11-04-2010 10:25 AM - edited 03-11-2019 12:05 PM
Hi experts!
I got a request from my boss to block different websites for different source IPs. I was able to block the same websites for all the IPs. Then I thought that I just needed to "deny the special IPs" in the original class-map and create a new class-map that "permits only these special IPs". Anyway, here is my config. I want to block "monster" websites for IP 10.26.105.107 (which is my laptop, for testing purposes).
regex BLOCKURLLIST01 "\.facebook\.com"
regex BLOCKURLLIST11 "\.monster\."
regex BLOCKURLLIST02 "evony\.com"
regex BLOCKURLLIST03 "twitter\.com"
regex BLOCKURLLIST04 "youtube\.com"
regex BLOCKURLLIST05 "boutell\.com"
class-map type regex match-any CMAP_BLOCKURLLIST
 match regex BLOCKURLLIST01
 match regex BLOCKURLLIST02
 match regex BLOCKURLLIST05
 match regex BLOCKURLLIST03
 match regex BLOCKURLLIST04
class-map type regex match-any CMAP_BLOCKURLLIST.1
 match regex BLOCKURLLIST11
class-map type inspect http match-all CMAP_INSPECTURLLIST
 match request header host regex class CMAP_BLOCKURLLIST
class-map type inspect http match-all CMAP_INSPECTURLLIST.1
 match request header host regex class CMAP_BLOCKURLLIST.1
policy-map type inspect http PMAP_URLLIST
 parameters
  protocol-violation action log
 class CMAP_INSPECTURLLIST
  drop-connection log
policy-map type inspect http PMAP_URLLIST.1
 parameters
  protocol-violation action log
 class CMAP_INSPECTURLLIST.1
  drop-connection log
access-list INSPECTURL extended deny tcp host 10.26.105.107 any eq www
access-list INSPECTURL extended permit tcp any any eq www
access-list INSPECTURL.1 extended permit tcp host 10.26.105.107 any eq www
class-map CMAP_HTTP
 match access-list INSPECTURL
class-map CMAP_HTTP.1
 match access-list INSPECTURL.1
policy-map PMAP_INSPECTURL
 class CMAP_HTTP
  inspect http PMAP_URLLIST
 class CMAP_HTTP.1
  inspect http PMAP_URLLIST.1
service-policy PMAP_INSPECTURL interface inside
The config in blue is the old config, and it still works for the rest of the IPs. However, my laptop can now go to any website, including "monster". My regex should be fine, because once I added the #11 regex to the original class-map, nobody (except my laptop) could go to "monster" any more.
I also found that the new ACL doesn't match any www traffic from me. However, the counter on the "deny" clause in the old ACL does match my traffic.
fw-dc-01(config)# sh access-list INSPECTURL
access-list INSPECTURL; 2 elements
access-list INSPECTURL line 1 extended deny tcp host 10.26.105.107 any eq www (hitcnt=369) 0xcce40994
access-list INSPECTURL line 2 extended permit tcp any any eq www (hitcnt=320948) 0x375d6ac6
fw-dc-01(config)# sh access-list INSPECTURL.1
access-list INSPECTURL.1; 1 elements
access-list INSPECTURL.1 line 1 extended permit tcp host 10.26.105.107 any eq www (hitcnt=0) 0x06b294db
That's why I'm wondering how a policy-map processes multiple class-maps. I thought it would process them in the order of their sequence in the config: if the traffic doesn't match the first class-map, it is matched against the second, until there is a match or no class-maps are left...
So I figured that one policy-map may only process one class-map of the same type (inspect HTTP). To prove my point, I changed the sequence of the class-maps in the policy-map. Now it looks like:
policy-map PMAP_INSPECTURL
 class CMAP_HTTP.1
  inspect http PMAP_URLLIST.1
 class CMAP_HTTP
  inspect http PMAP_URLLIST
As expected, I can't browse monster any more. However, to my surprise, the rest of the IPs are still blocked from the other websites!! If the policy-map only processed the first class-map, then obviously in this test it did process the other one!! But why didn't it work in the original sequence???
Guys, I'm so lost... Help!!
Thanks,
Difan
11-04-2010 11:06 AM
If the class-maps match the same protocols and IP addresses, then, as you are saying, you will be matching only the first one.
Though, in your case you are matching a class-map. You are matching the first class-map, but you are matching the deny in the ACL (it is still a match). So you will not be subject to the first policy (deny in the ACL), but the second policy will not be evaluated either, because you matched the deny. It seems kind of strange, but I am explaining how the feature works. There has been an enhancement request for this, but I don't think it has been fixed.
I hope it clarifies it.
PK
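As an added illustration (not from the thread and not Cisco's code), here is a small Python model of the class-map selection PK describes: classes of one feature type (inspect http) are walked in policy-map order, and the first class whose ACL produces a hit claims the flow, whether that hit is a permit or a deny. A permit hit applies the class's inspect policy; a deny hit applies nothing and ends evaluation, so the later class never sees the flow. The ACLs and class names come from the config above; the "other" host and the web server address are constructed, and ACL matching is simplified to source, destination and destination port.

```python
from ipaddress import ip_address, ip_network

# Constructed model of ASA MPF class-map selection for one feature type ("inspect http").
# Rule taken from the thread: class-maps are evaluated in policy-map order, and the first
# class whose ACL yields a hit (permit OR deny) claims the flow. A permit hit applies that
# class's inspect policy; a deny hit applies nothing and stops evaluation, so later classes
# never see the flow. This is an illustration, not Cisco's implementation.

ANY = "0.0.0.0/0"  # models the "any" keyword


def acl_lookup(acl, src, dst, dport):
    """First-match ACL evaluation. acl is a list of (action, src_net, dst_net, port).
    Returns 'permit', 'deny', or None when no ACE matched (implicit deny, no hit)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for action, src_net, dst_net, port in acl:
        if src_ip in ip_network(src_net) and dst_ip in ip_network(dst_net) and port == dport:
            return action
    return None


def select_inspect_policy(policy_map, acls, src, dst, dport=80):
    """Walk the policy-map's classes in order and return the inspect policy that
    applies to the flow, or None when no policy is applied."""
    for class_name, acl_name, inspect_policy in policy_map:
        hit = acl_lookup(acls[acl_name], src, dst, dport)
        if hit == "permit":
            return inspect_policy
        if hit == "deny":
            # The class "matched" via a deny ACE: no action, and no later class is tried.
            return None
    return None


def classes_with_deny(policy_map, acls):
    """Config check: report classes whose ACL contains a deny ACE, since such an ACE
    silently excludes the flow from every later class of the same feature type."""
    return [cls for cls, acl_name, _ in policy_map
            if any(action == "deny" for action, *_ in acls[acl_name])]


# ACLs from the thread's config (laptop 10.26.105.107; "any" modelled as 0.0.0.0/0).
ACLS = {
    "INSPECTURL":   [("deny",   "10.26.105.107/32", ANY, 80),
                     ("permit", ANY,                ANY, 80)],
    "INSPECTURL.1": [("permit", "10.26.105.107/32", ANY, 80)],
}

# Policy-map as (class-map, ACL it matches, inspect policy), in the two orders tried.
ORIGINAL_ORDER = [("CMAP_HTTP",   "INSPECTURL",   "PMAP_URLLIST"),
                  ("CMAP_HTTP.1", "INSPECTURL.1", "PMAP_URLLIST.1")]
REORDERED = list(reversed(ORIGINAL_ORDER))

# Constructed hosts: the laptop from the thread, some other inside host, a web server.
LAPTOP, OTHER, WEB = "10.26.105.107", "10.26.105.50", "198.51.100.10"

if __name__ == "__main__":
    for label, pmap in (("original", ORIGINAL_ORDER), ("reordered", REORDERED)):
        print(f"{label}: laptop -> {select_inspect_policy(pmap, ACLS, LAPTOP, WEB)}, "
              f"other -> {select_inspect_policy(pmap, ACLS, OTHER, WEB)}")
    print("classes whose ACL has a deny ACE:", classes_with_deny(ORIGINAL_ORDER, ACLS))
```

With the original order the laptop hits the deny ACE in INSPECTURL and ends up with no inspect policy at all, which is exactly the open access and the hitcnt on the deny line seen above; with the reordered policy-map it hits the permit in INSPECTURL.1 first and gets PMAP_URLLIST.1, while every other host falls through to CMAP_HTTP as before. The `classes_with_deny` check is the kind of pre-deployment review that flags a deny ACE inside a class-map ACL before it silently exempts traffic from later classes.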
11-04-2010 01:31 PM
Hi PK,
11-04-2010 01:48 PM
That is exactly it. The implicit deny in the ACL doesn't play in the class-maps.
Take care,
PK