08-31-2011 11:07 AM - edited 03-11-2019 02:19 PM
I understand the ASA has limited functionality with website blocking, and that you have to create regular expressions. If you do this, is it possible to create groups for the regular expressions? For example, certain MAC addresses can get to all websites but others are restricted from some.
08-31-2011 11:11 AM
Hello,
Not really with MAC addresses, but with IPs. You will match the hosts using ACLs.
Thanks.
Mike
08-31-2011 11:16 AM
Thank you for your reply, please could you post an example?
08-31-2011 11:23 AM
Here it goes:
access-list urlfilter permit tcp host x.x.x.x any eq 80
class-map httptraffic
 match access-list urlfilter
regex domainlist3 "\.facebook\.com"
class-map type regex match-any DomainBlockList
 match regex domainlist3
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
policy-map type inspect http http_inspection_policy
 class BlockDomainsClass
  reset log
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
service-policy inside-policy interface inside
If you note, it is the same configuration posted here:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
However, the only thing you need to modify is the class map called httptraffic, which has the hosts that are going to match this policy.
Hope it helps.
Mike
08-31-2011 11:37 AM
Okay, great, so two questions: would the following work? And am I correct in assuming that only those IP addresses listed in "urlfilter" will be subject to the filtering, and all others will be permitted?
access-list urlfilter permit tcp host 192.168.1.50 any eq 80
access-list urlfilter permit tcp host 192.168.1.51 any eq 80
access-list urlfilter permit tcp host 192.168.1.52 any eq 80
access-list urlfilter permit tcp host 192.168.1.53 any eq 80
class-map httptraffic
 match access-list urlfilter
regex domainlist1 "\.facebook\.com"
regex domainlist2 "\.twitter\.com"
regex domainlist3 "\.myspace\.com"
regex domainlist4 "\.youtube\.com"
class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex domainlist3
 match regex domainlist4
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
policy-map type inspect http http_inspection_policy
 class BlockDomainsClass
  reset log
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
service-policy inside-policy interface inside
08-31-2011 11:49 AM
Correct! Only the IP addresses under urlfilter will be hitting this policy.
Mike Rojas
Security Technical Lead
08-31-2011 11:51 AM
Great, and the config looked okay? Also, rather than individual IPs, can I specify a subnet in the urlfilter list?
08-31-2011 12:15 PM
Hi,
Yes, it does look OK; you can specify subnets there too. In case you need to allow just one host on a subnet, you can also include a deny statement on that same access list so that one single host is not affected but the rest of the subnet is.
Mike
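As an added example that is not part of the thread or of Cisco's documentation, the following Python model walks through how the policy posted above behaves for a few sample requests: first-match evaluation of the urlfilter ACL (including the deny-before-permit pattern Mike describes for exempting one host from a filtered subnet), then the match-any regex class applied to the Host header. Python's re.search stands in for the ASA regex engine here, which is an assumption; the ACL entries, host addresses and Host values are constructed for the example. It shows two points worth checking before relying on this config: the patterns as written require a leading dot, so a bare "facebook.com" Host value is not matched, and the ACL only captures port 80, so HTTPS traffic is never handed to the HTTP inspection policy.

```python
import ipaddress
import re
from dataclasses import dataclass

# The regexes from the thread, unanchored, exactly as configured on the ASA.
DOMAIN_REGEXES = {
    "domainlist1": r"\.facebook\.com",
    "domainlist2": r"\.twitter\.com",
    "domainlist3": r"\.myspace\.com",
    "domainlist4": r"\.youtube\.com",
}

# Constructed ACL "urlfilter" as an ordered list of (action, source network, dest port).
# The deny for 192.168.1.10 sits ahead of the subnet permit, which is the
# pattern for leaving one host unfiltered while the rest of the subnet is filtered.
URLFILTER_ACL = [
    ("deny", "192.168.1.10/32", 80),
    ("permit", "192.168.1.0/24", 80),
]


@dataclass
class Request:
    src_ip: str
    dst_port: int
    host_header: str


def acl_matches(acl, src_ip, dst_port):
    """First-match ACL evaluation: the first entry whose network and port match
    decides; a deny hit means the host is NOT sent to the inspection policy.
    Nothing matching at all falls through to the implicit deny (not inspected)."""
    ip = ipaddress.ip_address(src_ip)
    for action, net, port in acl:
        if ip in ipaddress.ip_network(net) and dst_port == port:
            return action == "permit"
    return False


def matching_regexes(host_header):
    """Names of the regexes that fire on a Host value (match-any semantics:
    one hit is enough for the class to match). Assumes re.search behaviour."""
    return [name for name, pat in DOMAIN_REGEXES.items() if re.search(pat, host_header)]


def evaluate(req):
    """Outcome for one HTTP request: 'not-inspected' when the urlfilter ACL does
    not select it, 'reset' when a blocked domain matches, otherwise 'allow'."""
    if not acl_matches(URLFILTER_ACL, req.src_ip, req.dst_port):
        return "not-inspected"
    return "reset" if matching_regexes(req.host_header) else "allow"


if __name__ == "__main__":
    samples = [
        Request("192.168.1.50", 80, "www.facebook.com"),       # filtered host, blocked domain
        Request("192.168.1.50", 80, "facebook.com"),           # no leading dot: pattern does not fire
        Request("192.168.1.50", 80, "www.facebook.com.cdn.example"),  # unanchored: still fires
        Request("192.168.1.10", 80, "www.facebook.com"),       # exempted by the deny entry
        Request("10.0.0.5", 80, "www.facebook.com"),           # outside the filtered subnet
        Request("192.168.1.50", 443, "www.facebook.com"),      # HTTPS: port 443 not in the ACL
    ]
    for r in samples:
        print(f"{r.src_ip:>14} :{r.dst_port:<4} Host={r.host_header:<30} -> {evaluate(r)}")
```

The third sample is the one to keep in mind when tuning the regex list: because the ASA patterns are not anchored to the end of the Host value, any hostname that merely contains ".facebook.com" is reset, which is usually intended but is worth confirming against real traffic with the `log` action before widening the list.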
08-31-2011 12:25 PM
Great, thanks