ASA 5505 - How to allow a server access to ONLY one URL?

rickpo12-cisco · ‎12-05-2012

Thank you in advance.

I have an application on a server in our DMZ that I want to restrict access to only allow it to send http request to www.google.com/recaptcha/api/verify. I have been playing around with regular expressions and Inpect Maps, but so far I have not obtain the magic combination to make this work. So my question to this group is as follows:

Server name : Sleepy

url to ALLOW: www.google.com/recaptcha/api/verify

I have created a network object for Sleepy with its IP address.

What are the steps, only using the basic features of the ASA 5505, (Not using URL Filtering Servers), to ONLY allow SLEEPY to make http requests to the recaptcha url?

Thank you again.

Rick

Jennifer Halim · ‎12-10-2012

Here you go:

regex domainGoogle "www\.google\.com\/recaptcha\/api\/verify"

access-list sleepy-google permit tcp host any eq 80

class-map type regex match-any GoogleCM

match regex domainGoogle

class-map httptraffic

match access-list sleepy-google

policy-map type inspect http http_inspection_policy

class GoogleCM

log

policy-map dmz-policy

class httptraffic

inspect http http_inspection_policy

service-policy dmz-policy interface dmz

This wouldn't work however if Google captcha verify page uses HTTPS (as HTTPS is encrypted session and the URL is encrypted within the HTTP), hence won't be able to use REGEX to allow it through.