topic Re: Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM in Network Security

Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM

hasmurizal — Mon, 11 Mar 2019 14:56:34 GMT

Dear All,

we are having problem as end users have a lot of spyware/walware and have illegal proxy install in the lan.

One of the idea is to deny HTTPS or "CONNECT" type http, at the "inside fwsm/asa" to any ip-base url destination. Since the ip-base url are random, maybe regex could help.

please advice us how to do it. thanks.

Re: Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM

vikram_anumukonda — Wed, 25 Feb 2009 11:57:09 GMT

Hi, could you explain what do you mean by an ip-base url ( does it mean users typing in the ip addresses in the browser instead of domain-name's. )

Re: Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM

hasmurizal — Thu, 26 Feb 2009 00:01:05 GMT

Hi Vikram,

yes, that's what i meant. (user's typing ip addresses instead of name addresses)

Re: Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM

vikram_anumukonda — Thu, 26 Feb 2009 05:17:22 GMT

Hi,

you can try this

#####################################

regex ipurl "\.[0-255]\.[0-255]\.[0-255]\.[0-255]"

class-map type regex match-any domain-list

match regex ipurl

class-map web

match port tcp eq www

policy-map type inspect http URL

parameters

match request header host regex class domain-list

drop-connection

policy-map global_policy

class web

inspect http URL

####################################

but if you are looking to filter https , you will have to go for a external url filtering server.

Hoping this is what you are looking for.

-vikram

Re: Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM

hasmurizal — Thu, 26 Feb 2009 05:39:51 GMT

nice...

~~~~~~~~~~~~~~~~~~~~~

class-map web

match port tcp eq www

~~~~~~~~~~~~~~~~~~~~~

for this portion, can we replace www with 443 ?

Re: Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM

vikram_anumukonda — Thu, 26 Feb 2009 05:44:16 GMT

it wouldn't work if you replace "www" with "443" because the traffic is encrypted , for this very reason you will have to opt for an external URL filtering server.

I tried it once with 443 and it didn't work. You can give it a shot though.

Vikram

Re: Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM

vikram_anumukonda — Thu, 26 Feb 2009 09:42:52 GMT

the regex in my earlier reply is horribly wrong ,

will post a reply as soon as i have an accurate one

-Vikram

Re: Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM

vikram_anumukonda — Thu, 26 Feb 2009 10:57:02 GMT

Hi,

the below regex will match anything but numbers in the host-header (http://<>/index.html - basically the address typed in by the user )

and the below code would drop the http connection as long as there is no a-z or A-Z in the host-header ( which is basically only numbers in the host-header )

#########################################

regex ipurl "[a-zA-Z]+"

class-map type regex match-any domain-list

match regex ipurl

class-map web

match port tcp eq www

policy-map type inspect http URL

parameters

match not request header host regex class domain-list

drop-connection

policy-map global_policy

class web

inspect http URL

##########################################

I really hope this is helpful to you.

-Vikram

Re: Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM

hasmurizal — Thu, 26 Feb 2009 12:07:18 GMT

hi.

thanks for the info. appreaciate the help that i received.

anyway, the real problem is due to this software which can bypass content filtering and firewall configuration. http://www.ultrareach.net/

on the content filtering server, we have manage it by applying deny "connect" regex ip addresses url. so i was thinking if there is anyway we can eliminate it on fwsm in case if the lan do not have content filtering servers.

i will check in the near future as i dont have any spare asa for now, and i will responce for any update later. thank you