https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641097#M567477 <HTML><HEAD></HEAD><BODY><P>Thanks Paul, I am trying your config but where you have:</P><P>class inspection_default</P><P>&nbsp; inspect http pm-block-url</P><P></P><P>I do not see an "inspect" command to issue "inspect http"?</P></BODY></HTML> Wed, 09 Feb 2011 16:45:10 GMT slug420 2011-02-09T16:45:10Z https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641093#M567473 <P>Can someone help me with a basic config to filter like cisco.com (or any of its pages) using a 5505?&nbsp; I am trying to *block* this site.&nbsp; Here is what I had from the URL filtering howto:</P><P></P><P>!<BR />class-map inspection_default<BR /> match default-inspection-traffic<BR />class-map type inspect http match-any block-url-class<BR /> match request header host regex block1<BR />!<BR />!<BR />policy-map type inspect http block-url-policy<BR /> parameters<BR /> class block-url-class<BR />&nbsp; drop-connection log<BR />policy-map global_policy<BR /> class inspection_default<BR />&nbsp; inspect http block-url-policy<BR />!<BR />service-policy global_policy global</P><P></P><P></P><P>I got an error initially about there being no inspection_default class so im not sure if I recreated it correctly/completely...</P><P></P><P>thanks!</P> Mon, 11 Mar 2019 19:46:04 GMT https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641093#M567473 slug420 2019-03-11T19:46:04Z https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641094#M567474 <HTML><HEAD></HEAD><BODY><P>can you paste the show run regex, show run class-map and show run policy-map?</P></BODY></HTML> Mon, 07 Feb 2011 19:07:34 GMT https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641094#M567474 PAUL GILBERT ARIAS 2011-02-07T19:07:34Z https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641095#M567475 <HTML><HEAD></HEAD><BODY><P>this link provides a good explanation:</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml</A></P></BODY></HTML> Mon, 07 Feb 2011 19:08:36 GMT https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641095#M567475 PAUL GILBERT ARIAS 2011-02-07T19:08:36Z https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641096#M567476 <HTML><HEAD></HEAD><BODY><P>this is a configuration I have tested:</P><P></P><P></P><P>regex block-url ".\myspace.\com"</P><P></P><P>class-map type regex match-any cm-block-url</P><P> match regex block-url</P><P></P><P>policy-map type inspect http pm-block-url</P><P> parameters</P><P> match request header host regex class cm-block-url</P><P>&nbsp; drop-connection log</P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect http pm-block-url</P><P></P><P>service-policy global_policy global</P><DIV> </DIV><DIV> </DIV><P></P></BODY></HTML> Mon, 07 Feb 2011 19:29:10 GMT https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641096#M567476 PAUL GILBERT ARIAS 2011-02-07T19:29:10Z https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641097#M567477 <HTML><HEAD></HEAD><BODY><P>Thanks Paul, I am trying your config but where you have:</P><P>class inspection_default</P><P>&nbsp; inspect http pm-block-url</P><P></P><P>I do not see an "inspect" command to issue "inspect http"?</P></BODY></HTML> Wed, 09 Feb 2011 16:45:10 GMT https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641097#M567477 slug420 2011-02-09T16:45:10Z https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641098#M567478 <HTML><HEAD></HEAD><BODY><P>clas inspectio_default comes by default on the ASA. In case you don't have it then you could add it manually. Here are the missing lines:</P><P></P><P></P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><DIV> </DIV><DIV> </DIV><DIV>then make sure you add the rest of the commands I suggested.</DIV><P></P></BODY></HTML> Wed, 09 Feb 2011 16:51:46 GMT https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641098#M567478 PAUL GILBERT ARIAS 2011-02-09T16:51:46Z https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641099#M567479 <HTML><HEAD></HEAD><BODY><P>you:</P><P></P><P>regex block-url ".\myspace.\com"</P><P></P><P>class-map type regex match-any cm-block-url</P><P>match regex block-url</P><P></P><P>policy-map type inspect http pm-block-url</P><P>parameters</P><P>match request header host regex class cm-block-url</P><P>&nbsp; drop-connection log</P><P></P><P>policy-map global_policy</P><P>class inspection_default</P><P>&nbsp; inspect http pm-block-url</P><P></P><P>service-policy global_policy global</P><P></P><P>me (testing with pandora):</P><P></P><P>regex block1 ".\pandora.\com"</P><P></P><P>class-map inspection_default<BR /> match default-inspection-traffic</P><P>class-map type regex match-any block-url-class<BR /> match regex block1<BR />!<BR />!<BR />policy-map type inspect http block-url-policy<BR /> parameters<BR /> match request header host regex class block-url-class<BR />&nbsp; drop-connection log<BR />policy-map global_policy<BR /> class inspection_default<BR />&nbsp; inspect http block-url-policy<BR />!<BR />service-policy global_policy global</P><P></P><P></P><P><BR />don't the !s indicate incomplete configurations?&nbsp; Do you have those in your config?&nbsp; If this looks good to you (looks good to me) I guess I am going to have to verify the user is testing from the right location..</P></BODY></HTML> Wed, 09 Feb 2011 20:58:29 GMT https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641099#M567479 slug420 2011-02-09T20:58:29Z https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641100#M567480 <HTML><HEAD></HEAD><BODY><P>it doesn't mean incomplete. </P><P>Go ahead and test. It looks good your config.</P></BODY></HTML> Wed, 09 Feb 2011 21:05:01 GMT https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641100#M567480 PAUL GILBERT ARIAS 2011-02-09T21:05:01Z https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641101#M567481 <HTML><HEAD></HEAD><BODY><P>tried it on an ASA here and it worked like a charm, client finally got back to me and said he was testing from another site <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN>&nbsp; Thanks for your help!&nbsp; On a side note...if they ping the URL (and resolve the IP) and use the IP in their web browser they get around this...is there a way to do DNS filtering so that requests or responses for a given string are blocked?</P></BODY></HTML> Thu, 10 Feb 2011 20:42:02 GMT https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641101#M567481 slug420 2011-02-10T20:42:02Z https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641102#M567482 <HTML><HEAD></HEAD><BODY><P>I am glad to hear that it worked. You can always block the IP for the unwanted websites but IPs usually change. If you want a better URL filtering mechanism you should consider the CSC-SSM for the ASA but in this case it will not work on you ASA 5505.</P></BODY></HTML> Thu, 10 Feb 2011 21:09:49 GMT https://community.cisco.com/t5/network-security/url-filtering-on-5505/m-p/1641102#M567482 PAUL GILBERT ARIAS 2011-02-10T21:09:49Z