topic Re: URL Filtering - Command Line Issues in Network Security

URL Filtering - Command Line Issues

jrennard3 — Mon, 11 Mar 2019 19:28:00 GMT

Hello - I'm a complete novice when it comes to configuring via the command line, but I am trying my best to learn. We have a Cisco ASA 5505 and would like to configure it using a Cisco provided solution for URL filtering. At this moment we only have one URL that we need to filter, but access needs to be permitted for certain computers and disallowed for the rest.

The commands that were give are as follows:

regex blockex1 "facebook\.com"

access-list user-acl extended deny tcp host 10.10.2.100 any eq www

access-list user-acl extended permit tcp any any eq www

class-map type inspect http match-any block-url-class

match request header host regex blockfb

class-map block-user-class

match access-list user-acl

policy-map type inspect http block-url-policy

parameters

class block-url-class

drop-connection

policy-map block-user-url-policy

class block-user-class

inspect http block-url-policy

service-policy block-user-url-policy interface inside

First - I don't understand why they would put the IP that should be allowed to access the restricted URL in a access list labeled as 'deny'. Secondly, when I try to run the second set of commands:

class-map type inspect http match-any block-url-class

match request header host regex blockfb

They will not run via command line or via the CLI in ASDM. It gives me unrecognized or invalid input detected error. The second class-map command ran perfectly fine.

I suppose a problem of mine may be that I do not understand how to handle the indentation of commands. For example, we have

class-map type inspect http match-any block-url-class

match request header host regex blockfb

Do I need to enter each line individually or is the 'match...' line supposed to be immediately following the first line on the same command line?

If you are able to help in any way it would be greatly appreciated. Thanks!

Re: URL Filtering - Command Line Issues

Kureli Sankar — Mon, 27 Dec 2010 18:26:29 GMT

First - I don't understand why they would put the IP that should be allowed to access the restricted URL in a access list labeled as 'deny'. Secondly, when I try to run the second set of commands:

You need a "deny" because only then that traffic will be "denied" from being inspected and then blocked when going to facebook.

class-map type inspect http match-any block-url-class

match request header host regex blockfb

Where does it give you the invalid input detected? You would see a ^ where do you see that? Pls. get on CLI and do a conf t and copy and paste these lines and copy and paste the output that you are seeing. I added a sample in this document a while ago. See if this helps you.

https://supportforums.cisco.com/docs/DOC-1268#Same_domain_allowdeny

-KS

Re: URL Filtering - Command Line Issues

jrennard3 — Mon, 27 Dec 2010 18:35:54 GMT

Thanks for the response - the document you attached is the exact one that I am using. When I am connected via CLI, I am running under the enabled configuration. Is this correct? Also, I am using Putty and SSH. Should I be connecting a different way?

Here is the response I receive:

ciscoasa(config)# class-map type inspect http match-any block-url-class

ERROR: % Invalid input detected at '^' marker.

Re: URL Filtering - Command Line Issues

jrennard3 — Mon, 27 Dec 2010 18:42:21 GMT

Seems that the forum formatted my error incorrectly - the '^' is actually right under the 'b' in 'block-ur

l-class'.

Re: URL Filtering - Command Line Issues

Kureli Sankar — Mon, 27 Dec 2010 18:50:43 GMT

I added the very last section in that link. I didn't have a problem when I copied and pasted the line that gave you trouble.

Anyway the below is what you need. You can pretty much copy and paste the below lines. Let me know if this works to block facebook except for this IP add 10.10.2.100.

access-list user-acl extended deny tcp host 10.10.2.100 any eq www

access-list user-acl extended permit tcp any any eq www

regex block-fb ".*facebook\.com"
class-map type regex match-any block-fb
match regex block-fb

policy-map type inspect http http-inspect-pol
   parameters
match request header host regex class block-fb
    reset log

class-map http-class
   match access-list user-acl

policy-map http-traffic
   class http-class
    inspect http http-inspect-pol
!
service-policy http-traffic interface inside

-KS