11-12-2013 11:08 PM - edited 03-11-2019 08:04 PM
Здравствуйте знатоки Cisco!
Обчитавшись про блокировку URL (
https://supportforums.cisco.com/docs/DOC-21128#__URL_______URL__ )
решил настроить это добро, благо подвернулась ASA 5505 с Sec+
Раньше работал с tik'ами поэтому в Cisco новичек обчитанный, так что сильно не пинайте
Что хочу от железки:
0/0 - internet
0/1 - lan1 (этим доступно все)
0/2 - lan2 (этим только yandex.ru, mail.ru)
----------------------
задача казалось бы тривиальная но в целях эксперимента я себе ее временно еще упростил до такого состояния:
0/0 - outside
0/1 - inside (этим только yandex.ru, mail.ru)
и получил вот такой конфиг:
-------------------------------------------------------------------------
Hello experts on Cisco!
I am Read about URL blocking (
https://supportforums.cisco.com/docs/DOC-21128# __ URL _______ URL __)
I decided to adjust this good, the benefit ASA 5505 with Sec +
Earlier the beginner obchitanny so strongly don't kick worked with Tik's therefore in Cisco
That I want from a piece of iron:
0/0 - internet
0/1 - lan1 (it all is available)
0/2 - lan2 (to these only yandex.ru, mail.ru)
----------------------
the task would seem trivial but for experiment I to myself temporarily still simplified it to such condition:
0/0 - outside
0/1 - inside (to these only yandex.ru, mail.ru)
also I received here such config:
-------------------------------------------------------------------------
!
ASA Version 9.1(3)
!
hostname ciscoasa
enable password ххххххххххххххх encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
regex allowex1 "mail\.ru"
regex allowex2 "yandex\.ru"
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list user-acl extended deny tcp host 192.168.2.5 any eq www
access-list user-acl extended permit tcp any any eq www
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.5-192.168.2.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username sudo password ххххххххххххххх encrypted privilege 15
!
class-map allow-user-class
match access-list user-acl
class-map type inspect http match-all allow-url-class
match not request header host regex allowex2
match not request header host regex allowex1
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http allow-url-policy
parameters
class allow-url-class
reset
policy-map allow-user-url-policy
class allow-user-class
inspect http allow-url-policy
!
service-policy allow-user-url-policy interface inside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:30b6a9707e7bbe0c8bb43ce4c9ecd1af
: end
-------------------------------------------------------------------------------------------
192.168.2.5 - это мой хост с которого я тестирую блокировки
в общем не блокирует и вот что интересно ..... с адреса
192.168.2.5 которому предназначается блокировка я открываю яндекс .... открывается, открываю гугл, не открывается, в яндексе пишу поисковый запрос гугл, открывает ссылки среди которых есть гугл, жму ссылку - открывается подлый гугл. я в шоке
Даже не знаю как тут быть, может есть знающий человек который подскажет как решить данный вопрос.
-------------------------------------------------------------------------------------------
192.168.2.5 - it is my host from which I test blocking
generally doesn't block and here that is interesting..... from the address
192.168.2.5 to which blocking I intends I open Yandex.... opens, I open Google, doesn't open, in Yandex I write search inquiry Google, opens links among which there is Google, press the link - mean Google opens. I shocked
At all I don't know as here to be, the knowing person who will prompt as can eat to solve the matter.
11-13-2013 01:16 AM
Hi Vasiliy,
Any chance you could post this in english?
11-14-2013 10:21 AM
Может кто ответит?
11-14-2013 02:40 PM
Hello Vasily,
Here is your problem:
class-map type inspect http match-all allow-url-class
match not request header host regex allowex2
match not request header host regex allowex1
policy-map type inspect http allow-url-policy
parameters
class allow-url-class
reset
policy-map allow-user-url-policy
class allow-user-class
inspect http allow-url-policy
You are saying Anything that does NOT match what you have on the class-map it will get denied.
So what's on the class-map gets allowed but the rest gets blocked.
That's it
You can eat and rest now hehe
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: