09-15-2010 02:24 AM
Hi
I am using an ASA 8.2.2 configured with clientless WebVPN.
Since there are several different user groups and connection profiles configured, I want to make sure that only certain users have access to certain services. For that I configured webtype ACLs. This works fine for any HTTP- or HTTPS-related traffic to the internal server, but it does not work for Citrix traffic towards the Citrix Web Interface server.
This is what part of my config looks like:
...
group-policy X attributes
vpn-tunnel-protocol webvpn
group-lock value X
webvpn
filter value X
....
access-list X webtype permit url http://x.y/* log default
...
group-policy Citrix attributes
vpn-tunnel-protocol webvpn
group-lock value Citrix
webvpn
filter value Citrix
...
access-list Citrix webtype permit url https://citrix.local/* log default
access-list Citrix webtype permit url citrix://* log default
access-list Citrix webtype permit url citrixs://* log default
access-list Citrix webtype permit url https://citrix/* log default
access-list Citrix webtype permit url http://10.1.2.3/* log default
access-list Citrix webtype permit url https://10.2.3.4/* log default
access-list Citrix webtype permit url http://* log default
access-list Citrix webtype permit url https://* log default
access-list Citrix webtype permit url any log default
If I am troubleshooting using the log, I only see permits and no denies! The same if I look at the hit count. But as soon as the Citrix channel from the client towards the Citrix server within HTTPS is started, it fails if the webtype ACL is active (even with the permit any url at the end!). If I remove it, it works fine!
rastest# sh access-li Citrix
access-list Citrix-; 9 elements
access-list Citrix line 1 webtype permit url https://citrix.local/* log default (hitcnt=281)
access-list Citrix line 2 webtype permit url citrix://* log default (hitcnt=0)
access-list Citrix line 3 webtype permit url citrixs://* log default (hitcnt=0)
access-list Citrix line 4 webtype permit url https://citrix/* log default (hitcnt=0)
access-list Citrix line 5 webtype permit url http://10.1.2.3/* log default (hitcnt=0)
access-list Citrix line 6 webtype permit url https://10.2.3.4/* log default (hitcnt=0)
access-list Citrix line 7 webtype permit url http://* log default (hitcnt=0)
access-list Citrix line 8 webtype permit url https://* log default (hitcnt=14)
access-list Citrix line 9 webtype permit url any log default (hitcnt=0)
Any Idea, hints?
Thanks for your help!
Marco
10-06-2010 02:06 AM
Hi,
do you still need help with this? If so, could you please try adding a line to the ACL as follows:
access-list Citrix webtype permit tcp any log default
and see if that makes any difference?
Herbert
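For reference, the working ACL with Herbert's tcp entry in place, as an added example that is not from the original thread. The url lines are Marco's own; the tcp line is the one proposed above. The commented-out tighter variant at the end is my assumption, not something the thread tested: the server address (10.1.2.3, taken from Marco's existing url entry) and the ICA/CGP ports 1494 and 2598 are placeholders for whatever the Citrix session actually uses. The point of the example is the difference between the two keywords: a url entry is matched against HTTP/HTTPS requests the portal rewrites, so a TCP flow relayed through the portal for a plugin, port forwarding or smart tunnel never matches it and falls through to the implicit deny at the end of a webtype ACL, which is consistent with the url any line on the page staying at hitcnt=0.

```cisco
! Webtype ACL for the Citrix group: url entries for the portal pages, then a
! tcp entry for the relayed Citrix session. Order matters (first match wins)
! and every webtype ACL ends with an implicit deny.
access-list Citrix webtype permit url https://citrix.local/* log default
access-list Citrix webtype permit url https://* log default
access-list Citrix webtype permit tcp any log default
!
! Tighter alternative (assumption, not verified in the thread): restrict the
! tcp entry to the Citrix server and the ports the session uses instead of
! "any". 10.1.2.3, 1494 and 2598 are placeholders.
! access-list Citrix webtype permit tcp host 10.1.2.3 eq 1494 log default
! access-list Citrix webtype permit tcp host 10.1.2.3 eq 2598 log default
!
group-policy Citrix attributes
 vpn-tunnel-protocol webvpn
 group-lock value Citrix
 webvpn
  filter value Citrix
```

To check it, start a Citrix session through the portal and run `show access-list Citrix` again: the hit count on the tcp line should rise while the url lines behave as before. If the tighter variant is used instead of `tcp any` and the session still fails, the hit counts show which entry the flow did not match, which is the quickest way to find the real server address and port.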
10-12-2010 06:12 AM
Hi Herbert
Thank you so much for your help. This was very useful.
Since there is nothing in the documentation about the fact that you can also filter based on tcp in a webtype filter, this would be some useful input for the documentation team at Cisco.
Now it looks like it does work!
Cheers, Marco