control list
>   ip     IP access control list
>   tcp    TCP access control list
>
> r6(config-webvpn-group)#acl ?
>   WORD  ACL name
>
> For both, it seems there is an implicit deny at the end. Do we need to add a
> permit any at the end as follows?
>
> IOS - permit ip any any
> ASA - permit tcp any
>
> With regards
> Kings
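The behaviour discussed in this thread, as an added example that is not part of the original messages and not Cisco code: a simplified first-match model of a WebVPN ACL with one implicit deny after the last entry. It assumes, as the thread does, that a trailing `permit ip any any` matches all remaining traffic; the `evaluate` and `report` helpers and the sample ACLs are constructed for illustration.

```python
from typing import Dict, List, Tuple

# (action, category); category names taken from the IOS help output in the thread.
Entry = Tuple[str, str]

IMPLICIT_DENY = "deny (implicit)"
CATEGORIES = ("cifs", "http", "https", "url")


def evaluate(acl: List[Entry], category: str) -> str:
    """Return the action applied to one request of the given category.

    Model assumptions: entries are checked top-down, the first match wins,
    and a single implicit deny applies to anything that matched no entry.
    """
    for action, match in acl:
        # Assumption: an "ip" entry stands for `ip any any` and matches all traffic.
        if match == category or match == "ip":
            return action
    return IMPLICIT_DENY


def report(acl: List[Entry]) -> Dict[str, str]:
    """Evaluate one request per category against the ACL."""
    return {c: evaluate(acl, c) for c in CATEGORIES}


# Constructed sample ACLs.
DENY_ONLY = [("deny", "cifs")]                       # the case that blocks everything
DENY_THEN_PERMIT = [("deny", "cifs"), ("permit", "ip")]
PERMIT_THEN_DENY = [("permit", "ip"), ("deny", "cifs")]  # order mistake: deny is shadowed

if __name__ == "__main__":
    for name, acl in (("deny only", DENY_ONLY),
                      ("deny, then permit ip", DENY_THEN_PERMIT),
                      ("permit ip, then deny", PERMIT_THEN_DENY)):
        print(name)
        for category, action in report(acl).items():
            print(f"  {category:<6} {action}")
```

The third ACL shows why the catch-all permit has to come last: placed first, it matches cifs before the deny entry is ever reached.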
