ASA Urlfiltering Multiple Classes

Steven Mills (Level 1)

Hello,

I am trying to configure an ASA 5510 so that it performs URL filtering for two different subnets: the Head Office subnet should just block Facebook and MySpace, and the stores group should only be allowed access to the Cisco website and Wikipedia. I have the following configuration:

! Host-header patterns (unanchored substring matches; each needs a leading dot)
regex STORE-URL-REGEX0 "\.cisco\.com"
regex STORE-URL-REGEX1 "\.wikipedia\.com"
regex HO-URL-REGEX0 "\.facebook\.com"
regex HO-URL-REGEX1 "\.myspace\.com"
!
! Layer-3/4 selectors: which source subnet gets which HTTP inspection policy
access-list HO-URLFILTER-ACL extended permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list STORE-URLFILTER-ACL extended permit tcp 192.168.254.0 255.255.255.0 any eq www
!
class-map HO-URLFILTER-CLASS
 match access-list HO-URLFILTER-ACL
class-map STORE-URLFILTER-CLASS
 match access-list STORE-URLFILTER-ACL
!
! Head Office: drop any request whose Host header matches either blocked site
class-map type inspect http match-any HO-URLFILTER-REGEX-CLASS
 match request header host regex HO-URL-REGEX0
 match request header host regex HO-URL-REGEX1
!
! Stores: the regex class lists the only permitted hosts; the inspect class
! matches every request whose Host header is NOT one of them
class-map type regex match-any SITE-BLOCKED-REGEX-URLS
 match regex STORE-URL-REGEX0
 match regex STORE-URL-REGEX1
!
class-map type inspect http match-any STORE-URLFILTER-REGEX-CLASS
 match not request header host regex class SITE-BLOCKED-REGEX-URLS
!
policy-map type inspect http HO-HTTP-URLFILTER-POLICY
 parameters
 class HO-URLFILTER-REGEX-CLASS
  drop-connection log
policy-map type inspect http STORE-HTTP-URLFILTER-POLICY
 parameters
 class STORE-URLFILTER-REGEX-CLASS
  drop-connection log
!
! Both subnets are inspected from the single global policy
policy-map global_policy
 class HO-URLFILTER-CLASS
  inspect http HO-HTTP-URLFILTER-POLICY
 class STORE-URLFILTER-CLASS
  inspect http STORE-HTTP-URLFILTER-POLICY

The config works perfectly individually; my issue is that only the first class (either HO-URLFILTER-CLASS or STORE-URLFILTER-CLASS) in the global_policy policy-map matches and is inspected. The class below it doesn't work unless I change the order in the policy map.

Is there anything I can do to make this work as I described?

Thanks for any help.
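What the two inspection policies actually do to a Host header is easier to see by running the posted patterns against some sample values. The script below is an added example, not code from this thread or from Cisco: Python's re.search stands in for the ASA regex engine (assumption: both perform an unanchored substring search over the Host header value), and the "strict" patterns, the sample source addresses and the Host values are all constructed for illustration.

```python
"""Model of the two URL-filtering policies from the post, evaluated against
constructed HTTP Host header values.

Added example, not code from the thread.  re.search stands in for the ASA
regex engine; the assumption is that both do an unanchored substring search.
"""
import ipaddress
import re

# Source subnets from the two access-lists (the layer-3 class-map selectors).
HO_SUBNET = ipaddress.ip_network("10.0.0.0/24")
STORE_SUBNET = ipaddress.ip_network("192.168.254.0/24")

# Patterns exactly as posted.  Each requires a leading dot, so the bare apex
# domain ("facebook.com") does not match, and nothing stops the pattern from
# matching in the middle of a longer host name.
HO_BLOCK = [r"\.facebook\.com", r"\.myspace\.com"]
STORE_ALLOW = [r"\.cisco\.com", r"\.wikipedia\.com"]

# Tightened patterns (constructed): whole-value match, optional labels in
# front, optional port.  Wikipedia is served from wikipedia.org, so the posted
# ".com" pattern never matches it.  Assumption: the ASA engine accepts these
# constructs (^, $, groups, quantifiers); confirm on the box before relying on them.
HO_BLOCK_STRICT = [r"^([a-z0-9-]+\.)*facebook\.com(:[0-9]+)?$",
                   r"^([a-z0-9-]+\.)*myspace\.com(:[0-9]+)?$"]
STORE_ALLOW_STRICT = [r"^([a-z0-9-]+\.)*cisco\.com(:[0-9]+)?$",
                      r"^([a-z0-9-]+\.)*wikipedia\.org(:[0-9]+)?$"]


def matches_any(patterns, host):
    """'match-any' semantics: true if any pattern is found in the value."""
    return any(re.search(p, host) for p in patterns)


def ho_verdict(host, block=HO_BLOCK):
    """Head Office: HO-URLFILTER-REGEX-CLASS matched -> drop-connection."""
    return "drop" if matches_any(block, host) else "allow"


def store_verdict(host, allow=STORE_ALLOW):
    """Stores: class is 'match not <allowed hosts>' -> drop-connection."""
    return "drop" if not matches_any(allow, host) else "allow"


def verdict(src_ip, host, strict=False):
    """Pick the inspection policy by source subnet, as the ACL class-maps do."""
    ip = ipaddress.ip_address(src_ip)
    if ip in HO_SUBNET:
        return ho_verdict(host, HO_BLOCK_STRICT if strict else HO_BLOCK)
    if ip in STORE_SUBNET:
        return store_verdict(host, STORE_ALLOW_STRICT if strict else STORE_ALLOW)
    return "allow"  # neither class matched: no HTTP inspection for this flow


if __name__ == "__main__":
    # Constructed (source IP, Host header) pairs.
    SAMPLES = [
        ("10.0.0.25", "www.facebook.com"),                    # blocked as intended
        ("10.0.0.25", "facebook.com"),                        # bare apex slips past the posted regex
        ("192.168.254.7", "www.cisco.com"),                   # allowed as intended
        ("192.168.254.7", "www.google.com"),                  # dropped as intended
        ("192.168.254.7", "www.cisco.com.attacker.example"),  # allowed by the unanchored regex
        ("192.168.254.7", "en.wikipedia.org"),                # dropped: pattern says wikipedia.com
        ("172.16.5.5", "www.facebook.com"),                   # in neither ACL: uninspected
    ]
    for ip, host in SAMPLES:
        print(f"{ip:15} {host:34} posted={verdict(ip, host):5} strict={verdict(ip, host, True)}")
```

Two things the run makes visible: a pattern that starts with `\.` never matches the bare apex domain, so a request with `Host: facebook.com` passes the Head Office block, and an allowlist pattern with no end anchor also matches a value such as `www.cisco.com.attacker.example`, which the stores' policy would then allow. Whether the anchored form is accepted by the ASA's `regex` command needs checking on the device.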

3 Replies

Kureli Sankar (Cisco Employee)

Steve,

How about you configure a new policy-map and apply it on the inside interface for one class-map and leave the other in the global policy?

-KS

I have currently kludged it by applying the Head Office blocking on a 2821 router that is also in the path, but is the method I have used with multiple class maps meant to work, or can you apply multiple policy-maps to an interface (for instance, if I wanted to filter three groups)? It is running an older software revision; could it be a bug, or is this expected behaviour?

Thanks.

Hi Steve,

The configuration looks good and ideally should work. Based on your description, the behavior does look out of the normal. One thing I would like you to try: instead of applying the two class-maps to the global_policy, try applying them to the interface on which the packets come into the ASA. If you do this, do you still see the same behavior?

It may be worth running a few debugs and getting a few captures as well, to see what exactly is going on. Before we go to that, let me know what happens with the interface-specific policy.

Regards,

Prapanch
