08-03-2011 10:08 AM - edited 03-11-2019 02:07 PM
How can I filter my local lan's URL requests? Is it possible to have some sort of list like...
Default_User_Group
*.microsoft.com/*
*.mydomain.com
*.google.com
Then only allow certain IPs access to the entire internet like this...
Internet_User_Group
*
It would be nice to possibly be able to add the rules to users in my domain, then associate the domain account with an IP, OR have them log in to view webpages.
08-04-2011 02:24 AM
8.4.2 comes with the new User-Identity FW function.
Try looking it up on cisco.
Basically it's about fetching Groups and Users from an AD over an AD-Agent and apply ACE rules to them.
For example you can create a rule like "User Mark is allowed to access the company's network, but not the internet" and, regardless of where Mark is connected to the network, this rule will be applied with the help of AD and IP mapping through the AD Agent.
08-04-2011 10:12 AM
So it can do what I want though? I don't just want to block users from the internet, I want to control what sites they visit...
That's my main objective... Identification by AD would come later.
08-05-2011 01:06 AM
You can block them by using Regex along with HTTP inspection.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
08-05-2011 09:24 AM
That's EXACTLY the page I read over and EXACTLY what I tried and got to work... But the problem I had with that was that the article was made to block CERTAIN sites.
I want to block ALL sites and ALLOW certain sites. I kinda want to do the reverse.
08-08-2011 12:47 AM
Approach it like this:
Define which websites (the ones you want to allow access to) are to be inspected with an Inspection Policy.
Instead of "match" you can use "match not", so any website you have NOT specified with a regex will be blocked.
08-08-2011 05:30 AM
Thanks for the response Tim! Yeah, that's the first thing I tried doing too, hehe. I never could get it to work though. At what step in that article do I need to set the "Do not match" flag instead of the "Match" one? (BTW I'm trying to learn more about the ASDM, so I'm trying to do all the config in it as opposed to the CLI.) So which step (or STEPS?) from the article do I need to change that on? There are quite a few places that get you to set it to "Match" (for example Step 5a "HTTP Traffic" - sub step c).
08-08-2011 06:50 AM
In Step 2 you defined the regex.
In Step 3c you define if your inspection should "trigger" if the Regex matches or does not match.
Step 5 defines the ACL, meaning if Source to Destination via Protocol matches (or does not match, in your case it should match), inspect the traffic.
08-11-2011 08:13 AM
I'm trying to just work with blocking or allowing domain names in general, so I'm not doing steps like step 3c (see note below). I'm doing steps like step 3b. That's where I would choose "Match Type" = "No Match", correct?
Note:
Steps I skip are as follows...
1.b
1.c
1.d
1.e
1.f
1.g
2.b
3.c
4.e
5.b.*
08-11-2011 08:57 AM
Actually this is working perfectly!!! Thanks Tim!
Two more small things though...
1) In step 1.a my "domainlist1" contains the following...
\.google\.com|google\.com
So the ONLY sites I can go to are http://google.com, http://www.google.com, http://maps.google.com, etc..
BUT... I can also get to http://mygoogle.com. Is there any way for me to make it so that will not happen but still allow access to http://google.com ?
2) Is there a way to have this work per user on my domain?
For example I want MYDOMAIN\User.One to be able to go to ANY sites and MYDOMAIN\User.Two and MYDOMAIN\User.Three to be restricted to go to the google.com list only (as listed above).
08-12-2011 02:12 AM
Yo,
Try using a single regex to filter this by using [my]google.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
[abc] (character class): matches any character in the brackets. For example, [abc] matches a, b, or c.
08-12-2011 08:33 AM
So maybe something like [a-zA-Z0-9]google.com ?
Which would end up with 3 rules per domain
EDIT:
Yea that worked fine... I had to make 2 regex lists... Below is everything I did to make it work. When using the method below you can only go to sites that match the following criteria... http://google.com* or http://*.google.com*
1) Configuration->Global Objects->Regular Expressions->Regular Expressions
ADD - allowed_http_domains = \.google\.com|google\.com
2) Configuration->Global Objects->Regular Expressions->Regular Expressions
ADD - denied_http_domains = [(0-9A-Za-z)*]google\.com
3) Configuration->Global Objects->Regular Expressions->Regular Expression Classes
ADD - DomainAllowList = allowed_http_domains
4) Configuration->Global Objects->Regular Expressions->Regular Expression Classes
ADD - DomainDenyList = denied_http_domains
5) Configuration->Global Objects->Class Maps->HTTP
ADD - AllowDomainClass
Match Type = No Match
Criterion = Request Header Field
Value->Field->Predefined = host
Value->Value->Regular Expression Class = DomainAllowList
6) Configuration->Global Objects->Class Maps->HTTP
ADD - DenyDomainClass
Match Type = Match
Criterion = Request Header Field
Value->Field->Predefined = host
Value->Value->Regular Expression Class = DomainDenyList
7) Configuration->Global Objects->Inspect Maps->HTTP
ADD - http_inspection_policy
8) Configuration->Global Objects->Inspect Maps->HTTP->http_inspection_policy->Inspections
ADD - DenyDomainClass
Match Criteria->Multiple matches->HTTP Traffic Class = DenyDomainClass
Actions->Action = Reset
Actions->Log = Enable
9) Configuration->Global Objects->Inspect Maps->HTTP->http_inspection_policy->Inspections
ADD - AllowDomainClass
Match Criteria->Multiple matches->HTTP Traffic Class = AllowDomainClass
Actions->Action = Reset
Actions->Log = Enable
10) Configuration->Security Policy->Service Policy Rules
ADD Service Policy Rule
Screen 1:
Interface = inside - inside-policy
Screen 2:
Create a new traffic class = httptraffic
Traffic match criteria = only check Source and Destination IP Address (uses ACL)
Screen 3:
Action = Match
Source = any
Destination = any
Service = tcp-udp/http
Screen 4:
Protocol Inspection = only check HTTP (then click Configure)
Select a HTTP inspect map for fine control over inspection = http_inspection_policy
* CLICK OK then Finished
That's it! I hope this helps someone else out.
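The two regexes and the two HTTP class maps above, exercised outside the ASA as an added example. This is editor-written Python, not configuration from the post or from Cisco's documentation: `re.search` stands in for the ASA's unanchored regex matching, `asa_decision` reproduces the order of the two inspections from steps 8 and 9 (DenyDomainClass resets first, then the "No Match" AllowDomainClass from Tim's 08-08-2011 "match not" approach resets whatever the allow list did not cover), and the Host header values are constructed. The anchored pattern is my own assumption, not something from the thread; it is there to show the difference for a Host value such as google.com.evil.example, which the posted pair lets through because "google.com" is a substring of it and no character precedes "google".

```python
import re

# Regexes exactly as posted in the thread. ASA "regex" objects are matched
# unanchored against the field, so re.search is the closest stand-in here.
ALLOWED_HTTP_DOMAINS = re.compile(r"\.google\.com|google\.com")
DENIED_HTTP_DOMAINS = re.compile(r"[(0-9A-Za-z)*]google\.com")

# ASSUMPTION (not from the thread): an anchored allow pattern covering
# google.com and any of its subdomains, with an optional :port suffix.
ANCHORED_GOOGLE = re.compile(r"^([0-9A-Za-z-]+\.)*google\.com(:[0-9]+)?$")


def asa_decision(host, allow=ALLOWED_HTTP_DOMAINS, deny=DENIED_HTTP_DOMAINS):
    """Mimic the inspect-map order from steps 8 and 9 of the post.

    DenyDomainClass : Match    host regex class DomainDenyList  -> Reset
    AllowDomainClass: No Match host regex class DomainAllowList -> Reset
    Anything not reset by either class is passed through.
    """
    if deny.search(host):
        return "reset (DenyDomainClass)"
    if not allow.search(host):
        return "reset (AllowDomainClass)"
    return "allow"


def anchored_decision(host):
    """Single allow-only class using the assumed anchored pattern."""
    return "allow" if ANCHORED_GOOGLE.search(host) else "reset"


# Constructed sample Host header values (not captured traffic).
SAMPLE_HOSTS = [
    "google.com", "www.google.com", "maps.google.com",   # wanted
    "mygoogle.com", "notgoogle.com",                     # caught by the deny list
    "google.com.evil.example",                           # passes the posted pair
    "www.google.com.evil.example",                       # passes the posted pair
    "example.com",                                       # reset by "No Match"
]


def audit(hosts=SAMPLE_HOSTS):
    """Return {host: (decision with posted regexes, decision with anchored)}."""
    return {h: (asa_decision(h), anchored_decision(h)) for h in hosts}


if __name__ == "__main__":
    for host, (posted, anchored) in audit().items():
        print(f"{host:30} posted={posted:27} anchored={anchored}")
```

The anchored form assumes the ASA regex engine honours `^` and `$` (the regex syntax table in the linked Cisco configuration example lists both). Either way, the inspection only sees a cleartext Host header, so it says nothing about connections the ASA cannot read.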
08-24-2011 11:49 AM
Tim, I started a new discussion on setting up my ASA to use my AD to authenticate users. Any input you have there would be very helpful!
01-23-2014 07:21 AM
I'm under the impression this will only work if it's http traffic, correct? You cannot apply this level of filtering to https traffic due to the encryption?
01-23-2014 08:55 AM
I'm not 100% positive, but that would make sense... If it worked, then what's the point of encryption?