Beginner

URL filtering on 5505?

Can someone help me with a basic config to filter like cisco.com (or any of its pages) using a 5505?  I am trying to *block* this site.  Here is what I had from the URL filtering howto:

!
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-any block-url-class
match request header host regex block1
!
!
policy-map type inspect http block-url-policy
parameters
class block-url-class
  drop-connection log
policy-map global_policy
class inspection_default
  inspect http block-url-policy
!
service-policy global_policy global

I got an error initially about there being no inspection_default class so I'm not sure if I recreated it correctly/completely...

thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Contributor

Re: URL filtering on 5505?

This is a configuration I have tested:

regex block-url ".\myspace.\com"
class-map type regex match-any cm-block-url
 match regex block-url
policy-map type inspect http pm-block-url
 parameters
 match request header host regex class cm-block-url
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect http pm-block-url
service-policy global_policy global

9 REPLIES
Contributor

Re: URL filtering on 5505?

Can you paste the show run regex, show run class-map and show run policy-map?

Beginner

Re: URL filtering on 5505?

Thanks Paul, I am trying your config but where you have:

class inspection_default

  inspect http pm-block-url

I do not see an "inspect" command to issue "inspect http"?

Contributor

Re: URL filtering on 5505?

class inspection_default comes by default on the ASA. In case you don't have it then you could add it manually. Here are the missing lines:

class-map inspection_default
 match default-inspection-traffic

Then make sure you add the rest of the commands I suggested.

Beginner

Re: URL filtering on 5505?

you:

regex block-url ".\myspace.\com"
class-map type regex match-any cm-block-url
 match regex block-url
policy-map type inspect http pm-block-url
 parameters
 match request header host regex class cm-block-url
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect http pm-block-url
service-policy global_policy global

me (testing with pandora):

regex block1 ".\pandora.\com"

class-map inspection_default
match default-inspection-traffic

class-map type regex match-any block-url-class
match regex block1
!
!
policy-map type inspect http block-url-policy
parameters
match request header host regex class block-url-class
  drop-connection log
policy-map global_policy
class inspection_default
  inspect http block-url-policy
!
service-policy global_policy global


Don't the !s indicate incomplete configurations? Do you have those in your config? If this looks good to you (looks good to me) I guess I am going to have to verify the user is testing from the right location.

Contributor

Re: URL filtering on 5505?

It doesn't mean incomplete.

Go ahead and test. Your config looks good.

Beginner

Re: URL filtering on 5505?

Tried it on an ASA here and it worked like a charm; the client finally got back to me and said he was testing from another site. Thanks for your help! On a side note... if they ping the URL (and resolve the IP) and use the IP in their web browser they get around this... is there a way to do DNS filtering so that requests or responses for a given string are blocked?

Contributor

Re: URL filtering on 5505?

I am glad to hear that it worked. You can always block the IP for the unwanted websites, but IPs usually change. If you want a better URL filtering mechanism you should consider the CSC-SSM for the ASA, but in this case it will not work on your ASA 5505.
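
Added example, not part of any post in this thread: a Python model for checking which Host header values the regex used above would match, including the IP-literal case raised in the last question. Assumptions: the `ESCAPED` pattern, the sample hosts, the function names, and the modelling of the ASA match as an unanchored, case-sensitive search over the Host value are all illustrative and not taken from the thread or from Cisco.

```python
import re

# Patterns in ASA regex syntax. POSTED is the one from the thread;
# ESCAPED is an assumed variant with the backslashes placed before the dots.
POSTED = r".\pandora.\com"
ESCAPED = r"\.pandora\.com"

# Constructed Host header values, including a documentation-range IP literal.
SAMPLE_HOSTS = [
    "www.pandora.com",
    "pandora.com",
    "www.pandora-com.example",
    "203.0.113.10",
]


def asa_to_python(pattern: str) -> str:
    # Translate a simple ASA regex to Python `re` syntax.
    # Assumption: a backslash before an ordinary character (the "\m" and "\c"
    # in the posted pattern) yields that character; \r \n \t \f are kept
    # as control-character escapes.
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append("\\" + nxt if nxt in "rntf" else re.escape(nxt))
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)


def host_blocked(asa_pattern: str, host_value: str) -> bool:
    # Model of "match request header host regex": unanchored,
    # case-sensitive search over the Host header value (assumption).
    return re.search(asa_to_python(asa_pattern), host_value) is not None


def coverage(asa_pattern: str) -> dict:
    # Map each sample Host value to True (dropped) or False (passed).
    return {h: host_blocked(asa_pattern, h) for h in SAMPLE_HOSTS}


if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("escaped", ESCAPED)):
        print(name, coverage(pat))
```

Under this model both patterns need a character in front of the site name, so a bare `pandora.com` Host value and an IP literal pass, while the posted pattern's unescaped dots also match look-alike hosts such as `www.pandora-com.example`.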