We have a few VLANs that need to block all web access except for a few approved URLs. A little diagram never hurts.
Corp users should have full access to everything on the web, but the test lab only needs access to 10 or so URLs. Here is what I have configured:
regex TL_URL1 "*\.google\.com"
regex TL_URL2 "www\.yahoo\.com"
class-map type inspect http match-all ALLOWED_URL_CMAP
match not request header host regex TL_URL1
match not request header host regex TL_URL2
access-list TL_URL_ACL extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list TL_URL_ACL extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list TL_URL_ACL extended permit tcp 192.168.3.0 255.255.255.0 any eq www
match access-list TL_URL_ACL
policy-map type inspect http ALLOWED_URL_PMAP
inspect http ALLOWED_URL_PMAP
service-policy ALLOWED_TL_URL_PMAP interface inside
The problem so far is that when we apply the map, all web is blocked. What am I missing?
Thanks for the time and support.
If I'm reading your class-map correctly:
You are saying, match if the URL does NOT match TL_URL1 (2, 3, 4, 5, etc.). The policy-map then states that the traffic that matches should be dropped, which is all traffic that doesn't match.
I believe you want to set your class-map to "match-any" and your statements to "match request header host regex TL_URLx".
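As an added example (not the original poster's configuration and not the reply's), here is the complete MPF structure for a Host-header allow list, written the way the Cisco ASA documentation lays out this case: the approved hosts go into a regex class-map, a match-all HTTP inspection class matches requests whose Host header is not in that class, and the inspection policy drops those connections. The Layer 3/4 class-map and policy-map that the posted snippet is missing are included, so the service-policy names a policy-map that actually exists. The regex names and the ACL are the poster's; ALLOWED_HOSTS, BLOCKED_URL_CMAP, TL_HTTP_CMAP and TL_URL_PMAP are names assumed here.

```cisco
! Added example, not the poster's config. The first regex is written with a
! leading .* so that any subdomain of google.com matches; the Host header is
! what gets compared, not the full URL.
regex TL_URL1 ".*\.google\.com"
regex TL_URL2 "www\.yahoo\.com"
!
! Assumed name: one regex class holding every approved host, so adding a host
! later is a single "match regex" line here rather than a new class-map entry.
class-map type regex match-any ALLOWED_HOSTS
 match regex TL_URL1
 match regex TL_URL2
!
! Assumed name. HTTP inspection class: a request whose Host header is NOT one of
! the approved hosts. match-all plus "match not" against the regex class is the
! documented way to express "everything else".
class-map type inspect http match-all BLOCKED_URL_CMAP
 match not request header host regex class ALLOWED_HOSTS
!
! HTTP inspection policy: drop (and log) connections to any other host.
! Requests that match no class in an inspection policy-map are passed.
policy-map type inspect http ALLOWED_URL_PMAP
 class BLOCKED_URL_CMAP
  drop-connection log
!
! Layer 3/4 side: port 80 traffic from the test-lab subnets (the poster's ACL).
! Corp VLANs are not listed, so they are never handed to this inspection.
access-list TL_URL_ACL extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list TL_URL_ACL extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list TL_URL_ACL extended permit tcp 192.168.3.0 255.255.255.0 any eq www
!
! Assumed names. The Layer 3/4 class-map selects the flows, the Layer 3/4
! policy-map applies the HTTP inspection policy to them, and the service-policy
! must reference this Layer 3/4 policy-map, not the inspect policy-map.
class-map TL_HTTP_CMAP
 match access-list TL_URL_ACL
!
policy-map TL_URL_PMAP
 class TL_HTTP_CMAP
  inspect http ALLOWED_URL_PMAP
!
service-policy TL_URL_PMAP interface inside
```

Two things to check after applying it. An ASA accepts one service-policy per interface, so if "inside" already carries one, the TL_HTTP_CMAP class has to be added to that existing policy-map instead of attaching a second one; "show service-policy interface inside" shows which policy is active and whether the inspect counters move. This only governs port 80: the Host header of an HTTPS request is inside the TLS session and is not visible to the http inspection engine, so port 443 from the lab VLANs still has to be permitted or denied separately in the interface access-list.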