topic Re: regex blocking all sites in Network Security

regex and grouping questions

Carlomd — Tue, 12 Mar 2019 03:05:37 GMT

Hi all, I have a 5510 in route mode, when I add a regex to block 2 sites, it somehow blocks all sites, when I remove it it's back to normal, here's the regex code along with my other nat setting that gives inside users outside access. Thanks in advanced.

(regex entry to block sites)

regex domain1 "\.yahoo\.com"

regex domain2 "\.google\.com"

class-map type regex match-any domain-list

match regex domain1

match regex domain2

class-map web

match port tcp eq www

policy-map type inspect http URL

parameters

match not request header host regex class domain-list

drop-connection

policy-map global_policy

class web

inspect http URL

(nat outside access)

object network obj-LAN

subnet 0.0.0.0 0.0.0.0

object network obj-LAN

nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 12.54.x.x 1

regex blocking all sites

Marius Gunnerud — Fri, 15 Nov 2013 19:19:10 GMT

Try using the match not keywords under the class map and then call that class map in the policy map

regex domain1 "\.yahoo\.com"

regex domain2 "\.google\.com"

class-map type regex match-any domain-list

match regex domain1

match regex domain2

class-map type inspect http match-all ALLOWED_URL_CLASS_MAP

match not request uri regex class domain-list

policy-map type inspect http URL

class ALLOWED_URL_CLASS_MAP

drop

regex blocking all sites

Carlomd — Fri, 15 Nov 2013 20:55:36 GMT

Thanks for the reply Marius, I'll give this a try.

Re: regex blocking all sites

Carlomd — Sat, 16 Nov 2013 20:36:54 GMT

Hi Marius, it still allows access to ebay.com, and myspace.com, I had typos at first but I carefully followed your instructions and the commnands worked but was still allowing access to the 2 sites I wanted to block.

here' the current policy entries;

ASA Version 9.1(2)8

regex ebay "\ebay\.com"
regex myspace "\myspace\.com"

object network obj-LAN
subnet 0.0.0.0 0.0.0.0

class-map type regex match-any domain-list
match regex ebay
match regex myspace
class-map type inspect http match-all ALLOWED_URL_CLASS_MAP
match not request uri regex class domain-list
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http URL
parameters
class ALLOWED_URL_CLASS_MAP
drop-connection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global

Message was edited by: CARLO DOMINGUEZ

Re: regex blocking all sites

Marius Gunnerud — Sat, 16 Nov 2013 21:13:07 GMT

You need to not use the match not in this case. The match not means that it will allow access to ebay and myspace but will drop all others.

Sorry I was a bit fast in my copy past and did not change the policy map.

regex ebay "\ebay\.com"

regex myspace "\myspace\.com"

class-map type regex match-any domain-list

match regex ebay

match regex myspace

class-map type inspect http match-all ALLOWED_URL_CLASS_MAP

match request uri regex class domain-list

policy-map global_policy

class ALLOWED_URL_CLASS_MAP

drop-connection

By placing the class map under the global policy this will be applied to all interfaces

Please rate any helpful posts.

Re: regex blocking all sites

Carlomd — Mon, 18 Nov 2013 17:20:01 GMT

Hi Marius, I see so the match not command means to only allow what's on the domain-list, and then vice versa. And looks like it needs to also be put in the global policy group for it to take effect to all interfaces. I wasn't putting it in the global policy that's probably why I was having some issues when I first tried it, thanks I'll give it another try at the end of the day.

Re: regex blocking all sites

Carlomd — Tue, 19 Nov 2013 01:26:26 GMT

Hi Marius, I get this error when I add the class under the global policy, any ideas, thanks.

crxasa(config)# policy-map global_policy

crxasa(config-pmap)# class ALLOWED_URL_CLASS_MAP

ERROR: Specified class type is different from the policy-map type.

Re: regex blocking all sites

Marius Gunnerud — Tue, 19 Nov 2013 07:58:41 GMT

I forgot to add another policy map in the mix. The below configuration should work.

regex ebay "\ebay\.com"

regex myspace "\myspace\.com"

class-map type regex match-any domain-list

match regex ebay

match regex myspace

class-map type inspect http match-all ALLOWED_URL_CLASS_MAP

match request uri regex class domain-list

policy-map type inspect http HTTP_BLOCK_POLICY

parameters

class ALLOWED_URL_CLASS_MAP

drop-connection

policy-map global_policy

class inspection_default

inspect http HTTP_BLOCK_POLICY

Re: regex blocking all sites

Carlomd — Wed, 20 Nov 2013 00:55:35 GMT

Hi Marius, thanks for the reply, but somehow it won't work, it still allows ebay and myspace, here's my config of the policies.

regex ebay "\ebay\.com"

regex myspace "\myspace\.com"

class-map type regex match-any domain-list

match regex ebay

match regex myspace

class-map type inspect http match-all ALLOWED_URL_CLASS_MAP

match request uri regex class domain-list

class-map inspection_default

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map type inspect http HTTP_BLOCK_POLICY

parameters

class ALLOWED_URL_CLASS_MAP

drop-connection

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect http HTTP_BLOCK_POLICY

service-policy global_policy global

Re: regex blocking all sites

Rejohn Cuares — Wed, 20 Nov 2013 01:39:20 GMT

Can you try this.

regex url1 "[e|E][b|B][a|A][y|Y]"

regex url2 "[g|G][o|O][o|O][g|G][l|L][e|E]"

class-map type inspect dns match-all web_url_policy

match domain-name regex url1

match domain-name regex url2

policy-map type inspect dns web_policy

class web_url_policy

drop

policy-map global_policy

class inspection_default

inspect dns web_policy

service-policy global_policy global

Please rate replies and mark question as "answered" if applicable.

Re: regex blocking all sites

Marius Gunnerud — Wed, 20 Nov 2013 07:35:57 GMT

edit the regex entries.

regex ebay "*\.ebay\.com"

regex myspace "\.myspace\.com"

If that doesn't match, then try using the * infront of the domain.

regex ebay "*ebay\.com"

regex myspace "*myspace\.com"

Configuration looks correct, we just need to find the correct match parameter.

Please rate all helpful posts.

Re: regex blocking all sites

Carlomd — Wed, 20 Nov 2013 16:48:36 GMT

Thanks for the reply rr, I'll try this if the other ones don't work.

Re: regex blocking all sites

Carlomd — Wed, 20 Nov 2013 17:13:24 GMT

I have another question on another command I seem to have trouble with, this is my first time hands on with ASA btw, so I'm just getting into the meat and potatoes of the asa just about over a month now.

I read that you can group together udp and tcp, so I did that with grouping smtp, http. https. and domain to a set of host objects, but email won't go through, I think http worked though but somehow smtp won't unless I seperate it on one line. Any ideas?

Re: regex blocking all sites

Marius Gunnerud — Wed, 20 Nov 2013 18:11:49 GMT

Could you post the group objects in question as well as the access list you are using them in. The following would is an example of how you would configure it.

object-group service SERVICES tcp

port-object eq http

port-object eq https

port-object smtp

access-list MYACL extended permit tcp host 10.10.10.1 any object-group SERVICES

Please rate all helpful posts

Re: regex blocking all sites

Carlomd — Wed, 20 Nov 2013 18:37:57 GMT

Marius, thanks for the reply, I'm using the command service-object instead of port-object, I got it from my asa 2nd ed book off a sample. I'll try port-object and see what happens, it'll save me some time having to type seperate lines of command for each host.

object-group service server-services

service-object tcp destination eq www

service-object tcp destination eq https

service-object tcp destination eq smtp

access-list ACL_OUT_IN extended permit object-group server-services host 208.x.x.12 any

Re: regex blocking all sites

Marius Gunnerud — Wed, 20 Nov 2013 19:05:31 GMT

Your configuration is setting www, https and smtp as the protocol...not the ports. Change it to the following

access-list ACL_OUT_IN extended permit tcp host 208.x.x.12 any object-group server-services

Also remember that most PCs will send traffic using a random high port as the source port, so you almost always want to match the ports to the destination.

is 208.x.x.12 the actual IP of the server or the NATed IP? Also keep in mind that if you want your users to be able to access https, www and smtp form the internet, these ports need to be opened on the outside interface.

Re: regex blocking all sites

Carlomd — Wed, 20 Nov 2013 20:50:10 GMT

The server is nat'ed to an outside ip, I have it set that way already for the access-list syntax, it didn't work. Test email didnt go through. Seems to only like single line entries for each host and service.

Re: regex blocking all sites

Marius Gunnerud — Wed, 20 Nov 2013 21:23:51 GMT

Ok, please explaine what you are trying to do more. Is the 208.x.x.12 server inside your network or is it a server on the internet that you want to open for traffic coming in?

Have you tried the configuration that I posted earlier?

object-group service SERVICES tcp

port-object eq http

port-object eq https

port-object smtp

access-list MYACL extended permit tcp host 10.10.10.1 any object-group SERVICES

Please rate all helpful posts

regex and grouping questions

Carlomd — Wed, 20 Nov 2013 21:45:51 GMT

Yes, 208.x.x.12 is inside, it's an Exchange server that also has IIS running for OWA, so I need to have smtp, http, and https access incoming, I also have a terminal server, and others but that will have to wait.

I'm just trying to get the basics running like web and email and blocking sites, It worked by using the command below but seems to have issues with grouping, the TAC engineer I was talking to said to use single entries but he wouldn't say why grouping won't work.


 access-list ACL_OUT_IN line 1 permit tcp any host 208.x.x.12 eq www

Re: regex blocking all sites

Carlomd — Wed, 20 Nov 2013 21:55:59 GMT

You know what I think I just need reading glasses, I missed the dot before ebay, I only had a dot on .com, let me try again this time with "\.ebay\.com\"