I have an ASA 5510 (8.0.2), ASDM 6.1 and ASA-SSM-10 6.1. We have a web site located in the DMZ with a public IP address. It is accessible from the Internet via the public IP address. While keeping web site access enabled, I need to block access to http://X.X.X.X/Login.aspx from public IP addresses, i.e., the Internet. We still need to be able to access this link from inside.
1. I tried to create regular expressions with \x.x.x.x AND \X.X.X.\login.aspx
2. I created a regular expression class and allocated these two expressions to the class.
3. Then I created an http class map with Criterion "Request URI" and the Value Regular Expression Class that I have created above (2) for http inspection policy.
4. Then I created an HTTP Inspect map and added inspection for the http class map that I have created (3) with the action "Reset" and log "Enable".
5. Then I added a new service policy to outside interface.
6. Match criteria "source and Destination IP..."
7. Source : Any, Destination : X.X.X.X, service: tcp/http and enabled rule
8. At Protocol inspection, checked "HTTP" and clicked on Configuration
9. "Select a HTTP inspect map for the fine control..." and choose the inspection policy created above (3)
Unfortunately, after this config change, we were still able to access http://X.X.X.X/Login.aspx from both inside and outside.
Thanks in advance for any suggestions...
Yes, I followed that link's instructions for "Block specific URIs", but with the following changes:
1. I used case insensitive regular expressions to cover login or login.aspx:
regex login2 "/[Ll][Oo][Gg][Ii][Nn].[Aa][Ss][Pp][Xx]"
regex login "/[Ll][Oo][Gg][Ii][Nn]"
2. I did not apply it to the global policy. Since I wanted to block only incoming requests from outside to our DMZ, I applied it to the outside interface and the outside policy.
Now I cannot even access the http://X.X.X.X web site from outside.
Just an update: it reaches http://X.X.X.X, but extremely slowly. It takes around 5 minutes to load the web site. It also blocks login.aspx. But if I remove the inspection, it loads in 10 seconds.
Do you also have a CSC module?
Any errors on the interfaces? sh int | i errors
Adding HTTP inspection requires packets to arrive in order on the ASA. If you receive a large amount of out-of-order packets, then this is going to add latency.
No, we do not have CSC.
Actually, after I removed the second regular expression and left only login2 (login.aspx), it started working. Now we can access the web site in normal time and no one can access http://X.X.X.X/login.aspx. There is one thing though: when people try to access http://X.X.X.X/login.aspx, the PC waits for 5-10 minutes before it fails to connect. Is there any way to decrease the time?
You can change the action from "drop-connection" to "reset". Then the browser will know right away that it was denied.
I hope it helps.
Thanks everyone for the help.
I have already used Kusankar's link for this. But it started working only after I used one parameter rather than 2.
For the delay in rejecting the access, I changed the action to reset rather than drop-connection as recommended by pkampana; it did not make any difference. Currently, the web site is accessible and /login.aspx is blocked. Therefore I will leave it as is for now.
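For reference, the CLI form of the single-regex setup that the thread ends up with (regex, regex class, HTTP class map, HTTP inspect map with reset and log, applied on the outside interface rather than the global policy), written here as an added example and not the poster's actual configuration. The object and policy names and the interface name "outside" are assumptions, X.X.X.X is the page's placeholder for the DMZ server, and the dot in the regex is escaped so it matches only a literal ".":

```cisco
! Added example: CLI equivalent of the configuration described in the thread.
! Names (login2, LOGIN_URIS, BLOCK_LOGIN, HTTP_BLOCK_LOGIN, OUTSIDE_WEB_ACL,
! OUTSIDE_WEB, OUTSIDE_POLICY) and the interface name "outside" are assumptions.
!
! Case-insensitive match for /login.aspx; "\." makes the dot literal
regex login2 "/[Ll][Oo][Gg][Ii][Nn]\.[Aa][Ss][Pp][Xx]"
!
! Regex class holding the URI pattern(s) to block
class-map type regex match-any LOGIN_URIS
 match regex login2
!
! HTTP class map: compare the Request URI against the regex class
class-map type inspect http match-all BLOCK_LOGIN
 match request uri regex class LOGIN_URIS
!
! HTTP inspect map: reset matching connections and log the event
policy-map type inspect http HTTP_BLOCK_LOGIN
 parameters
 class BLOCK_LOGIN
  reset log
!
! Only traffic from outside to the DMZ web server on tcp/80 is inspected
access-list OUTSIDE_WEB_ACL extended permit tcp any host X.X.X.X eq www
class-map OUTSIDE_WEB
 match access-list OUTSIDE_WEB_ACL
!
! Interface policy on "outside" only, so access from inside is untouched
policy-map OUTSIDE_POLICY
 class OUTSIDE_WEB
  inspect http HTTP_BLOCK_LOGIN
!
service-policy OUTSIDE_POLICY interface outside
```

`show service-policy interface outside` shows whether the inspect policy is attached and counting hits, which is the first thing to check when the block does not take effect.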