topic Re: URL Filtering in Network Security

URL Filtering

Janardhan Meesala — Mon, 11 Mar 2019 20:01:51 GMT

Dear Support-Team,

I had ASA-CSC-10-PLUS device and i want to implement URL filtering.

Will give me example CLI configuration guide.

How to filter URLs with regular expressions.

Will you give me example documentation for all these????

How many URLs will blocl ASA noramally?????

And Finally, Will you give me example for blocking " facebook" website..

Thanks in Advance,

Regards,

MJR

Re: URL Filtering

Maykol Rojas — Mon, 07 Mar 2011 06:59:58 GMT

Hello,

Your ASA seems to have a CSC module, so no CLI configuration is needed on the ASA firewall in order to block url sites (Only if you plan to use regex, but if you are using the module there is no need for that).

Here is the configuration guide for the CSC module, how to redirect the traffic to the Content filtering

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808dea62.shtml

You will find examples of how to block URLs and how to filter URLs, plus how to restrict files in FTP and so on with the capabilities of the module per se.

Since you are using this CSC module, there is no need to block urls using regular expresions, however, here is a quick example:

Layer 7 class map configuration

regex domainlist1 "\.yahoo\.com"

regex domainlist2 "\.myspace\.com"

regex domainlist3 "\.youtube\.com"

class-map type regex match-any DomainBlockList

match regex domainlist1

match regex domainlist2

match regex domainlist3

class-map type inspect http match-all BlockDomainsClass

match request header host regex class DomainBlockList

class-map httptraffic

match access-list inside_mpc

policy-map type inspect http http_inspection_policy

class BlockDomainsClass

reset log

L3/4 class maps and Policy maps

access-list inside_mpc extended permit tcp any any eq www

access-list inside_mpc extended permit tcp any any eq 8080

class-map httptraffic

match access-list inside_mpc

policy-map inside-policy

class httptraffic

inspect http http_inspection_policy

service-policy inside-policy interface inside

If you see, we are looking for the host field on the header where normally the name of the url is located.In that example, yahoo, myspace and youtube are going to be dropped. For reference you can go to the following link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml

Locally, the ASA is limited to a 100 urls, please refer to the TAC security podcast episode 13, filtering http

services

http://www.cisco.com/en/US/solutions/ns170/tac/security_tac_podcasts.html

The example for youtube and yahoo will help you to create the one for facebook. Keep in mind that if the packet

comes encrypted (HTTPS) the way to go would be filtering the DNS request.

Hope it helps

Mike

Re: URL Filtering

Pavel Pokorny — Mon, 07 Mar 2011 07:05:04 GMT

Hi,

Few days ago I've found this nice document:

https://supportforums.cisco.com/docs/DOC-1268

HTH

Pavel

Re: URL Filtering

Janardhan Meesala — Mon, 07 Mar 2011 08:24:04 GMT

Hi Mike,

Thanks for quick response.

Here I had one query that is why no need regex if using CSC module.

Is it possible to do URL filtering wthout CSC module i.e standalone ASA

5510.

I studied for doing URL filtering CSC module is needed with PLUS license.

Regards,

MJR

On Mon, Mar 7, 2011 at 12:30 PM, mayrojas <

Re: URL Filtering

Janardhan Meesala — Mon, 07 Mar 2011 14:12:46 GMT

Hi Mike,

Thanks for quick response.

Here I had one query that is why no need regex if using CSC module.

Is it possible to do URL filtering wthout CSC module i.e standalone ASA

5510.

I studied for doing URL filtering CSC module is needed with PLUS license.

Regards,

MJR

Re: URL Filtering

Janardhan Meesala — Tue, 08 Mar 2011 04:17:29 GMT

Hi,

Here I had one query that is why no need regex if using CSC module.

Is it possible to do URL filtering wthout CSC module i.e standalone ASA

5510.

I studied for doing URL filtering CSC module is needed with PLUS license.

Regards,

MJR

Re: URL Filtering

Maykol Rojas — Tue, 08 Mar 2011 04:35:31 GMT

Hi,

Yes of course there is a chance to do it without the CSC, I put an example to block youtube, myspace and yahoo. Let me The regex configuration that I did is on the ASA and not on the CSC.

Let me know if you have questions!

Mike

Re: URL Filtering

Janardhan Meesala — Tue, 08 Mar 2011 05:11:05 GMT

Hi Mike,

Thanks for your respone and i got clarrified now.

Finally one more query i.e i am implementing secured LAN with ASA

5510-CSC-10-PLUS and i implemented all Content Filtering, URL blocking ,

File blocking and FTP filtering for all users.

Here i need to to give full permissions to the specific users(

Administrators).

How to do this????

Regards,

MJR

On Tue, Mar 8, 2011 at 10:05 AM, mayrojas <

Re: URL Filtering

Maykol Rojas — Tue, 08 Mar 2011 05:33:14 GMT

Hi,

Excellent question, on the Link

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808dea62.shtml

There is a part where it exaplains how to send traffic to the CSC module,

access-list csc-acl permit tcp any any eq www

access-list csc-acl permit tcp any any eq smtp

access-list csc-acl permit tcp any any eq pop3

class-map csc-class

match access-list csc-acl

policy-map global_policy

class csc-class

csc fail-open

If you want to exclude people from being scanned you can just put a deny on the csc-acl, for example

access-list csc-acl line 1 deny tcp host x.x.x.x any eq www

That way the traffic from host x.x.x.x wont be inspected on port 80 by the CSC module.

I hope you catch it, if you have any questions let me know.

Mike

Re: URL Filtering

Janardhan Meesala — Tue, 08 Mar 2011 07:03:37 GMT

Hi Mike,

Thanks for your response...

Here i want send my administrator traffic to the CSC where i want to do

configure everything(Content filtering, anto-spam) except URL blocking.

i think uderstood my problem.

And Finally, after entering licenses to my firewall how to take back-up of

licenses info for future reference.. Is it enoug to take sh run backup????

Regards,

MJR

On Tue, Mar 8, 2011 at 11:03 AM, mayrojas <

Re: URL Filtering

Janardhan Meesala — Wed, 09 Mar 2011 05:23:28 GMT

Thanks for your response...

Here i want send my administrator traffic to the CSC where i want to do

configure everything(Content filtering, anto-spam) except URL blocking.

i think uderstood my problem.

And Finally, after entering licenses to my firewall how to take back-up of

licenses info for future reference.. Is it enoug to take sh run backup????

Regards,

MJR