cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11052
Views
5
Helpful
4
Replies

ASA 5505 URL Filtering using URL Filtering Server

Anup Sasikumar
Level 1
Level 1

Hi Experts ,

I have come across articles mentioning that URL  Filtering can be implemented by using ASA 5505 with URL Filtering  Servers. But Websense and other Web Filtering Servers are paid ones ?  Are there any free solutions available ? What exactly is N2H2 ? The  reason is I don 't want to increase the CPU utilization of ASA by  implementing URL filtering within the device. If I have around 30 nodes  which connects to the internet via a 2Mbps line through ASA 5505 and if I  want to block around say 10 or 15 URLs , will it increase CU  utilization beyond permissible limits ? Currently the CPU Utilization is  around 10 - 15 . Here's the infrastructure setup . Please help

------------------------------------------------------------

Nodes -->Switches-->ASA 5505-->Internet

-------------------------------------------------------------

Many Thanks ,

Anup

Regards,
Anup
1 Accepted Solution

Accepted Solutions

vincent.monnier
Level 1
Level 1

Hi Anup,

A simple test can be perform to filter URL via the ASA configuration only. You can try for a short period in order to see the increase CPU's utilization, if it's too much then you can remove your modification.

Below a simple description of the configuration you can impletment.

Vincent

1. Implementing White list

! defining the URL to filter

regex UBI-URL1 "yahoo.com"

regex UBI-URL2 "ubiqube.com"

! grouping url in one object

class-map type regex match-any UBI-URL-LIST 

match regex UBI-URL1

match regex UBI-URL2

! specified the matching traffic to block

class-map type inspect http match-all UBI-HTTP-MAP

   match no request header host regex class UBI-URL-LIST 

! declare action to matching traffic

policy-map type inspect http UBI-HTTP-INSPECT

class UBI-HTTP-MAP

   reset log

!applying the inspection

policy-map global_policy

  class inspection_default

   inspect http UBI-HTTP-INSPECT

OR

2. Implementing black list

  ! defining the URL to filter

regex UBI-URL1 "yahoo.com"

regex UBI-URL2 "ubiqube.com"

! grouping url in one object

class-map type regex match-any UBI-URL-LIST 

match regex UBI-URL1

match regex UBI-URL2

! specified the matching traffic to block

class-map type inspect http match-all UBI-HTTP-MAP

   match request header host regex class UBI-URL-LIST 

! declare action to matching traffic

policy-map type inspect http UBI-HTTP-INSPECT

class UBI-HTTP-MAP

  reset log

!applying the inspection

policy-map global_policy

  class inspection_default

   inspect http UBI-HTTP-INSPECT

3. Monitore  the result via the logs

URL accessed

07-10-10 08:16:27 5 %ASA-5-304001: 10.10.10.10 Accessed URL 213.30.157.8:/page.php?2

URL Blocked

07-10-10 08:16:52 5 %ASA-5-415008: HTTP - matched Class 22: UBI-HTTP-MAP in policy-map UBI-HTTP-inspect, header matched - Resetting connection from inside:10.10.10.10/1423 to outside: 209.85.135.103/80

View solution in original post

4 Replies 4

mvsheik123
Level 7
Level 7

Hi Anup,

Iam not an expert in this, but try to fill in some info for you. N2H2 is Cisco IOS supported URL filtering s/w which sits on seperate server like websense. Websense work with ASAs. Iam not quite sure if N2H2 works with ASA. Please check the below link..

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_n2h2.html

As far as free s/w for URL filtering - you may be able to find couple (google for the same) but personally, I never rely on the free stuff when comes to firm security.

hth

MS

EDIT: Just read in another posting that both Websense & N2H2 are supported.

Hi MS ,

Thank you very much for the information . I think I would better go for a configuring URL Filtering iniside the ASA itself ( Sure keeping an eye on the CPU Utilization ! ) or paid URL Filtering Server like Websense or McAfee Smartfilter (http://www.mcafee.com/us/products/smartfilter.aspx) considering firm security .

I also came across another discussion regarding the same where it says you PROBABLY can get the same by configuring a Squid proxy with Cisco Router via WCCP. ( https://supportforums.cisco.com/thread/224575)

Many Thanks,

Anup

Regards,
Anup

vincent.monnier
Level 1
Level 1

Hi Anup,

A simple test can be perform to filter URL via the ASA configuration only. You can try for a short period in order to see the increase CPU's utilization, if it's too much then you can remove your modification.

Below a simple description of the configuration you can impletment.

Vincent

1. Implementing White list

! defining the URL to filter

regex UBI-URL1 "yahoo.com"

regex UBI-URL2 "ubiqube.com"

! grouping url in one object

class-map type regex match-any UBI-URL-LIST 

match regex UBI-URL1

match regex UBI-URL2

! specified the matching traffic to block

class-map type inspect http match-all UBI-HTTP-MAP

   match no request header host regex class UBI-URL-LIST 

! declare action to matching traffic

policy-map type inspect http UBI-HTTP-INSPECT

class UBI-HTTP-MAP

   reset log

!applying the inspection

policy-map global_policy

  class inspection_default

   inspect http UBI-HTTP-INSPECT

OR

2. Implementing black list

  ! defining the URL to filter

regex UBI-URL1 "yahoo.com"

regex UBI-URL2 "ubiqube.com"

! grouping url in one object

class-map type regex match-any UBI-URL-LIST 

match regex UBI-URL1

match regex UBI-URL2

! specified the matching traffic to block

class-map type inspect http match-all UBI-HTTP-MAP

   match request header host regex class UBI-URL-LIST 

! declare action to matching traffic

policy-map type inspect http UBI-HTTP-INSPECT

class UBI-HTTP-MAP

  reset log

!applying the inspection

policy-map global_policy

  class inspection_default

   inspect http UBI-HTTP-INSPECT

3. Monitore  the result via the logs

URL accessed

07-10-10 08:16:27 5 %ASA-5-304001: 10.10.10.10 Accessed URL 213.30.157.8:/page.php?2

URL Blocked

07-10-10 08:16:52 5 %ASA-5-415008: HTTP - matched Class 22: UBI-HTTP-MAP in policy-map UBI-HTTP-inspect, header matched - Resetting connection from inside:10.10.10.10/1423 to outside: 209.85.135.103/80

Hi Vincent,

Thank you very much for the configuration examples . It was indeed very helpful ! The CPU utilization is a major concern as I have read many posts which mentions since packet inspection is a CPU intensive operation , it can make the CPU utilization go high . But anyway considering the amount of traffic and no . of URLs that needs to be blocked I will do the configuration on the ASA and closely monitor the CPU utilization .

Many Thanks ,

Anup

Regards,
Anup
Review Cisco Networking for a $25 gift card