01-08-2012 11:09 PM - edited 03-11-2019 03:11 PM
Hi all,
I am trying to get layer 7 application protocol to work in a simple test setup. I need to get this working to filter roommate traffic. Simple configuration with two interfaces (inside and outside). With layer application configured, everything works fine, but when layer 7 is applied it does not block the web site I want... URL filter and parameter map don't work either...
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
parameter-map type urlfilter URL-FILTER
 audit-trail on
parameter-map type regex humoron
 pattern [Hh][Uu][Mm][Oo][Rr][Oo][Nn][.][Cc][Oo][Mm]
parameter-map type regex LAPOSTE1
 pattern LAPOSTE.NET
class-map type inspect match-any EXPRESSION
 match access-group 105
 match protocol tcp
 match protocol udp
 match protocol dns
 match protocol http
 match protocol https
class-map type inspect match-any HTTP
 match access-group 105
 match protocol tcp
 match protocol udp
 match protocol ftp
 match protocol icmp
class-map type inspect http match-any HUMORON
 match request body regex humoron
 match request header regex humoron
 match request port-misuse im
 match request port-misuse p2p
 match request port-misuse tunneling
 match request port-misuse any
 match request arg regex humoron
 match request uri regex humoron
 match response status-line regex humoron
 match req-resp header regex humoron
 match req-resp protocol-violation
class-map type inspect http match-any LAPOSTE
 match request body regex LAPOSTE1
 match request header regex LAPOSTE1
 match request port-misuse p2p
 match request port-misuse tunneling
 match request arg regex LAPOSTE1
 match request uri regex LAPOSTE1
 match response body regex LAPOSTE1
 match response body java-applet
 match response status-line regex LAPOSTE1
 match req-resp protocol-violation
!
!
policy-map type inspect HTTP_POL
 class type inspect HTTP
  inspect
 class type inspect EXPRESSION
  inspect
 class class-default
  drop
policy-map type inspect http Adult_site
 class type inspect http HUMORON
  log
  reset
policy-map type access-control out2inside_policy
!
zone security INSIDE_ZONE
 description inside interface f0/2
zone security OUTSIDE_ZONE
 description outside interface f0/0
zone-pair security outside2inside source OUTSIDE_ZONE destination INSIDE_ZONE
zone-pair security INSIDE2OUTSIDE source INSIDE_ZONE destination OUTSIDE_ZONE
 description web traffic
 service-policy type inspect HTTP_POL
!
!
!
IOS_VPN#sh policy-map type inspect
 Policy Map type inspect HTTP_POL
  Class HTTP
   Inspect
  Class EXPRESSION
   Drop
  Class class-default
   Pass
Thanks,
01-09-2012 12:41 PM
Any ideas??
Thanks,
Eddy
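A reference check over the configuration posted in this thread, added here as an example and not written by any poster or by Cisco. It assumes that, in IOS zone-based firewall, a Layer 7 HTTP policy-map is attached with `service-policy http <name>` under a class of the top-level inspect policy-map; `lint_zbfw` and `SAMPLE` are hypothetical names, and `SAMPLE` is an excerpt constructed from the posted lines.

```python
import re
# Constructed excerpt: lines taken from the configuration posted above.
SAMPLE = """\
class-map type inspect http match-any HUMORON
 match request uri regex humoron
class-map type inspect http match-any LAPOSTE
 match request uri regex LAPOSTE1
policy-map type inspect HTTP_POL
 class type inspect HTTP
  inspect
policy-map type inspect http Adult_site
 class type inspect http HUMORON
  reset
zone-pair security outside2inside source OUTSIDE_ZONE destination INSIDE_ZONE
zone-pair security INSIDE2OUTSIDE source INSIDE_ZONE destination OUTSIDE_ZONE
 description web traffic
 service-policy type inspect HTTP_POL
"""

# Where each Layer 7 HTTP object is defined, and where it is referenced.
DEFS = {"http policy-map": r"policy-map type inspect http (\S+)",
        "http class-map": r"class-map type inspect http (?:match-(?:any|all) )?(\S+)"}
USES = {"http policy-map": r"service-policy http (\S+)",
        "http class-map": r"class type inspect http (\S+)"}

def lint_zbfw(config):
    """Report L7 HTTP objects that are never referenced and empty zone-pairs."""
    defined = {k: [] for k in DEFS}
    used = {k: set() for k in USES}
    pairs, current = {}, None      # zone-pair name -> attached policy (or None)
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"zone-pair security (\S+)", line):
            current = m[1]
            pairs[current] = None
        elif current and (m := re.match(r"service-policy type inspect (\S+)", line)):
            pairs[current] = m[1]
        elif not line.startswith("description"):
            current = None         # any other command ends the zone-pair block
        for kind in DEFS:
            if m := re.match(DEFS[kind], line):
                defined[kind].append(m[1])
            if m := re.match(USES[kind], line):
                used[kind].add(m[1])
    findings = [f"{kind} {name} is defined but never referenced"
                for kind in DEFS for name in defined[kind] if name not in used[kind]]
    findings += [f"zone-pair {name} has no service-policy"
                 for name, policy in pairs.items() if policy is None]
    return findings
```

The zone-pair finding is a review item, not necessarily an error: traffic across a zone-pair with no policy attached is dropped.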