topic ASA5505 URL Filtering in Network Security

ASA5505 URL Filtering

Arvo Bowen — Mon, 11 Mar 2019 21:07:15 GMT

How can I filter my local lan's URL requests? Is it possible to have some sort of list like...

Default_User_Group

*.microsoft.com/*

*.mydomain.com

*.google.com

Then only allow certain ip's access to the entire internet like this...

Internet_User_Group

It would be nice to possibly be able to add the rules to users in my domain, then associate the domain account with an IP OR have them login to view webpages.

ASA5505 URL Filtering

Tim Schneider — Thu, 04 Aug 2011 09:24:43 GMT

8.4.2 comes with the new User-Identity FW function.

Try looking it up on cisco.

Basically it's about fetching Groups and Users from an AD over an AD-Agent and apply ACE rules to them.

For exampe you can create a rule like "User Mark is allowed to access the company's network, but not the internet" and regardless from where Mark is connected to the network this rule will be applied by help of AD and IP-mapping through the AD Agent.

ASA5505 URL Filtering

Arvo Bowen — Thu, 04 Aug 2011 17:12:32 GMT

So it can do what I want tho? I don't just want to block users from the internet, I want to control what sites they visit...

That's my main objective... Ident by AD would come later

ASA5505 URL Filtering

Tim Schneider — Fri, 05 Aug 2011 08:06:56 GMT

You can block them by using Regex along with HTTP inspection.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

ASA5505 URL Filtering

Arvo Bowen — Fri, 05 Aug 2011 16:24:35 GMT

That's EXACTLY what page I read over and EXACTLY what I tried and got to work... But the problem I had with that was that artical was made to block CERTIN sites.

I want to block ALL sites and ALLOW certin sites. I kinda want to do the reverse.

ASA5505 URL Filtering

Tim Schneider — Mon, 08 Aug 2011 07:47:48 GMT

Approach it like this:

Define which websites (that you want to allow access to) to be inspected with a Inspection Policy.

Instead of "match" you can use "match not", so any website you have NOT specified with regex will be blocked.

ASA5505 URL Filtering

Arvo Bowen — Mon, 08 Aug 2011 12:30:32 GMT

Thanks for the response Tim! Yea that's the first thing I tried doing too hehe. I never could get it to work though. At what step in that article do I need to set the "Do not match" flag instead of the "Match" one? (BTW I'm trying to learn more about the ASDM so I'm trying to do all the config on it as opposed to the CLI) So witch step or (STEPS?) do I need to change that on from the article? There are quite a few places that get you to set it to "Match" (Example Step 5a "HTTP Traffic" - sub step c).

ASA5505 URL Filtering

Tim Schneider — Mon, 08 Aug 2011 13:50:16 GMT

In Step 2 you defined the regex.

In Step 3c you define if your inspection should "trigger" if the Regex matches or does not match.

Step 5 defines the ACL, meaning if Source to Destination via Protocol matches (or does not match, in your case it should match), inspect the traffic.

ASA5505 URL Filtering

Arvo Bowen — Thu, 11 Aug 2011 15:13:10 GMT

I'm trying to just work with blocking or allowing domin names in general so I'm not doing steps like steps 3c (see note below). I'm doing steps like step 3b. That's where I would choose "Match Type" = "No Match" correct?

Note:

Steps I skip our are as follows...

1.b

1.c

1.d

1.e

1.f

1.g

2.b

3.c

4.e

5.b.*

ASA5505 URL Filtering

Arvo Bowen — Thu, 11 Aug 2011 15:57:41 GMT

Actually this is working perfectly!!! Thanks Tim!

Two more small things though...

1) In step 1.a my "domainlist1" contains the following...

\.google\.com|google\.com

So the ONLY sites I can go to are http://google.com, http://www.google.com, http://maps.google.com, etc..

BUT... I can also get to http://mygoogle.com Is there anyway for me to make it to when that will not happen but still allow access to http://google.com ?

2) Is there a way to have this work per user on my domain?

For example I want MYDOMAIN\User.One to be able to go to ANY sites and MYDOMAIN\User.Two and MYDOMAIN\User.Three to be restricted to go to the google.com list only (as listed above).

ASA5505 URL Filtering

Tim Schneider — Fri, 12 Aug 2011 09:12:45 GMT

Yo,

Try using a single regex to filter this by using [my]google.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

[abc]

Character class

Matches any character in the brackets. For example, [abc] matches a, b, or c.

Re: ASA5505 URL Filtering

Arvo Bowen — Fri, 12 Aug 2011 15:33:46 GMT

So maybe something like [a-zA-Z0-9]google.com ?

Which would end up with 3 rules per domain

EDIT:

Yea that worked fine... I had to make 2 regex lists... Below is everything I did to make it work. When using the method below you can only go to sites that match the following criteria... http://google.com* or http://*.google.com*

1) Configuration->Global Objects->Regular Expressions->Regular Expressions

ADD - allowed_http_domains = \.google\.com|google\.com

2) Configuration->Global Objects->Regular Expressions->Regular Expressions

ADD - denied_http_domains = [(0-9A-Za-z)*]google\.com

3) Configuration->Global Objects->Regular Expressions->Regular Expression Classes

ADD - DomainAllowList = allowed_http_domains

4) Configuration->Global Objects->Regular Expressions->Regular Expression Classes

ADD - DomainDenyList = denied_http_domains

5) Configuration->Global Objects->Class Maps->HTTP

ADD - AllowDomainClass

Match Type = No Match

Criterion = Request Header Field

Value->Field->Predefined = host

Value->Value->Regular Expression Class = DomainAllowList

6) Configuration->Global Objects->Class Maps->HTTP

ADD - DenyDomainClass

Match Type = Match

Criterion = Request Header Field

Value->Field->Predefined = host

Value->Value->Regular Expression Class = DomainDenyList

7) Configuration->Global Objects->Inspect Maps->HTTP

ADD - http_inspection_policy

😎 Configuration->Global Objects->Inspect Maps->HTTP->http_inspection_policy->Inspections

ADD - DenyDomainClass

Match Criteria->Multiple matches->HTTP Traffic Class = DenyDomainClass

Actions->Action = Reset

Actions->Log = Enable

9) Configuration->Global Objects->Inspect Maps->HTTP->http_inspection_policy->Inspections

ADD - AllowDomainClass

Match Criteria->Multiple matches->HTTP Traffic Class = AllowDomainClass

Actions->Action = Reset

Actions->Log = Enable

10) Configuration->Security Policy->Service Policy Rules

ADD Service Policy Rule

Screen 1:

Interface = inside - inside-policy

Screen 2:

Create a new traffic class = httptraffic

Traffic match criteria = only check Source and Destination IP Address (uses ACL)

Screen 3:

Action = Match

Source = any

Destination = any

Service = tcp-udp/http

Screen 4:

Protocol Inspection = only check HTTP (then click Configure)

Select a HTTP inspect map for fine control over inspection = http_inspection_policy

* CLICK OK then Finished

Thats it! I hope this helps someone else out.

ASA5505 URL Filtering

Arvo Bowen — Wed, 24 Aug 2011 18:49:38 GMT

Tim, I started a new discussion on setting up my ASA to use my AD to authenticate users. Any input you have there would be very helpful!

https://supportforums.cisco.com/message/3427040

ASA5505 URL Filtering

jeremy whittaker — Thu, 23 Jan 2014 15:21:17 GMT

I'm under the impression this will only work if it's http traffic, correct? You cannot apply this level of filtering to https traffic due to the encryption?

ASA5505 URL Filtering

Arvo Bowen — Thu, 23 Jan 2014 16:55:47 GMT

I'm not 100% positive but that would make sense... If it would work then whats the point of encryption.