02-08-2012 04:30 PM - edited 03-11-2019 03:26 PM
Hi Experts ,
I have come across articles mentioning that URL Filtering can be implemented by using ASA 5505 with URL Filtering Servers. But Websense and other Web Filtering Servers are paid ones ? Are there any free solutions available ? What exactly is N2H2 ? The reason is I don 't want to increase the CPU utilization of ASA by implementing URL filtering within the device. If I have around 30 nodes which connects to the internet via a 2Mbps line through ASA 5505 and if I want to block around say 10 or 15 URLs , will it increase CU utilization beyond permissible limits ? Currently the CPU Utilization is around 10 - 15 . Here's the infrastructure setup . Please help
------------------------------------------------------------
Nodes -->Switches-->ASA 5505-->Internet
-------------------------------------------------------------
Many Thanks ,
Anup
Solved! Go to Solution.
02-09-2012 01:12 AM
Hi Anup,
A simple test can be perform to filter URL via the ASA configuration only. You can try for a short period in order to see the increase CPU's utilization, if it's too much then you can remove your modification.
Below a simple description of the configuration you can impletment.
Vincent
1. Implementing White list
! defining the URL to filter
regex UBI-URL1 "yahoo.com"
regex UBI-URL2 "ubiqube.com"
! grouping url in one object
class-map type regex match-any UBI-URL-LIST
match regex UBI-URL1
match regex UBI-URL2
! specified the matching traffic to block
class-map type inspect http match-all UBI-HTTP-MAP
match no request header host regex class UBI-URL-LIST
! declare action to matching traffic
policy-map type inspect http UBI-HTTP-INSPECT
class UBI-HTTP-MAP
reset log
!applying the inspection
policy-map global_policy
class inspection_default
inspect http UBI-HTTP-INSPECT
OR
2. Implementing black list
! defining the URL to filter
regex UBI-URL1 "yahoo.com"
regex UBI-URL2 "ubiqube.com"
! grouping url in one object
class-map type regex match-any UBI-URL-LIST
match regex UBI-URL1
match regex UBI-URL2
! specified the matching traffic to block
class-map type inspect http match-all UBI-HTTP-MAP
match request header host regex class UBI-URL-LIST
! declare action to matching traffic
policy-map type inspect http UBI-HTTP-INSPECT
class UBI-HTTP-MAP
reset log
!applying the inspection
policy-map global_policy
class inspection_default
inspect http UBI-HTTP-INSPECT
3. Monitore the result via the logs
URL accessed
07-10-10 08:16:27 5 %ASA-5-304001: 10.10.10.10 Accessed URL 213.30.157.8:/page.php?2
URL Blocked
07-10-10 08:16:52 5 %ASA-5-415008: HTTP - matched Class 22: UBI-HTTP-MAP in policy-map UBI-HTTP-inspect, header matched - Resetting connection from inside:10.10.10.10/1423 to outside: 209.85.135.103/80
02-08-2012 08:02 PM
Hi Anup,
Iam not an expert in this, but try to fill in some info for you. N2H2 is Cisco IOS supported URL filtering s/w which sits on seperate server like websense. Websense work with ASAs. Iam not quite sure if N2H2 works with ASA. Please check the below link..
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_n2h2.html
As far as free s/w for URL filtering - you may be able to find couple (google for the same) but personally, I never rely on the free stuff when comes to firm security.
hth
MS
EDIT: Just read in another posting that both Websense & N2H2 are supported.
02-10-2012 04:15 PM
Hi MS ,
Thank you very much for the information . I think I would better go for a configuring URL Filtering iniside the ASA itself ( Sure keeping an eye on the CPU Utilization ! ) or paid URL Filtering Server like Websense or McAfee Smartfilter (http://www.mcafee.com/us/products/smartfilter.aspx) considering firm security .
I also came across another discussion regarding the same where it says you PROBABLY can get the same by configuring a Squid proxy with Cisco Router via WCCP. ( https://supportforums.cisco.com/thread/224575)
Many Thanks,
Anup
02-09-2012 01:12 AM
Hi Anup,
A simple test can be perform to filter URL via the ASA configuration only. You can try for a short period in order to see the increase CPU's utilization, if it's too much then you can remove your modification.
Below a simple description of the configuration you can impletment.
Vincent
1. Implementing White list
! defining the URL to filter
regex UBI-URL1 "yahoo.com"
regex UBI-URL2 "ubiqube.com"
! grouping url in one object
class-map type regex match-any UBI-URL-LIST
match regex UBI-URL1
match regex UBI-URL2
! specified the matching traffic to block
class-map type inspect http match-all UBI-HTTP-MAP
match no request header host regex class UBI-URL-LIST
! declare action to matching traffic
policy-map type inspect http UBI-HTTP-INSPECT
class UBI-HTTP-MAP
reset log
!applying the inspection
policy-map global_policy
class inspection_default
inspect http UBI-HTTP-INSPECT
OR
2. Implementing black list
! defining the URL to filter
regex UBI-URL1 "yahoo.com"
regex UBI-URL2 "ubiqube.com"
! grouping url in one object
class-map type regex match-any UBI-URL-LIST
match regex UBI-URL1
match regex UBI-URL2
! specified the matching traffic to block
class-map type inspect http match-all UBI-HTTP-MAP
match request header host regex class UBI-URL-LIST
! declare action to matching traffic
policy-map type inspect http UBI-HTTP-INSPECT
class UBI-HTTP-MAP
reset log
!applying the inspection
policy-map global_policy
class inspection_default
inspect http UBI-HTTP-INSPECT
3. Monitore the result via the logs
URL accessed
07-10-10 08:16:27 5 %ASA-5-304001: 10.10.10.10 Accessed URL 213.30.157.8:/page.php?2
URL Blocked
07-10-10 08:16:52 5 %ASA-5-415008: HTTP - matched Class 22: UBI-HTTP-MAP in policy-map UBI-HTTP-inspect, header matched - Resetting connection from inside:10.10.10.10/1423 to outside: 209.85.135.103/80
02-10-2012 04:27 PM
Hi Vincent,
Thank you very much for the configuration examples . It was indeed very helpful ! The CPU utilization is a major concern as I have read many posts which mentions since packet inspection is a CPU intensive operation , it can make the CPU utilization go high . But anyway considering the amount of traffic and no . of URLs that needs to be blocked I will do the configuration on the ASA and closely monitor the CPU utilization .
Many Thanks ,
Anup
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide