Showing results for 
Search instead for 
Did you mean: 

ASA 5505 configuration


I am new for configuring asa I want that my inside user only do browsing on internet and stop downloading any thing

pls give me step by step configuration for this task I am using asa 5505 and a 1800 series router for internet connectivity and 2960 switch for lan and I install asa between them

3 Replies 3

Hi Bro

Please paste in here your network diagram, that has IP Addresses/Subnetmasks as well? By the way, are you hosting any Web Servers on the LAN, whereby users from the Internet would need to access it? or is this setup similar to a typical Cybercafe, where by all access are from LAN to the Internet?

Warm regards,
Ramraj Sivagnanam Sivajanam



This is my first time doing this (url filtering and attempt to block user from downloading) for learning sake and for my future work with firewalls.

No one is an expert in using a product the first time, instead of asking for answers research it yourself first then post a question when you encounter problem in this way you will learn faster and remember quicker.'s my configuration which is not perfect but should work......

First if you have no idea how to start read my blog: to get your internet running first.

I use regular expression to group the file type exe, zip, tar, pdf, as long as in the url it contains this extension no matter which website the connection will be reset.

Create regex by searching for extension that ends with the ones stated above

regex ext-type1 ".*\.([Ee][Xx][Ee]|[Zz][Ii][Pp]|[Tt][Aa][Rr]|[Pp][Dd][Ff])"

Create regex that matches http headers with content-type application/(everything)

regex content-type "Content-Type"

!There are a lot of application such as application/pdf blah blah blah...the * is a wildcard that matches all.

regex app-header "application/.*"

Create class-map to group ext-types

class-map type regex match-any block-ext

match regex ext-type1

Actually you do not need to create a class-map for this, but using nested class-maps make your configuration more scalable (I say nested because this class-map will be used again within another class-map), next time if you need to add more extensions simply create another regex and match it within block-ext class-maps and your changes would take effect immediately with your new sets of extensions.

Create class-map to group http headers

class-map type inspect http match-all app-header-class

match response header regex content-type regex app-header

When inside host surf the web and request for to download app that matches application/* the response will be captured by the ASA. This configuration captures and groups the response.

Create class-map to group http request

class-map type inspect http match-all block-ext-class

match request uri regex class block-ext

Now this is the nested class-map, remember that i created another class-map known as block-ext? This configuration captures your inside host request and group them if it matches block-ext.

Create access-list and class-map to group http traffic only so that policy can be applied to these traffic.

access-list http-group extended permit tcp any any eq www

access-list http-group extended permit tcp any any eq 8080

class-map http-only

match access-list http-group

These are the interesting traffic which the policy be applied to.

Define http inspection policy

policy-map type inspect http http-inspection-policy


  protocol-violation action drop-connection log

class app-header-class

  drop-connection log

class block-ext-class

  reset log

These configurations are for policy creation, if http packet is malformed it will be drop and log, if matches the response app-header-class connection is dropped, if matches the request block-ext-class the connection is reset (i.e. user immediate sees page not found on his/her web browser)

Attached the policy into the interesting traffic

policy-map inside-http-policy

class http-only

  inspect http http-inspection-policy

Now the above policy creation will be applied to the interesting traffic.

Apply the policy into the inside interface

service-policy inside-http-policy interface inside

The above policy is not taken into effect until you applied to an interface.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: