09-18-2007 04:24 AM - edited 03-11-2019 04:12 AM
Hi,
I am attempting to implement a basic URL filtering setup without WebSense, as the requirements are pretty static. Basically I want to allow certain inside hosts access to only a select list of URLs. These docs show how, in a roundabout fashion:
When I apply the below config, the hosts with restricted Internet access can't get to the two URLs allowed. I suspect the problem is that my regular expressions don't match, as the ASA is seeing (well, is logging anyway) http://203.36.59.1/blah.... rather than http://www.yellowpages.com.au/blah...
Example from the log:
Sep 14 2007 10:54:01: %ASA-5-304001: 192.168.101.88 Accessed URL 38.96.182.20:/mb/text_group.php?sid=218169&zs=3732385f3930
I would have thought that the unresolved hostname would be logged rather than the IP. Not sure if this is my problem, but it is the theory at present. Anyone done this before? Turned on DNS on the ASA, still no good.
Maybe the Plus license is needed for this feature?
Parts of the config:
regex YELLOWPAGES "*yellowpages.com.au"
regex WHITEPAGES "*whitepages.com.au"
access-list INTERNET-RESTRICTED remark Hosts that have restricted Internet access
access-list INTERNET-RESTRICTED extended permit ip host 192.168.101.110 any
access-list INTERNET-RESTRICTED remark Head Office LAN has open Internet access
access-list INTERNET-RESTRICTED extended deny ip 192.168.101.0 255.255.255.0 any
access-list INTERNET-RESTRICTED remark Shops have restricted Internet access
access-list INTERNET-RESTRICTED extended permit ip 192.168.0.0 255.255.0.0 any
!
class-map type regex match-any RESTRICTED-URL
 match regex YELLOWPAGES
 match regex WHITEPAGES
class-map type inspect http match-all INTERNET-RESTRICTED-SITES
 match not request uri regex class RESTRICTED-URL
class-map inspection_default
 match default-inspection-traffic
class-map INTERNET-RESTRICTED
 match access-list INTERNET-RESTRICTED
!
!
policy-map type inspect http POLICY-INTERNET-RESTRICTED
 parameters
 class INTERNET-RESTRICTED-SITES
  drop-connection log
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 2048
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect snmp
  inspect esmtp
policy-map INTERNET-OUTBOUND
 class INTERNET-RESTRICTED
  inspect http POLICY-INTERNET-RESTRICTED
!
service-policy global_policy global
service-policy INTERNET-OUTBOUND interface inside
09-18-2007 05:00 AM
You must use another class for doing this.
match not request header host regex RESTRICTED-URL
09-18-2007 06:29 PM
Thanks. This seems to work.
This is not at all mentioned in any of the doco on cisco.com. The command lookup tool doesn't even have anything on the "host" option.
09-18-2007 08:39 PM
The URI never contains the host's name.
Use a sniffer for a better understanding.
If you find posts helpful, rate them.
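To make the two replies concrete, here is an added Python example (not from the thread, and not Cisco code) that parses constructed HTTP requests the way a device in the path sees them on the wire, and shows why a whitelist regex applied to the request URI never matches a direct browser request while the same regex applied to the Host header does. It also shows a caveat worth checking before deploying the fix: an unanchored pattern in the style of the thread's "*yellowpages.com.au" would also accept a Host value that merely starts with the allowed domain, so the anchored form is the one to use. The sample requests, host names and patterns are constructed; the leading "*" of the original regex has no preceding atom in Python's regex syntax, so ".*" is used and the dots are escaped.

```python
import re
from typing import Dict, Tuple

# Constructed sample requests (hypothetical content), as they appear on the wire
# between an inside host and a web server when no proxy is in the path.
DIRECT_REQUEST = (
    b"GET /blah/search?q=plumber HTTP/1.1\r\n"
    b"Host: www.yellowpages.com.au\r\n"
    b"User-Agent: example-browser\r\n"
    b"\r\n"
)
# The request from the poster's log line: a site that should be dropped.
OTHER_SITE_REQUEST = (
    b"GET /mb/text_group.php?sid=218169&zs=3732385f3930 HTTP/1.1\r\n"
    b"Host: 38.96.182.20\r\n"
    b"\r\n"
)
# A host name that merely starts with the allowed domain (constructed).
LOOKALIKE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.yellowpages.com.au.example.net\r\n"
    b"\r\n"
)
# Only a request sent to an explicit proxy uses the absolute-URI form; that is
# the one case where the request-target itself carries the host name.
PROXY_FORM_REQUEST = (
    b"GET http://www.yellowpages.com.au/blah HTTP/1.1\r\n"
    b"Host: www.yellowpages.com.au\r\n"
    b"\r\n"
)

# Unanchored patterns in the spirit of the thread's regexes ("*yellowpages.com.au"
# has nothing for the star to repeat in Python, so ".*" is used, dots escaped).
LOOSE_PATTERNS = [
    re.compile(r".*yellowpages\.com\.au", re.IGNORECASE),
    re.compile(r".*whitepages\.com\.au", re.IGNORECASE),
]
# Anchored versions: the host must be the domain itself or a subdomain of it.
ANCHORED_PATTERNS = [
    re.compile(r"^(.*\.)?yellowpages\.com\.au$", re.IGNORECASE),
    re.compile(r"^(.*\.)?whitepages\.com\.au$", re.IGNORECASE),
]


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Return (request-target, headers) for an HTTP/1.x request head."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers


def request_host(raw: bytes) -> str:
    """The Host header value without any :port suffix."""
    _target, headers = parse_request(raw)
    return headers.get("host", "").split(":")[0]


def uri_matches_loose(raw: bytes) -> bool:
    """What a 'request uri' match sees: only the request-target, never the Host header."""
    target, _headers = parse_request(raw)
    return any(p.search(target) for p in LOOSE_PATTERNS)


def host_matches_loose(raw: bytes) -> bool:
    """The thread's fix (match on the Host header), but with the unanchored pattern."""
    return any(p.search(request_host(raw)) for p in LOOSE_PATTERNS)


def host_matches_anchored(raw: bytes) -> bool:
    """Host header match with anchored patterns: the version to actually deploy."""
    return any(p.fullmatch(request_host(raw)) for p in ANCHORED_PATTERNS)


def policy_verdict(raw: bytes) -> str:
    """Mirror 'match not request header host regex ...' followed by drop-connection."""
    return "permit" if host_matches_anchored(raw) else "drop-connection"


if __name__ == "__main__":
    samples = [("direct", DIRECT_REQUEST), ("other-site", OTHER_SITE_REQUEST),
               ("lookalike", LOOKALIKE_REQUEST), ("proxy-form", PROXY_FORM_REQUEST)]
    for name, req in samples:
        print(f"{name:10} uri:{uri_matches_loose(req)!s:5} "
              f"host-loose:{host_matches_loose(req)!s:5} "
              f"host-anchored:{host_matches_anchored(req)!s:5} -> {policy_verdict(req)}")
```

Running it shows the direct request failing the URI match (its request-target is just /blah/search?q=plumber) while passing the Host match, the lookalike host passing the loose Host match but failing the anchored one, and only the proxy-form request carrying the host name inside the URI. Whether the ASA's own regex engine accepts a leading "*" is not something this example can tell you; check the pattern on the device itself.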