cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
638
Views
0
Helpful
3
Replies

cisco ASA 5505 и URL filter

sudo20121
Level 1
Level 1

Здравствуйте знатоки Cisco!

Обчитавшись про блокировку URL (

https://supportforums.cisco.com/docs/DOC-21128#__URL_______URL__  )

решил настроить это добро, благо подвернулась ASA 5505 с Sec+

Раньше работал с tik'ами поэтому  в  Cisco новичек обчитанный, так что сильно не пинайте

Что хочу от железки:

0/0 - internet

0/1 - lan1 (этим доступно все)

0/2 - lan2 (этим только yandex.ru, mail.ru)

----------------------

задача казалось бы тривиальная но в целях эксперимента я себе ее временно еще упростил до такого состояния:

0/0 - outside

0/1 -  inside (этим только yandex.ru, mail.ru)

и получил вот такой конфиг:

-------------------------------------------------------------------------

Hello experts on Cisco!

I am Read about URL blocking (

https://supportforums.cisco.com/docs/DOC-21128# __ URL _______ URL __)

I decided to adjust this good, the benefit ASA 5505 with Sec +

Earlier the beginner obchitanny so strongly don't kick worked with Tik's therefore in Cisco

That I want from a piece of iron:

0/0 - internet

0/1 - lan1 (it all is available)

0/2 - lan2 (to these only yandex.ru, mail.ru)

----------------------

the task would seem trivial but for experiment I to myself temporarily still simplified it to such condition:

0/0 - outside

0/1 - inside (to these only yandex.ru, mail.ru)

also I received here such config:

-------------------------------------------------------------------------
!
ASA Version 9.1(3)
!
hostname ciscoasa
enable password ххххххххххххххх encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
regex allowex1 "mail\.ru"
regex allowex2 "yandex\.ru"
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list user-acl extended deny tcp host 192.168.2.5 any eq www
access-list user-acl extended permit tcp any any eq www
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.2.5-192.168.2.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username sudo password ххххххххххххххх encrypted privilege 15
!
class-map allow-user-class
match access-list user-acl
class-map type inspect http match-all allow-url-class
match not request header host regex allowex2
match not request header host regex allowex1
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http allow-url-policy
parameters
class allow-url-class
  reset
policy-map allow-user-url-policy
class allow-user-class
  inspect http allow-url-policy
!
service-policy allow-user-url-policy interface inside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:30b6a9707e7bbe0c8bb43ce4c9ecd1af
: end

-------------------------------------------------------------------------------------------

192.168.2.5 - это мой хост с которого я тестирую блокировки

в общем не блокирует и вот что интересно ..... с адреса

192.168.2.5  которому предназначается блокировка я открываю яндекс .... открывается, открываю гугл, не открывается, в яндексе пишу поисковый запрос гугл, открывает ссылки среди которых есть гугл, жму ссылку - открывается подлый гугл. я в шоке

        Даже не знаю как тут быть, может есть знающий человек который подскажет как решить данный вопрос.

-------------------------------------------------------------------------------------------

192.168.2.5 - it is my host from which I test blocking

generally doesn't block and here that is interesting..... from the address

192.168.2.5 to which blocking I intends I open Yandex.... opens, I open Google, doesn't open, in Yandex I write search inquiry Google, opens links among which there is Google, press the link - mean Google opens. I shocked

         At all I don't know as here to be, the knowing person who will prompt as can eat to solve the matter.

3 Replies 3

Hi Vasiliy,

Any chance you could post this in english?

--
Please remember to select a correct answer and rate helpful posts

sudo20121
Level 1
Level 1

Может кто ответит?

Hello Vasily,

Here is your problem:

class-map type inspect http match-all allow-url-class

match not request header host regex allowex2

match not request header host regex allowex1

policy-map type inspect http allow-url-policy

parameters

class allow-url-class

  reset

policy-map allow-user-url-policy

class allow-user-class

  inspect http allow-url-policy

You are saying Anything that does NOT match what you have on the class-map it will get denied.

So what's on the class-map gets allowed but the rest gets blocked.

That's it

You can eat and rest now hehe

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: