
ASA 5510 URL filtering

Helmeczi Zoltan
Level 1

Hi all,

I have a problem with URL filtering.

I can't configure the ASA to allow only maps.google.com for a specific subset of users and allow all websites for the rest.

The goal is that 192.168.3.2 can reach only maps.google.com and all other hosts (for example in other subnets, if I apply the service-policy on the outside interface) have unrestricted access.

I tried this config, but it doesn't work:

regex allow \maps.google.com
access-list user-acl extended permit tcp host 192.168.3.2 any eq www
class-map type inspect http match-any block-url-class
match not request header host regex allow
class-map block-user-class
match access-list user-acl
policy-map type inspect http block-url-policy
parameters
class block-url-class
  drop-connection
policy-map block-user-url-policy
class block-user-class
  inspect http block-url-policy
service-policy block-user-url-policy interface inside

Please help me fix this problem.

Accepted Solutions

mirober2
Cisco Employee

Hi Helmeczi,

I tested this config and it worked according to your requirements:

regex maps "maps\.google\.com"
!
access-list user-acl extended permit tcp host 192.168.3.2 any eq www
!
class-map type inspect http match-all block-url-class
match not request header host regex maps
class-map block-user-class
match access-list user-acl
!
policy-map type inspect http block-url-policy
parameters
class block-url-class
  drop-connection
policy-map block-user-url-policy
class block-user-class
  inspect http block-url-policy
!
service-policy block-user-url-policy interface inside

The only difference I see is the 'regex' line, so try adjusting that first. If that still doesn't work, please let us know specifically what scenario is not working in your setup.

-Mike

Hi Mirober2,

Thanks for your help. It solved the problem.

I tried applying the service policy on the outside interface, but then all hosts reached all websites, so for some reason that is bad.

But then I applied it in global mode, and this was the best for me.

regex maps "maps\.google\.com"
!
access-list user-acl extended permit tcp host 192.168.3.2 any eq www
!
class-map type inspect http match-all block-url-class
match not request header host regex maps
class-map block-user-class
match access-list user-acl
!
policy-map type inspect http block-url-policy
parameters
class block-url-class
  drop-connection
policy-map global_policy
class block-user-class
  inspect http block-url-policy
service-policy global_policy global
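
Added example, not part of the thread and not Cisco code: a small Python model of the decision the working configuration makes, useful for reasoning about which flows it actually restricts. The function names and sample requests are constructed for illustration, and the model assumes the ASA searches for the regex anywhere in the Host value, as Python's `re.search` does.

```python
import ipaddress
import re

# Values taken from the thread's configuration.
MAPS = re.compile(r"maps\.google\.com")           # regex maps "maps\.google\.com"
RESTRICTED = ipaddress.ip_address("192.168.3.2")   # access-list user-acl ... host 192.168.3.2
WWW = 80                                           # ... any eq www

def host_header(raw_request: bytes) -> str:
    """Return the Host header value of a raw HTTP/1.x request ('' if absent)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return ""

def verdict(src_ip: str, dst_port: int, raw_request: bytes) -> str:
    """Model of the policy: 'uninspected', 'allow' or 'drop-connection'."""
    # class block-user-class: only flows matching user-acl reach the HTTP inspection.
    if ipaddress.ip_address(src_ip) != RESTRICTED or dst_port != WWW:
        return "uninspected"
    # class block-url-class: match not request header host regex maps.
    # Assumption: the regex is searched anywhere in the value, as re.search does.
    if MAPS.search(host_header(raw_request)) is None:
        return "drop-connection"
    return "allow"

def request(host: str) -> bytes:
    """Constructed sample request, not captured traffic."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nAccept: */*\r\n\r\n".encode("latin-1")

# Constructed cases: (source IP, destination port, Host header).
SAMPLES = [
    ("192.168.3.2", 80, "maps.google.com"),
    ("192.168.3.2", 80, "www.example.com"),
    ("192.168.3.2", 80, "maps.google.com.example.net"),  # contains the pattern
    ("192.168.3.2", 443, "www.example.com"),              # not 'eq www', never inspected
    ("192.168.4.7", 80, "www.example.com"),               # not in user-acl
]

def run_samples():
    return [verdict(ip, port, request(host)) for ip, port, host in SAMPLES]

if __name__ == "__main__":
    for sample, result in zip(SAMPLES, run_samples()):
        print(sample, "->", result)
```

In this model `uninspected` means the policy takes no action on the flow, so the interface access rules alone decide whether it passes. The third sample shows that the unanchored pattern also accepts a longer Host value that merely contains it.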
