Setting Up Filters and ACLs
WebVPNs support content filtering and ACL filters. Content filtering is supported only by
group-policies. WebVPN content filtering allows the security administrator to block parts of
websites that contain malicious or unauthorized content.
Table 13-15 Authentication Types
Command Description
AAA Provides a username and password that the ASA checks against a previously
configured AAA server.
certificate Provides a certificate during SSL negotiations.
mailhost Authenticates via the remote mail server. POP3S and IMAP4S configure this
by default; will not be displayed as a configuration option for those types.
piggyback Requires that an https WebVPN session already exists.
Example 13-14 Proxy E-Mail Configuration Example
tgasa(config)# group-policy REMOTE1 attributes
tgasa(config-group-policy)# pop3s
tgasa(config-group-pop3s)# enable outside
tgasa(config-group-pop3s)# enable inside
tgasa(config-group-pop3s)# server 10.2.2.38
tgasa(config-group-pop3s)# authentication-server-group REMOTEGROUP
tgasa(config-group-pop3s)# authentication piggyback
tgasa(config-group-pop3s)# exit
tgasa(config-group)# smtps
tgasa(config-group-smtps)# enable outside
tgasa(config-group-smtps)# enable inside
tgasa(config-group-smtps)# authentication-server-group REMOTEGROUP
tgasa(config-group-pop3s)# authentication mailhost
tgasa(config-group-pop3s)# port 998
372 Chapter 13: Virtual Private Networks
The html-content-filter command is used to configure these options:
html-content-filter {cookies | images | java | none | scripts}
The command options are described as follows:
■ cookies—Removes cookies from images.
■ images—Removes the tags from a website.
■ java—Removes reference to Java and ActiveX.
■ none—Disables filtering.
■ scripts—Removes references to scripting.
You can string multiple attributes onto one html-content-filter command. The ASA 55X0
Security Device defaults to no content filtering.
You can assign an ACL to a username or group-policy by using the following command:
filter {value ACLname | none}
The ACL must use the access-list web-type commands to be supported.