Contents
Introduction (page 1)
Block specific urls (page 2)
Allow every url for specific hosts, block specific urls for the rest (page 3)
Allow only cisco.com (page 4)
Allow specific urls (page 5)
Allow every url for specific hosts, allow only specific urls for the rest (page 5)
Same domain allow/deny (page 6)
Introduction
One of the ASA features is URL filtering. It can be used to block or allow users going to certain URLs/websites. This article aims to show how to use this feature; after reading it carefully you should be able to take full advantage of URL filtering for your own needs.
In this article we will either block or allow domains in URLs and strings in the URI. The ASA can of course match on other things too; they are listed in the ASA configuration guides. From now on we will allow or block the cisco.com domain: any user browsing to any page behind cisco.com will be subject to URL filtering. Such pages would be www.cisco.com/index.html or cisco.com/exampledir/page.html. We will also allow or block "/test/" in the URI, so any request whose path contains "/test/" (including the trailing slash) is filtered. Examples are www.examplesite.com/exampledir/test/page.html, www.anyurl.com/test/examplepage.jsp or www.anything.com/onedir/seconddir/test/. Note that a path ending in /test without the trailing slash does not match the pattern "/test/".
The mechanism used to apply URL filtering is the Modular Policy Framework (MPF). We will create regular expressions (regex) that are matched in class-maps of type inspect http. These class-maps are used in policy-maps of type inspect http to define the drop action. Those inspection policy-maps are then referenced by an inspect http command in a Layer 3/4 policy-map, which is applied to an interface (or globally) with a service-policy. In that way the HTTP inspection action is applied to the traffic that hits the interface.
Postings may contain unverified user-created content and change frequently. The content is provided as-is and is not warrantied by Cisco. 1
NOTE: We need to highlight that for enterprise URL filtering, customers should be steered toward the WebSense or N2H2 integration with the ASA. Such web filtering engines can provide much more robust filtering based on classes of sites. URL filtering directly on the ASA using regex should be used only sparingly, where broad classifications can be applied with a limited number of regex patterns. The ASA will not scale when used in an enterprise with large regex matches and large volumes of HTTP traffic.
Block specific urls
The simplest case: a match-any class-map matches a request if the URI contains "/test/" or the Host header contains cisco.com, and the inspection policy-map drops (and logs) the connection for that class. The inspection policy-map is attached to the default global policy, so it applies to HTTP traffic on every interface.
regex blockex1 "/test/"
regex blockex2 "cisco\.com"
!
class-map type inspect http match-any block-url-class
 match request uri regex blockex1
 match request header host regex blockex2
!
policy-map type inspect http block-url-policy
 parameters
 class block-url-class
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect http block-url-policy
!
service-policy global_policy global
Allow every url for specific hosts, block specific urls for the rest
Finally, let's say that a few hosts (administrators, e.g. IP address 192.168.1.2) need access to any website, while the rest of the users must be blocked from specific websites (you need to understand the example above to follow this one). The configuration is approximately the same as in the example above, but this time an extra access-list, class-map and policy-map are needed. The access-list (user-acl) matches all users except the ones that need unrestricted access. It is referenced in a new Layer 3/4 class-map (block-user-class), which in turn is used in a separate policy-map (block-user-url-policy). That policy-map applies the HTTP inspection policy for the blocked websites (block-url-policy, the same as above) and is attached to an interface with a service-policy. In effect the policy-map matches all users except the unrestricted ones (class block-user-class) and blocks them from the specified websites (inspect http block-url-policy); the remaining users (denied in the access-list, hence not matched) can go anywhere.
regex blockex1 "/test/"
regex blockex2 "cisco\.com"
!
access-list user-acl extended deny tcp host 192.168.1.2 any eq www
access-list user-acl extended permit tcp any any eq www
!
class-map type inspect http match-any block-url-class
 match request uri regex blockex1
 match request header host regex blockex2
!
class-map block-user-class
 match access-list user-acl
!
policy-map type inspect http block-url-policy
 parameters
 class block-user-class
  drop-connection
!
policy-map block-user-url-policy
 class block-user-class
  inspect http block-url-policy
!
service-policy block-user-url-policy interface inside
The policy is attached to the inside interface here; substitute the interface that faces the users.
Allow only cisco.com
Here the class-map is match-all and its only line is negated: a request whose Host header does not contain cisco.com matches the class and is dropped, so only cisco.com is reachable.
regex allowex2 "cisco\.com"
!
class-map type inspect http match-all allow-url-class
 match not request header host regex allowex2
!
policy-map type inspect http allow-url-policy
 parameters
 class allow-url-class
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect http allow-url-policy
!
service-policy global_policy global
Three limits to keep in mind when using this as an allow-list. The pattern is an unanchored search, so Host values such as evilcisco.com or cisco.com.attacker.example also contain cisco\.com and are allowed; anchor the pattern (for example ^(.*\.)?cisco\.com$) if that matters. The match is on the client-supplied Host header, not on the destination address, so a client that connects to any other web server and sends Host: www.cisco.com passes the check; use access-lists as well when the destination must be constrained. Finally, inspect http under inspection_default only sees clear-text HTTP on its default port (TCP 80); HTTPS and HTTP on other ports are not filtered by this policy.
Allow specific urls
This extends the previous example with a second negated line. Because the class-map is match-all, a request is dropped only when its URI does not contain "/test/" and its Host header does not contain cisco.com; anything on cisco.com, and any path containing "/test/" on any host, is allowed.
regex allowex1 "/test/"
regex allowex2 "cisco\.com"
!
class-map type inspect http match-all allow-url-class
 match not request uri regex allowex1
 match not request header host regex allowex2
!
policy-map type inspect http allow-url-policy
 parameters
 class allow-url-class
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect http allow-url-policy
!
service-policy global_policy global
Allow every url for specific hosts, allow only specific urls for the rest
Now let's say that a few hosts (administrators, e.g. IP address 192.168.1.2) need access to any website, while the rest of the users may only go to specific websites (you need to understand the example above to follow this one). The configuration is approximately the same as in the example above, but this time an extra access-list, class-map and policy-map are needed. The access-list (user-acl) matches all users except the ones that need unrestricted access. It is referenced in a new Layer 3/4 class-map (allow-user-class), which in turn is used in a separate policy-map (allow-user-url-policy). That policy-map applies the HTTP inspection policy for the allowed websites (allow-url-policy, the same as above) and is attached to an interface with a service-policy. In effect the policy-map matches all users except the unrestricted ones (class allow-user-class) and allows them to go only to the specified websites (inspect http allow-url-policy); the remaining users (denied in the access-list, hence not matched) can go anywhere.
regex allowex1 "/test/"
regex allowex2 "cisco\.com"
!
access-list user-acl extended deny tcp host 192.168.1.2 any eq www
access-list user-acl extended permit tcp any any eq www
!
class-map type inspect http match-all allow-url-class
 match not request uri regex allowex1
 match not request header host regex allowex2
!
class-map allow-user-class
 match access-list user-acl
!
policy-map type inspect http allow-url-policy
 parameters
 class allow-url-class
  drop-connection
!
policy-map allow-user-url-policy
 class allow-user-class
  inspect http allow-url-policy
!
service-policy allow-user-url-policy interface inside
Same domain allow/deny
Requirements:
2. allow developer.facebook.com, which is redirected automatically to developers.facebook.com
3. allow all other domains, such as yahoo.com and google.com
regex block-fb ".*facebook\.com"
regex allow-fb "developers?\.facebook\.com"
!
class-map type regex match-any block-fb
 match regex block-fb
class-map type regex match-any allow-regex-class
 match regex allow-fb
!
policy-map type inspect http http-inspect-pol
 parameters
 match not request header host regex class allow-regex-class
 match request header host regex class block-fb
  reset log
!
class-map http-class
 match port tcp eq www
policy-map http-traffic
 class http-class
  inspect http http-inspect-pol
!
service-policy http-traffic interface inside
Two things to check before relying on this. The allow pattern was written as "developer[s]*\.facebook\.com", which also matches hosts with more than one trailing s; "developers?\.facebook\.com" is used above. Both patterns are unanchored searches, so a Host header such as developers.facebook.com.example.net also satisfies the allow pattern; anchor it ("^developers?\.facebook\.com$") if clients can influence the Host value. Also, each match command entered directly in an inspection policy-map is a separate match with its own action rather than an AND with the line above it, so if this form does not give the intended result on your software version, express the combined condition as a match-all class-map type inspect http containing "match request header host regex class block-fb" and "match not request header host regex class allow-regex-class", as the allow-url-class examples above do, and verify with show service-policy inspect http.
Alternatively, one could also tie the http policy-map to the default inspection under the global_policy.
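The following Python script is an added example, not part of the original page or of any Cisco tool: it models the match-any / match-all and "match not" logic of an ASA class-map type inspect http so that the page's patterns (block-url-class, allow-url-class) and the same-domain case can be checked offline before they are pushed to a firewall. Python's re.search stands in for the ASA regex engine; for the constructs used here (literal text, \., ^, $, ?, *, +, character classes) the semantics agree. The anchored cisco.com pattern and the match-all version of the facebook.com policy are the editor's suggestions, and every hostname and URI is a constructed sample input.

```python
import re

# Added example (not from the page): a small model of the ASA MPF pieces the
# page uses. Python's re.search stands in for the ASA regex engine; for the
# constructs used here the semantics agree. All hosts/URIs are constructed.


class HttpClassMap:
    """class-map type inspect http, with match-any / match-all semantics."""

    def __init__(self, mode, lines):
        # lines: (field, pattern, negated) where field is "host" or "uri"
        # and negated=True models a "match not ..." line.
        if mode not in ("match-any", "match-all"):
            raise ValueError("mode must be match-any or match-all")
        self.mode = mode
        self.lines = [(field, re.compile(pattern), negated)
                      for field, pattern, negated in lines]

    def matches(self, host, uri):
        results = []
        for field, regex, negated in self.lines:
            value = host if field == "host" else uri
            hit = regex.search(value) is not None  # ASA regex is a search, not anchored
            results.append(hit != negated)          # "match not" inverts the line
        return any(results) if self.mode == "match-any" else all(results)


def policy_action(class_map, host, uri):
    """Action of a policy-map whose only class applies drop-connection."""
    return "drop" if class_map.matches(host, uri) else "permit"


# --- The page's own class-maps, transcribed pattern for pattern ---

# "Block specific urls": drop if URI contains /test/ OR Host contains cisco.com
BLOCK_URL_CLASS = HttpClassMap("match-any", [
    ("uri", r"/test/", False),
    ("host", r"cisco\.com", False),
])

# "Allow only cisco.com": drop if the Host does NOT contain cisco.com
ALLOW_ONLY_CISCO = HttpClassMap("match-all", [
    ("host", r"cisco\.com", True),
])

# --- Editor's variants (assumptions, not on the page) ---

# Anchored allow-list: only cisco.com and its subdomains (optional :port) pass.
ALLOW_ONLY_CISCO_ANCHORED = HttpClassMap("match-all", [
    ("host", r"^([A-Za-z0-9-]+\.)*cisco\.com(:[0-9]+)?$", True),
])

# Same-domain allow/deny as one match-all class: drop if the Host contains
# facebook.com AND is not exactly developer(s).facebook.com.
SAME_DOMAIN_CLASS = HttpClassMap("match-all", [
    ("host", r"facebook\.com", False),
    ("host", r"^developers?\.facebook\.com$", True),
])


def evaluate_samples():
    """Run constructed sample requests through each class; return decisions."""
    samples = [
        ("block-url-class", BLOCK_URL_CLASS, "www.cisco.com", "/index.html"),
        ("block-url-class", BLOCK_URL_CLASS, "www.examplesite.com", "/exampledir/test/page.html"),
        ("block-url-class", BLOCK_URL_CLASS, "www.anything.com", "/onedir/seconddir/test"),
        ("allow-url-class", ALLOW_ONLY_CISCO, "www.cisco.com", "/"),
        ("allow-url-class", ALLOW_ONLY_CISCO, "www.example.com", "/"),
        ("allow-url-class", ALLOW_ONLY_CISCO, "cisco.com.evil.example", "/"),
        ("allow-url-class (anchored)", ALLOW_ONLY_CISCO_ANCHORED, "cisco.com.evil.example", "/"),
        ("allow-url-class (anchored)", ALLOW_ONLY_CISCO_ANCHORED, "www.cisco.com:8080", "/"),
        ("same-domain (match-all)", SAME_DOMAIN_CLASS, "www.facebook.com", "/"),
        ("same-domain (match-all)", SAME_DOMAIN_CLASS, "developers.facebook.com", "/"),
        ("same-domain (match-all)", SAME_DOMAIN_CLASS, "developers.facebook.com.evil.example", "/"),
    ]
    return [(name, host, uri, policy_action(cm, host, uri))
            for name, cm, host, uri in samples]


if __name__ == "__main__":
    for name, host, uri, action in evaluate_samples():
        print(f"{name:28s} {host:40s} {uri:28s} -> {action}")
```

Run it and compare the decisions with what you expect from the firewall: the unanchored allow-list lets cisco.com.evil.example through while the anchored pattern drops it, the path /onedir/seconddir/test is not caught by "/test/", and the match-all same-domain class resets www.facebook.com while leaving developers.facebook.com alone.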
Bear in mind that every time you add, remove or change a regex, you need to remove the service-policy applied to the interface and then re-apply it.
If you need to change a match command for HTTP inspection after configuring the inspection, you must remove the attached service