topic URL Filtering on ASA with RegEx, but getting unexpected results in Network Security

URL Filtering on ASA with RegEx, but getting unexpected results

abrrymnvette — Tue, 12 Mar 2019 01:08:21 GMT

I'm trying to block access to dropbox.com on our ASA5510. I have it setup and it blocks dropbox.com just fine. But it is also blocking google.com. I can't figure out why.

Here's my config. When it blocks google, it blocks it with the

terminated by inspection engine, reason - disconnected, dropped packet.

regex Block_Dropbox "\.dropbox\.com"

access-list URL_Filtering extended permit tcp any any eq www

access-list URL_Filtering extended permit tcp any any eq https

class-map type regex match-any Block_Domains

match regex Block_Dropbox

class-map type inspect http match-all Block_These_Domains

match request header host regex class Block_Domains

class-map inspection_default

match default-inspection-traffic

class-map httptraffic

match access-list URL_Filtering

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map type inspect http http_inspection_policy

parameters

protocol-violation action drop-connection

class Block_These_Domains

drop-connection

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

policy-map inside-policy

class httptraffic

inspect http http_inspection_policy

service-policy global_policy global

service-policy inside-policy interface inside

URL Filtering on ASA with RegEx, but getting unexpected results

jocamare — Fri, 01 Mar 2013 22:06:48 GMT

Let's try it the easy way:

regex dropbox "\dropbox\.com"

class-map type inspect http match-any block-url-class

match request header host regex dropbox

policy-map type inspect http block-url-policy

parameters

class block-url-class

drop-connection log

policy-map global_policy

class inspection_default

inspect http block-url-policy

URL Filtering on ASA with RegEx, but getting unexpected results

Julio Carvajal — Fri, 01 Mar 2013 22:07:21 GMT

Hello,

Why matching HTTPS in the ACL if this is an HTTP inspection?

Please just use the HTTP protocol on the ACL and give it a try ( clear local-host ) before the test

Regards

URL Filtering on ASA with RegEx, but getting unexpected results

abrrymnvette — Fri, 01 Mar 2013 22:48:06 GMT

That works for dropbox.com, but when I use https://www.dropbox.com I can still get through.

URL Filtering on ASA with RegEx, but getting unexpected results

abrrymnvette — Fri, 01 Mar 2013 22:49:09 GMT

Because if if I use https, I can still get to the website.

URL Filtering on ASA with RegEx, but getting unexpected results

jocamare — Fri, 01 Mar 2013 23:00:31 GMT

Encrypted traffic, end of the road.

The ASA won't be able to see the request on the HTTP request, so it won't block it.

The CSC module is a good partner in crime when blocking HTTPS on the ASA.

But, we don't always have a spare CSC to use, so, here's something you can try:

You can block HTTPS by dropping the DNS request.

For this to work properly the DNS request for resolving the ip of HTTPS URL must go through ASA which means if user and it's DNS server both are behind same interface of ASA then this would not work. As we are dropping the blocked web-site request during it's DNS resolution Request.

As this solution works based on dropping the DNS server reply thereby this does not only block HTTPS but any other kind of traffic as well (HTTP, FTP, etc.) where the user accesses a server using its name and hence has to perform a DNS query.

What to do:

HTTPS websites use a SSL tunnel from the end device to the end server, so the firewall isn’t capable of inspecting the SSL traffic. So Instead of using URL inspection, we can configure DNS inspection.

The ASA inspects the DNS request from the internal DNS server or end device to the external DNS server. We can use regular expressions to match the FQDN of a website. Below is an example configuration of blocking access to the website (and applications using a DNS entry to this website) facebook.com

regex domain_facebook.com “\.facebook\.com”

class-map type regex match-any DomainBlockList

match regex domain_facebook.com

policy-map type inspect dns Pol-DNS-inspect

parameters

message-length maximum 512

match domain-name regex class DomainBlockList

drop-connection log

policy-map global_policy

class inspection_default

inspect dns Pol-DNS-inspect

service-policy global_policy global

A problem with this approach could be the DNS cache on the internal DNS server. This is domain name is queried before configuring the inspection, the domain will be available until the DNS cache from the DNS server expires. In urgent situation you can maybe clear the DNS cache yourself.

URL Filtering on ASA with RegEx, but getting unexpected results

jocamare — Fri, 01 Mar 2013 23:02:20 GMT

Also...

You can use FQDN along with Access-lists so the DNS request doesn't have to go through the ASA.