Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
659
Views
0
Helpful
2
Replies

ASA URL Filtering with MPF

nickhesson
Level 1
Level 1

‎07-18-2013 10:34 AM - edited ‎03-11-2019 07:14 PM

Hello all,

We have a few VLANs that need to block all web access except for a few approved URLs.  Little diagram never hurt.

URL issue.jpg

Corp users should have full access to everything web.  But the test lab only needs access to just a few 10 or so URLs.  Here is what i have configured:

regex TL_URL1 "*\.google\.com"

regex TL_URL2 "www\.yahoo\.com"

class-map type inspect http match-all ALLOWED_URL_CMAP

match not request header host regex TL_URL1

match not request header host regex TL_URL2

access-list TL_URL_ACL extended permit tcp 192.168.1.0 255.255.255.0 any eq www

access-list TL_URL_ACL extended permit tcp 192.168.2.0 255.255.255.0 any eq www

access-list TL_URL_ACL extended permit tcp 192.168.3.0 255.255.255.0 any eq www

class-map TL_USER_CMAP

match access-list TL_URL_ACL

policy-map type inspect http ALLOWED_URL_PMAP

parameters

  class ALLOWED_URL_CMAP

  drop-connection

policy-map ALLOWED_TL_URL_PMAP

class TL_USER_CMAP

  inspect http ALLOWED_URL_PMAP

service-policy ALLOWED_TL_URL_PMAP interface inside

The problem so far is when we apply the map, all web is blocked.  What am i missing?

Thanks for the time and support,

Nick

Labels:
0 Helpful
2 Replies 2

eddie.harmoush
Level 1
Level 1

‎07-18-2013 02:42 PM

If I'm reading your Class-Map correctly:

class-map type inspect http match-all ALLOWED_URL_CMAP

match not request header host regex TL_URL1

match not request header host regex TL_URL2

You are saying, match if the url does NOT match TL_URL1, (2, 3, 4, 5, etc...).  The policy-map then states the traffic that matches should be dropped, which is all traffic that doesn't match.

I believe you want to set your class-map to "match-any" and your statemanets to "match request header host regex TL_URLx".

0 Helpful

nickhesson
Level 1
Level 1
In response to eddie.harmoush

‎07-18-2013 04:37 PM

Thanks for your reply.  I will try to play with the settings.  But i based my configuration off this like here.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card