Cisco Content Security Management Appliance M1070 User Guide

AsyncOS 9.0 for Cisco Content Security Management Appliances User Guide
 
Chapter 13      Distributing Administrative Tasks
  Additional Controls on Access to the Security Management Appliance
Creating the Access List 
You can create the network access list either via the Network Access page in the GUI or the adminaccessconfig > ipaccess CLI command. Figure 13-2 shows the Network Access page with a list of user IP addresses that are allowed to connect directly to the Security Management appliance.

Figure 13-2 Example Network Access Settings

AsyncOS offers four different modes of control for the access list:

- Allow All. This mode allows all connections to the appliance. This is the default mode of operation.
- Only Allow Specific Connections. This mode allows a user to connect to the appliance if the user's IP address matches the IP addresses, IP ranges, or CIDR ranges included in the access list.
- Only Allow Specific Connections Through Proxy. This mode allows a user to connect to the appliance through a reverse proxy if the following conditions are met:
  - The connecting proxy's IP address is included in the access list's IP Address of Proxy Server field.
  - The proxy includes the x-forwarded-header HTTP header in its connection request.
  - The value of x-forwarded-header is not empty.
  - The remote user's IP address is included in x-forwarded-header and it matches the IP addresses, IP ranges, or CIDR ranges defined for users in the access list.
- Only Allow Specific Connections Directly or Through Proxy. This mode allows users to connect through a reverse proxy or directly to the appliance if their IP address matches the IP addresses, IP ranges, or CIDR ranges included in the access list. The conditions for connecting through a proxy are the same as in the Only Allow Specific Connections Through Proxy mode.

Please be aware that you may lose access to the appliance after submitting and committing your changes if one of the following conditions is true:

- You select Only Allow Specific Connections and do not include the IP address of your current machine in the list.
- You select Only Allow Specific Connections Through Proxy and the IP address of the proxy currently connected to the appliance is not in the proxy list and the value of the Origin IP header is not in the list of allowed IP addresses.
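
The following Python sketch is an added example, not Cisco code and not AsyncOS's own logic: it models the four modes as described above so that a planned access list can be checked against your current connection before you commit it. The mode identifiers, the full start-end range syntax, the choice of the first comma-separated header entry as the remote user, and the sample addresses are assumptions of this example.

```python
import ipaddress

# Mode names mirror the four modes above; the identifiers are this example's own.
ALLOW_ALL, DIRECT, PROXY, DIRECT_OR_PROXY = "allow_all", "direct", "proxy", "direct_or_proxy"

def in_list(addr, entries):
    """True if addr matches any entry: single IP, 'start-end' range, or CIDR."""
    ip = ipaddress.ip_address(addr)
    for entry in entries:
        if "-" in entry:                      # assumed range syntax: full start-end
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo.version == ip.version and lo <= ip <= hi:
                return True
        elif ip in ipaddress.ip_network(entry, strict=False):  # plain IP is a /32
            return True
    return False

def via_proxy_ok(peer, header, users, proxies):
    """The proxy conditions: listed proxy, header present and non-empty, user listed."""
    if not in_list(peer, proxies) or header is None or not header.strip():
        return False
    client = header.split(",")[0].strip()     # assumption: first entry is the remote user
    try:
        return in_list(client, users)
    except ValueError:                        # header value is not an IP address
        return False

def is_allowed(mode, peer, header, users, proxies):
    """peer: source address the appliance sees; header: forwarded value or None."""
    if mode == ALLOW_ALL:
        return True
    direct = in_list(peer, users)
    proxied = via_proxy_ok(peer, header, users, proxies)
    if mode == DIRECT:
        return direct
    if mode == PROXY:
        return proxied
    if mode == DIRECT_OR_PROXY:
        return direct or proxied
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample lists (documentation address ranges), not taken from the guide.
USERS = ["192.0.2.10", "198.51.100.0/24", "203.0.113.5-203.0.113.20"]
PROXIES = ["192.0.2.200"]
```

Calling is_allowed with the mode you intend to select, the address your session arrives from, and the planned lists shows whether the change would lock you out.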