04-16-2013 12:12 AM - edited 03-11-2019 06:28 PM
I have an configuration of ASA 5510:
ASA5510# show run
: Saved
:
ASA Version 8.3(1)
!
hostname ASA5510
domain-name lohoi.local
enable password *************l encrypted
passwd ****************** encrypted
names
!
interface Ethernet0/0
description Connect_to_Modem
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0
!
interface Ethernet0/1
description Connect_to_Router2911
nameif inside
security-level 100
ip address 172.16.10.2 255.255.255.240
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ether
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Management
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
!
regex urlngoisao ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"
regex urlzing ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"
regex urlfacebook ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"
regex youtube "\.youtube\.com"
regex faceboo ".*facebook\.com"
regex urlyoutube ".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss
regex ngoisao "\.ngoisao\.net"
regex zing "\.zing\.vn"
regex contenttype "Content-Type"
regex applicationheader "application/.*"
ftp mode passive
clock timezone ICT 7
dns server-group DefaultDNS
domain-name lohoi.local
object network obj-any
subnet 0.0.0.0 0.0.0.0
object network GroupDenyweb
range 192.168.10.26 192.168.10.254
description han che try
object network facebook
host 173.252.110.27
object-group service 8080 tcp
port-object eq 8080
access-list 101 extended permit icmp any any
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit tcp any any
access-list inside_mpc extended permit tcp object GroupDenyweb any eq www
access-list inside_mpc extended permit tcp object GroupDenyweb any object-group
8080
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
asdm history enable
arp timeout 14400
!
object network obj-any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 192.168.18.1 255.255.255.224 172.16.10.1 1
route inside 192.168.10.0 255.255.255.0 172.16.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 management
http authentication-certificate inside
http authentication-certificate management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldst
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca server
shutdown
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password ********** encrypted privilege 1
!
class-map type regex match-any Domainblocklist
match regex faceboo
match regex youtube
match regex zing
match regex ngoisao
class-map type inspect http match-all BlockDomainsClass
match request header host regex class Domainblocklist
class-map type regex match-any Urlblocklist
match regex urlfacebook
match regex urlyoutube
match regex urlzing
class-map type inspect http match-all asdm_medium_security_methods
match not request method head
match not request method post
match not request method get
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all AppHeaderClass
match response header regex contenttype regex applicationheader
class-map httptraffic
match access-list inside_mpc
class-map type inspect http match-all BlockURLsClass
match request uri regex class Urlblocklist
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
match request method connect
drop-connection log
class AppHeaderClass
drop-connection log
class BlockURLsClass
reset log
class BlockDomainsClass
reset log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect ip-options
policy-map inside-policy
class httptraffic
inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http
CEService
destination address email
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4b78471cda2bbc5949a3cd80d4ede082
: end
ASA5510#
When i configure to block websites it's ok, but websites unblock to access very slowly, sometime i can't access. My company has 50 users, all most them can't access unblock sites. How can i configure it better?
04-24-2013 12:02 AM
Hi Bro
I assume, if you were to bypass your Cisco FW, browsing to these websites are fast, am I right? I'm not sure where your issues are, but let’s try to eliminate one by one
Step 1 - Addedd these ACLs and see if these solves your problem
access-list 101 line 1 deny tcp any any eq 80
access-list 101 line 2 deny tcp any any eq 443
Step 2 - Undo Step 1 and disable threat-detection and see if these solve your problem
no threat-detection basic-threat
Step 3 - Undo Step 2 and remove class-map httptraffic and see if these solve your problem
class-map httptraffic
Once we know which step is the root cause, it will be much easier to drill down to the solution.
Regards,
Ram
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide