You can do tcp on both, or ip on IOS. It depends on what you are doing.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: Kingsley Charles [mailto:[email protected]]
Sent: Wednesday, May 26, 2010 11:52 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] ACLs with webvpn

Thanks Tyson.

In the case of IOS, if I deny URL traffic, then I need to add permit ip any any? In the case of ASA, if I deny some URL, then I need to add permit tcp any? Am I right?

I am wondering why, if I deny a specific type of traffic, everything is blocked. For example, in IOS webvpn, if I deny cifs, why should all other traffic be dropped? The implicit deny should have been imposed on each category, right? For example, if cifs is configured then the implicit deny should be only for cifs, not for other http, https, url etc.

With regards
Kings

On Wed, May 26, 2010 at 9:09 PM, Tyson Scott <[email protected]> wrote:

If you are only denying specific traffic and you want to permit everything else then yes.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Wednesday, May 26, 2010 11:36 AM
To: [email protected]
Subject: [OSL | CCIE_Security] ACLs with webvpn

Hi all

With ACL and IOS, you can associate an ACL to filter traffic.

ASA

  ASA(config)# access-list 123 webtype permit ?

  configure mode commands/options:
    tcp  Specify generic IP address and network based filtering for WebVPN
    url  Specify a URL to be used for filtering with WebVPN

The webtype access-list will be associated to the group using the "filter value" command.

IOS

  r6(config-webvpn-acl)#permit ?
    URL    URL access control list
    cifs   CIFS access control list
    http   HTTP access control list
    https  HTTPS access control list
    ip     IP access control list
    tcp    TCP access control list

  r6(config-webvpn-group)#acl ?
    WORD  ACL name

For both, it seems there is an implicit deny at the end. Do we need to add a permit any at the end, as follows?

  IOS - permit ip any any
  ASA - permit tcp any

With regards
Kings
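As an added example (not configuration from either poster), here are the two filters the thread is about, each written the way the replies suggest: one explicit deny followed by a catch-all permit. The point is that on both platforms the implicit deny belongs to the ACL as a whole, not to each category, and entries are matched top-down with first match winning, so the deny has to sit above the permit-everything line. The names WEBVPN_ACL, SSLVPN_POLICY, SSLVPN, DEFAULT and the URL intranet.example.com are placeholders chosen for this example; the argument form of the IOS "deny cifs" line is an assumption and should be checked with "?" on the router.

```text
! ASA: a webtype ACL is a single list with a single implicit deny at its end.
! Entries are evaluated top-down, first match wins.
! Names and the URL below are placeholders for this example.
access-list WEBVPN_ACL webtype deny url https://intranet.example.com/admin/* log
access-list WEBVPN_ACL webtype permit tcp any
! Without the "permit tcp any" entry, every resource that does not match the
! deny line is also dropped by the implicit deny, which is the behaviour asked
! about in the thread.
group-policy SSLVPN_POLICY attributes
 webvpn
  filter value WEBVPN_ACL

! IOS: the webvpn ACL ends in one implicit deny for the whole list, not one
! per category (cifs, url, http, ...). A lone "deny cifs" therefore blocks
! everything; the trailing "permit ip any any" reopens the rest.
! The "any any" arguments on the cifs line are an assumption; verify with "?".
webvpn context SSLVPN
 acl "SSLVPN_ACL"
   deny cifs any any
   permit ip any any
 policy group DEFAULT
   acl "SSLVPN_ACL"
```

On the ASA, "show access-list WEBVPN_ACL" shows per-entry hit counts, which is the quickest way to confirm that user traffic is landing on the permit entry rather than the deny: hits only on the deny line means the deny is written more broadly than intended, and no hits at all usually means the filter is attached to a group-policy the user is not actually being assigned.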
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
