
FWSM URL FILTERING

I'm trying to filter URLs on my FWSM.

I have some problems because all my HTTPS traffic is being discarded.

The configuration is below:

class-map inside1-class
 match port tcp eq https
!
!
policy-map type inspect http URL
 description URL
 parameters
  protocol-violation action drop-connection
 match request uri regex FACEBOOK
  drop-connection log
 match request uri regex YOUTUBE
  drop-connection log
policy-map inside1-policy
 class inside1-class
  inspect http URL
!
service-policy inside1-policy interface inside1

Any good suggestions would be appreciated.



Julio Carvajal
VIP Alumni

Hello Jose,

You are matching HTTPS traffic. This will not work, as that traffic will be encrypted and the ASA will not be able to decrypt that traffic, as it's not working as a proxy.

For HTTPS content filtering you need to have a dedicated server such as a Websense box.

Regards,

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

I did it, man,

using the following script:

regex domainlist16 "\.sharing-file\.com"
regex domainlist17 "\.keepandshare\.com"
regex domainlist18 "\.kazaa\.com"
regex domainlist19 "\.zeropaid\.com"
regex domainlist20 "\.daniweb\.com"
regex domainlist21 "\.megashare\.com"
regex domainlist22 "\.ahlyegypt\.com"
regex domainlist23 "\.ultrareach\.net"
regex domainlist24 "\.wujie\.net"
regex domainlist25 "\.tv2free\.com"
regex domainlist26 "\.sharereactor\.com"
regex domainlist27 "\.youporn\.com"

class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex domainlist3
 match regex domainlist4
 match regex domainlist5
 match regex domainlist6
 match regex domainlist7
 match regex domainlist8
 match regex domainlist9
 match regex domainlist10
 match regex domainlist11
 match regex domainlist12
 match regex domainlist13
 match regex domainlist14
 match regex domainlist15
 match regex domainlist16
 match regex domainlist17
 match regex domainlist18
 match regex domainlist19
 match regex domainlist20
 match regex domainlist21
 match regex domainlist22
 match regex domainlist23
 match regex domainlist24
 match regex domainlist25
 match regex domainlist26
 match regex domainlist27

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList

####################################################################
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 8080

class-map httptraffic
 match access-list inside_mpc

####################################################################
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 class BlockDomainsClass
  reset log

policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy

####################################################################
service-policy inside-policy interface inside

The main problem that I had is that the client can still visit Facebook using

https://facebook.com

If I add in the ACL

access-list inside_mpc extended permit tcp any any eq 443

all my HTTPS traffic goes down.

Hello,

Okay, so just to end this: it will not work, as the content will be encrypted, bud.

Sorry to let you know that.

You need a content device capable of doing it.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
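To make concrete what Jose's working configuration and Julio's reply above describe, here is an added example in Python; it is not code from the thread and not FWSM or Cisco code. It emulates the posted modular policy: the `inside_mpc` port selection, the `protocol-violation action drop-connection` parameter, and the `match request header host regex class DomainBlockList` check, and runs constructed sample flows through it. The function names (`parse_http_request`, `inspect_http`, `classify_flow`), the sample requests and the truncated TLS ClientHello bytes are my own constructions, and the anchored regex list is my assumption that the FWSM regex engine honours `^` and `$` as the ASA documentation describes; the posted list uses unanchored `\.kazaa\.com` style patterns.

```python
"""Emulation of the FWSM 'inspect http' policy from the thread (added example,
not FWSM code). Shows why Host-header regex filtering works on TCP/80 but
drops every flow once TCP/443 is added to the inspected class."""
import re

# Constructed sample flows (not captures from the thread).
REQ_KAZAA = b"GET /index.html HTTP/1.1\r\nHost: www.kazaa.com\r\nUser-Agent: x\r\n\r\n"
REQ_APEX = b"GET / HTTP/1.1\r\nHost: kazaa.com\r\n\r\n"
REQ_EXAMPLE = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# Leading bytes of a TLS ClientHello, truncated after the 32-byte random:
# record header (type 0x16, version 3.1, length 0x26), then handshake type
# 0x01, length 0x22, client version 3.3, random. There is no plaintext
# HTTP request line or Host header anywhere in this flow.
TLS_CLIENT_HELLO = bytes.fromhex("160301002601000022" "0303") + b"\xde\xad\xbe\xef" * 8

# Three entries of the regex class-map "DomainBlockList" from the post.
DOMAIN_BLOCK_LIST = [r"\.kazaa\.com", r"\.megashare\.com", r"\.youporn\.com"]
# Anchored variant (my assumption, not in the post): also matches the apex
# host "kazaa.com", which the leading \. in the posted pattern lets through.
DOMAIN_BLOCK_LIST_ANCHORED = [r"(^|\.)kazaa\.com$", r"(^|\.)megashare\.com$",
                              r"(^|\.)youporn\.com$"]

# Ports selected by access-list inside_mpc as posted, and after the 443 ACE.
HTTP_PORTS = frozenset({80, 8080})
HTTP_PORTS_WITH_443 = frozenset({80, 8080, 443})


def parse_http_request(payload):
    """Return (method, target, headers) for a plaintext HTTP/1.x request head,
    or None when the bytes are not HTTP at all (what the inspection engine
    treats as a protocol violation)."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not method.isalpha() or not re.fullmatch(r"HTTP/1\.[01]", version):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def inspect_http(payload, block_list):
    """policy-map type inspect http as posted: a protocol violation drops the
    connection; a Host header matching any DomainBlockList regex is reset+logged."""
    req = parse_http_request(payload)
    if req is None:
        return "drop-connection (protocol-violation)"
    # Strip any :port suffix and lowercase before matching (emulation choice).
    host = req[2].get("host", "").split(":")[0].lower()
    if any(re.search(rx, host) for rx in block_list):
        return "reset log (BlockDomainsClass)"
    return "permit"


def classify_flow(dst_port, payload, block_list, inspected_ports):
    """class-map httptraffic + service-policy: only flows whose destination
    port is in access-list inside_mpc reach the HTTP inspection engine."""
    if dst_port not in inspected_ports:
        return "not inspected (class-map miss)"
    return inspect_http(payload, block_list)


if __name__ == "__main__":
    cases = [
        ("GET www.kazaa.com on 80", 80, REQ_KAZAA, DOMAIN_BLOCK_LIST, HTTP_PORTS),
        ("GET www.example.com on 80", 80, REQ_EXAMPLE, DOMAIN_BLOCK_LIST, HTTP_PORTS),
        ("ClientHello on 443, ACL without 443", 443, TLS_CLIENT_HELLO, DOMAIN_BLOCK_LIST, HTTP_PORTS),
        ("ClientHello on 443, ACL with 443", 443, TLS_CLIENT_HELLO, DOMAIN_BLOCK_LIST, HTTP_PORTS_WITH_443),
        ("GET kazaa.com on 80, posted regex", 80, REQ_APEX, DOMAIN_BLOCK_LIST, HTTP_PORTS),
        ("GET kazaa.com on 80, anchored regex", 80, REQ_APEX, DOMAIN_BLOCK_LIST_ANCHORED, HTTP_PORTS),
    ]
    for label, port, flow, rx, ports in cases:
        print(f"{label:40} -> {classify_flow(port, flow, rx, ports)}")
```

The fourth case is the symptom from the thread: once 443 is in the ACL, every HTTPS flow is handed to the HTTP engine, which sees TLS record bytes rather than a request line and applies `protocol-violation action drop-connection`, so all HTTPS traffic dies without any Host header ever being compared. The last two cases show a separate caveat with the posted list: because every pattern starts with `\.`, a request for the bare apex host (`Host: kazaa.com`) is not matched; anchoring the pattern closes that gap, assuming the device's regex engine supports the anchors.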

Thanks man,

After some hours of searching, and feeling angry that there are cheaper Linux servers that can do this, I recognize you're correct. Thanks for your help.

Regards

Hello Jose,

Hey man, my pleasure to help.

Have a great day.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC