02-01-2011 01:03 PM - edited 03-11-2019 12:43 PM
Hello everyone, I am kind of new to Cisco products. I have a Cisco ASA 5510 as firewall, and I was trying to block some sites using the link provided below,
and it's working fine. But the problem I am having is that when I go to download an attachment from Hotmail it's not downloading; from Gmail and other mail it's
working. Could anyone help me with this?
02-01-2011 03:32 PM
Hello,
Can you please post your configuration here (both regular expression statements and class-map/policy-map statements)?
Regards,
NT
02-07-2011 10:16 AM
02-07-2011 11:11 AM
From the CLI, can you paste the show run regex, show run class-map and show run policy-map?
02-08-2011 07:05 AM
Yes, these are the results, and thanks for the reply.
show run regex
regex urllist1 ".*\.([Ff][Ll][Vv])HTTP/1.[01]"
regex domainlist1 "\.youtube\.com"
regex ares "[ares]"
regex contenttype "Content-Type"
regex applicationheader "application/.*"
show run class-map
!
class-map inside-unres-band-in
 description Assign 16MB unrestricted IPs outgoing request
 match access-list inside_mpc
class-map inside-class-unrestricted-in
 description Prioritize unrestricted IPs outgoing request
 match access-list inside_mpc_2
class-map type regex match-any DomainBlocklist
 match regex domainlist1
class-map type inspect http match-all BlockDomainClass
 match request header host regex class DomainBlocklist
class-map type regex match-any block
 match regex _default_x-kazaa-network
 match regex _default_aim-messenger
 match regex _default_gator
class-map inside-unres-band-out
 description Assign 16MB unrestricted IPs return traffic
 match access-list inside_mpc_1
class-map inspection_default
 match default-inspection-traffic
class-map inside-class-unrestricted-out
 description Prioritize unrestricted IPs return traffic
 match access-list inside_mpc_3
!
show run policy-map
In the policy-map I have some rules for bandwidth restrictions, and I have the httpaccess rule (site blocking) on top of the default class-map rule.
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect rtsp
policy-map type inspect http http_inspec_allow
 parameters
  protocol-violation action drop-connection
 match request method connect
  log
 class BlockDomainClass
  log
policy-map type inspect http Ares
 parameters
  protocol-violation action drop-connection
 match request uri regex ares
  drop-connection log
policy-map type inspect http block
 parameters
  protocol-violation action drop-connection
 match request uri regex class block
  drop-connection log
policy-map type inspect http http_inspec_pol
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class BlockDomainClass
  reset
policy-map type inspect im IM-Inspect-map
 parameters
 match protocol msn-im yahoo-im
  drop-connection
policy-map inside-policy-res-bandwidth
 class inside-unres-band-in
  police input 16000000 8000
  police output 16000000 8000
 class inside-class-unrestricted-in
  police input 16000000 8000
  police output 16000000 8000
 class inside-unres-band-out
  police output 16000000 8000
  police input 16000000 8000
 class inside-class-unrestricted-out
  police input 16000000 8000
  police output 16000000 8000
 class httpaccess
  inspect http http_inspec_pol
 class class-default
  police input 4500000 2700
  police output 4500000 2700
policy-map type inspect im imallow
 parameters
 match protocol msn-im yahoo-im
  log
!
02-08-2011 12:30 PM
Hi Jibin,
Does the ASA log any syslogs when the connection is blocked?
Also, could you get a packet capture on the client for a connection that is blocked? I don't have a Hotmail account to test with, but I'm wondering if this regex might be matching something in the request:
regex ares "[ares]"
-Mike
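To see why the ares regex is suspicious, here is an added example (not from the thread or from Cisco) that runs the regex definitions posted above against constructed HTTP requests with Python's re module and reports which regex-based matches would fire. The sample hosts and URIs are made up; the assumption is that Python's regex semantics are close enough to the ASA's for these simple patterns.

```python
import re

# Regex definitions copied from the thread's "show run regex" output.
ASA_REGEX = {
    "urllist1": r".*\.([Ff][Ll][Vv])HTTP/1.[01]",
    "domainlist1": r"\.youtube\.com",
    "ares": r"[ares]",
    "contenttype": r"Content-Type",
    "applicationheader": r"application/.*",
}

# Where the thread's policy applies them: DomainBlocklist matches the
# Host header (class-map type regex match-any), policy "Ares" matches
# the request URI directly against the single regex "ares".
HOST_CLASS = ["domainlist1"]
URI_REGEX = ["ares"]


def matching_regexes(text, names):
    """Return the names of the given ASA regexes that match text."""
    return [n for n in names if re.search(ASA_REGEX[n], text)]


def classify_request(host, uri):
    """Report which regex matches a request would trigger.

    host: value of the HTTP Host header; uri: request URI (path + query).
    Returns the matching regex names for the host check and the URI check.
    """
    return {
        "host_block": matching_regexes(host, HOST_CLASS),
        "uri_block": matching_regexes(uri, URI_REGEX),
    }


# Constructed sample requests (not real captures): a webmail attachment
# download, a request to the blocked domain, and a plain index request.
SAMPLES = {
    "webmail_attachment": ("sn123.mail.live.com",
                           "/mail/GetAttachment.aspx?file=report.pdf"),
    "youtube_watch": ("www.youtube.com", "/watch?v=ID"),
    "plain_index": ("www.example.com", "/"),
}

if __name__ == "__main__":
    # "[ares]" is a character class: any URI containing a, r, e or s
    # matches, so the attachment download is caught by the Ares policy.
    for name, (host, uri) in SAMPLES.items():
        print(name, classify_request(host, uri))
```

Only the bare "/" request escapes the ares regex, which is why a URI regex like this drops nearly every download even though the Host header never matches the domain list.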
02-09-2011 12:26 PM
02-09-2011 12:31 PM
And the regex ares wasn't really in use; I was using that for testing. I removed all that and tried; it's the same problem.
02-09-2011 01:30 PM
Can you include the show run service-policy?
02-10-2011 04:55 AM
Yes, this is the result:
Result of the command: "show run service-policy"
service-policy global_policy global
service-policy inside-policy-res-bandwidth interface inside
02-10-2011 06:13 AM
Have you tried applying the inspect http inside the global policy?
Like this:
policy-map global_policy
 class httpaccess
  inspect http http_inspec_pol
02-10-2011 08:13 AM
I haven't tried it in the global policy. I will try that and let you know.
Thanks.
02-10-2011 12:11 PM
Yes, I tried it in the global policy; still the same problem.
04-08-2015 08:45 AM
Hey folks,
I have also used the same method and it just works fine. Additionally, I have placed a small policy map on the internet edge router which deprecates the required traffic identified by NBAR to DSCP 1, and a URL list which says nothing comes in with .torrent.
After this I have seen a huge difference in my network traffic, which is approx. 289 Gigs in and 345 out; the difference is from the last 15 days.
05-03-2012 09:05 AM
Hi Jibbin,
I know it's been a while, but I wonder if you got solutions to your issues? I tried to do the same, wanting to block some cloud video services and internet radio like Netflix, Hulu, Pandora... It seemed to work great for blocking those sites, but at the same time it blocked certain web forms and ActiveX apps from other business sites (not on the URL block lists) as well. I can log on to Hotmail, Gmail and check email no problem.
Thanks