I am attempting to implement a basic URL filtering setup - without
WebSense as the requirements are pretty static.
Basically I want to allow certain inside hosts access to only a select
list of URLs. These docs show how in a roundabout fashion:
When I apply the below config the hosts with restricted Internet
access can't get to the two URLs allowed. I suspect the problem is
that my regular expressions don't seem to match as the ASA is seeing
(well, is logging anyway) http://220.127.116.11/blah.... rather than
Example from the log:
Sep 14 2007 10:54:01: %ASA-5-304001: 192.168.101.88 Accessed URL
I would have thought that the unresolved hostname would be logged
rather than the IP. Not sure if this is my problem but it is the theory
at present. Anyone done this before? Turned on DNS on the ASA, still
Maybe the Plus license is needed for this feature?
Parts of the config:
regex YELLOWPAGES "*yellowpages.com.au"
regex WHITEPAGES "*whitepages.com.au"
access-list INTERNET-RESTRICTED remark Hosts that have restricted
access-list INTERNET-RESTRICTED extended permit ip host
access-list INTERNET-RESTRICTED remark Head Office LAN has open
access-list INTERNET-RESTRICTED extended deny ip 192.168.101.0
access-list INTERNET-RESTRICTED remark Shops have restricted Internet
access-list INTERNET-RESTRICTED extended permit ip 192.168.0.0
class-map type regex match-any RESTRICTED-URL
match regex YELLOWPAGES
match regex WHITEPAGES
class-map type inspect http match-all INTERNET-RESTRICTED-SITES
match not request uri regex class RESTRICTED-URL
match access-list INTERNET-RESTRICTED
policy-map type inspect http POLICY-INTERNET-RESTRICTED
policy-map type inspect dns migrated_dns_map_1
message-length maximum 2048
inspect dns migrated_dns_map_1
inspect h323 h225
inspect h323 ras
inspect http POLICY-INTERNET-RESTRICTED
service-policy global_policy global
service-policy INTERNET-OUTBOUND interface inside
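As an added illustration (not the poster's config and not the ASA's regex engine; it assumes Python's re module as a stand-in and uses corrected, anchored forms of the two patterns), this checks a raw HTTP request against the same allow-list. It shows that an origin-form request URI ("/path") never carries the domain name, so only the Host header (or an absolute-form request line) can match, and that a leading "*" and unescaped dots in the posted patterns need tightening.

```python
import re
from typing import Optional, Tuple

# Allow-list as the post intends it. The post's originals are
# "*yellowpages.com.au" and "*whitepages.com.au"; a leading "*" has
# nothing to repeat, an unescaped "." matches any character, and an
# unanchored pattern would also accept "notyellowpages.com.au".
# These corrected forms are an assumption about the intended match.
ALLOWED_HOST_PATTERNS = [
    re.compile(r"(?:^|.*\.)yellowpages\.com\.au"),
    re.compile(r"(?:^|.*\.)whitepages\.com\.au"),
]

def parse_request(raw: str) -> Tuple[str, Optional[str]]:
    """Return (request-target, Host header value or None) from a raw request."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    target = lines[0].split(" ")[1]
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return target, host

def allowed(raw: str) -> bool:
    """Permit only requests whose host matches an allow-listed domain."""
    target, host = parse_request(raw)
    # Absolute-form targets (proxy style) carry the host themselves; the
    # usual origin-form "/path" does not, which is why matching on the
    # request URI alone cannot see the domain the client asked for.
    if host is None and target.startswith("http://"):
        host = target[len("http://"):].split("/", 1)[0]
    if host is None:
        return False
    hostname = host.split(":", 1)[0].lower()  # drop any :port suffix
    return any(p.fullmatch(hostname) for p in ALLOWED_HOST_PATTERNS)

# Constructed sample requests (not taken from the post's logs).
REQ_OK = "GET /search HTTP/1.1\r\nHost: www.yellowpages.com.au\r\n\r\n"
REQ_IP = "GET /blah HTTP/1.1\r\nHost: 220.127.116.11\r\n\r\n"
REQ_LOOKALIKE = "GET / HTTP/1.1\r\nHost: notyellowpages.com.au\r\n\r\n"
REQ_ABSOLUTE = "GET http://whitepages.com.au/ HTTP/1.0\r\n\r\n"
```

A request that reaches the filter with only an IP literal as its host, as in the logged URL above, is denied because no domain name is present to match.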
Thanks. This seems to work.
This is not at all mentioned in any of the doco on cisco.com. The command lookup tool doesn't even have anything on the "host" option.