Block Certain Websites (URLs) Using Regular Expressions

jibinkg
Level 1

Hello everyone, I am kind of new to Cisco products. I have a Cisco ASA 5510 as a firewall, and I was trying to block some sites using the link provided below:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml#tshoot

and it's working fine, but the problem I am having is that when I go to download an attachment from Hotmail it's not downloading; from Gmail and other mail it's working. Could anyone help me on this?


Nagaraja Thanthry
Cisco Employee

Hello,

Can you please post your configuration here (both regular expression statements and class-map/policy-map statements)?

Regards,

NT

Thanks for the reply, and sorry for the late reply; I was away from work for some time. I am attaching screenshots of the regular expressions, the class-map and inspect map, and also the policy which I created.

From the CLI, can you paste the output of show run regex, show run class-map and show run policy-map?

Yes, these are the results, and thanks for the reply.

show run regex

regex urllist1 ".*\.([Ff][Ll][Vv])HTTP/1.[01]"
regex domainlist1 "\.youtube\.com"
regex ares "[ares]"
regex contenttype "Content-Type"
regex applicationheader "application/.*"

show run class-map

!
class-map inside-unres-band-in
description Assign 16MB  unrestricted IPs outgoing request
match access-list inside_mpc
class-map inside-class-unrestricted-in
description Prioritize unrestricted IPs outgoing request
match access-list inside_mpc_2
class-map type regex match-any DomainBlocklist
match regex domainlist1
class-map type inspect http match-all BlockDomainClass
match request header host regex class DomainBlocklist
class-map type regex match-any block
match regex _default_x-kazaa-network
match regex _default_aim-messenger
match regex _default_gator
class-map inside-unres-band-out
description Assign 16MB unrestricted IPs return traffic
match access-list inside_mpc_1
class-map inspection_default
match default-inspection-traffic
class-map inside-class-unrestricted-out
description Prioritize unrestricted IPs return traffic
match access-list inside_mpc_3
!

show run policy-map

In the policy-map I have some rules for bandwidth restrictions, and I have the httpaccess rule (site blocking) on top of the default class-map rule.

!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect sip 
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect rtsp
policy-map type inspect http http_inspec_allow
parameters
  protocol-violation action drop-connection
match request method connect
  log
class BlockDomainClass
  log
policy-map type inspect http Ares
parameters
  protocol-violation action drop-connection
match request uri regex ares
  drop-connection log
policy-map type inspect http block
parameters
  protocol-violation action drop-connection
match request uri regex class block
  drop-connection log
policy-map type inspect http http_inspec_pol
parameters
  protocol-violation action drop-connection
match request method connect
  drop-connection log
class BlockDomainClass
  reset
policy-map type inspect im IM-Inspect-map
parameters
match protocol msn-im yahoo-im
  drop-connection
policy-map inside-policy-res-bandwidth
class inside-unres-band-in
  police input 16000000 8000
  police output 16000000 8000
class inside-class-unrestricted-in
  police input 16000000 8000
  police output 16000000 8000
class inside-unres-band-out
  police output 16000000 8000
  police input 16000000 8000
class inside-class-unrestricted-out
  police input 16000000 8000
  police output 16000000 8000
class httpaccess
  inspect http http_inspec_pol

class class-default
  police input 4500000 2700
  police output 4500000 2700
policy-map type inspect im imallow
parameters
match protocol msn-im yahoo-im
  log
!

Hi Jibin,

Does the ASA log any syslogs when the connection is blocked?

Also, could you get a packet capture on the client for a connection that is blocked? I don't have a Hotmail account to test with, but I'm wondering if this regex might be matching something in the request:

regex ares "[ares]"

-Mike
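Mike's question above comes down to how a regex character class works: `[ares]` means any one of the letters a, r, e or s, so it matches almost every request URI. The following added example (not from the thread or from Cisco) runs the regexes posted in the "show run regex" output over constructed sample requests, using Python's re module as a stand-in for the ASA's regex engine; the sample URIs and Host headers are made up for illustration.

```python
import re

# Regexes copied from the thread's "show run regex" output.
ASA_REGEXES = {
    "urllist1": r".*\.([Ff][Ll][Vv])HTTP/1.[01]",
    "domainlist1": r"\.youtube\.com",
    "ares": r"[ares]",
}

# Constructed sample requests (method, URI, Host header); not real captures.
SAMPLE_REQUESTS = [
    ("GET", "/att/GetAttachment.aspx?file=report.pdf", "attachment.mail.example.com"),
    ("GET", "/mail/?ui=2&attid=0.1&disp=safe", "mail.example.org"),
    ("GET", "/watch?v=xyz", "www.youtube.com"),
    ("GET", "/videos/clip.flv", "cdn.example.net"),
    ("GET", "/", "www.example.net"),  # the shortest possible URI
]

def matches(name: str, text: str) -> bool:
    """True if the named regex finds a match anywhere in text.
    The ASA applies a regex unanchored, so re.search (not re.match) is used."""
    return re.search(ASA_REGEXES[name], text) is not None

def uri_hits(name: str) -> list:
    """Sample URIs the regex would hit via 'match request uri regex <name>'."""
    return [uri for _, uri, _ in SAMPLE_REQUESTS if matches(name, uri)]

def host_hits(name: str) -> list:
    """Sample Host headers hit via 'match request header host regex ...'."""
    return [host for _, _, host in SAMPLE_REQUESTS if matches(name, host)]

def request_line_hits(name: str) -> list:
    """Same check against a full request line 'METHOD URI HTTP/1.1'.
    Note urllist1 as posted has no space before HTTP/1.x, so it only hits
    when the URI runs straight into the version token."""
    lines = [f"{m} {u} HTTP/1.1" for m, u, _ in SAMPLE_REQUESTS]
    return [ln for ln in lines if matches(name, ln)]

if __name__ == "__main__":
    for n in ASA_REGEXES:
        print(n, "uri:", uri_hits(n), "host:", host_hits(n),
              "line:", request_line_hits(n))
```

Run as-is, `ares` hits four of the five sample URIs, including the attachment download, while `domainlist1` hits only the youtube Host header; that is the kind of over-match the packet capture would confirm or rule out.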

Hello,

Yes, the syslog is there, and I also have another problem: once I put this rule in the policy, after some time the syslog loses connection.

I don't know if I can capture packets from the ASA; can you help me on this?

I have the syslog reports if you want, below.

Attaching as a txt file.

And the regex ares wasn't really being used; I was using that for testing. I removed all of that and tried again, and it's the same problem.

Can you include the output of show run service-policy?

Yes, this is the result.

Result of the command: "show run service-policy"

service-policy global_policy global
service-policy inside-policy-res-bandwidth interface inside

Have you tried applying the inspect http inside the global policy?

Like this:

policy-map global_policy
class httpaccess
  inspect http http_inspec_pol

I haven't tried it in the global policy; I will try that and let you know.

Thanks.

Yes, I tried it in the global policy; still the same problem.

Hey folks,

I have also used the same method and it just works fine. Additionally, I have placed a small policy map on the internet edge router which deprecates the required traffic, identified by NBAR, to DSCP 1, and a URL list which says nothing comes in with .torrent.

After this I have seen a huge difference in my network traffic, which is approximately 289 GB in and 345 out; the difference is from the last 15 days.

vinlata2007
Level 1

Hi Jibin,

I know it's been a while, but I wonder if you got solutions to your issues? I tried to do the same; I want to block some cloud video services and internet radio like Netflix, Hulu, Pandora... It seemed to work great for blocking those sites, but at the same time it blocks certain web forms and ActiveX apps from other business sites (not on the URL block lists) as well. I can log on to Hotmail and Gmail and check email with no problem.

Thanks
