07-18-2013 10:34 AM - edited 03-11-2019 07:14 PM
Hello all,
We have a few VLANs that need to block all web access except for a few approved URLs. A little diagram never hurts.
Corp users should have full access to everything on the web. But the test lab only needs access to 10 or so URLs. Here is what I have configured:
! Allowed Host header patterns (ASA regex is unanchored; ".*" matches any google.com subdomain)
regex TL_URL1 ".*\.google\.com"
regex TL_URL2 "www\.yahoo\.com"
!
! HTTP inspect class: match requests whose Host header is not an allowed pattern
class-map type inspect http match-all ALLOWED_URL_CMAP
 match not request header host regex TL_URL1
 match not request header host regex TL_URL2
!
! Test-lab subnets that get the restriction
access-list TL_URL_ACL extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list TL_URL_ACL extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list TL_URL_ACL extended permit tcp 192.168.3.0 255.255.255.0 any eq www
!
class-map TL_USER_CMAP
 match access-list TL_URL_ACL
!
! Inspection policy: drop connections that hit the class above
policy-map type inspect http ALLOWED_URL_PMAP
 parameters
 class ALLOWED_URL_CMAP
  drop-connection
!
policy-map ALLOWED_TL_URL_PMAP
 class TL_USER_CMAP
  inspect http ALLOWED_URL_PMAP
!
service-policy ALLOWED_TL_URL_PMAP interface inside
The problem so far is that when we apply the map, all web is blocked. What am I missing?
Thanks for the time and support,
Nick
07-18-2013 02:42 PM
If I'm reading your Class-Map correctly:
class-map type inspect http match-all ALLOWED_URL_CMAP
 match not request header host regex TL_URL1
 match not request header host regex TL_URL2
You are saying, match if the url does NOT match TL_URL1, (2, 3, 4, 5, etc...). The policy-map then states the traffic that matches should be dropped, which is all traffic that doesn't match.
I believe you want to set your class-map to "match-any" and your statements to "match request header host regex TL_URLx".
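For reference, here is the way Cisco's own ASA documentation structures an "allow only these hosts" HTTP inspection policy. This is an added illustration, not config from either poster: the approved hosts go into one match-any regex class-map, and the HTTP inspect class-map uses a single "match not ... regex class" so that only requests whose Host header is outside the approved set reach drop-connection. Names reuse the original post's except ALLOWED_HOSTS and DENIED_URL_CMAP, which are assumed.

```cisco
! Approved Host header patterns (ASA regex is unanchored; ".*" covers any google.com subdomain)
regex TL_URL1 ".*\.google\.com"
regex TL_URL2 "www\.yahoo\.com"
!
! One regex class that matches ANY approved host (class name ALLOWED_HOSTS is assumed)
class-map type regex match-any ALLOWED_HOSTS
 match regex TL_URL1
 match regex TL_URL2
!
! HTTP inspect class: a request matches only if its Host is NOT in the approved set.
! One negated match against the regex class expresses the whole allow-list.
class-map type inspect http match-all DENIED_URL_CMAP
 match not request header host regex class ALLOWED_HOSTS
!
! Drop (and log) everything that matched the denied class
policy-map type inspect http ALLOWED_URL_PMAP
 parameters
 class DENIED_URL_CMAP
  drop-connection log
!
! Unchanged from the original post: only the test-lab subnets get this inspection
policy-map ALLOWED_TL_URL_PMAP
 class TL_USER_CMAP
  inspect http ALLOWED_URL_PMAP
!
service-policy ALLOWED_TL_URL_PMAP interface inside
```

After applying it, "show service-policy inspect http" on the ASA shows the drop counters so you can confirm only non-approved hosts are being dropped from the lab subnets.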
07-18-2013 04:37 PM
Thanks for your reply. I will try to play with the settings. But I based my configuration off this link here.