02-16-2010 04:35 PM - edited 03-11-2019 10:10 AM
Hi,
I have ASA 5510 (8.0.2), ASDM 6.1 and ASA-SSM-10 6.1. We have a web site located at DMZ with a public IP address. It is accessible from the Internet via the public IP address. While keeping web site access enabled, I need to block access to http://X.X.X.X/Login.aspx from public IP addresses, i.e., the Internet. We still need to access this link from inside.
1. I tried to create regular expressions with \x.x.x.x AND \X.X.X.\login.aspx
2. I created a regular expression class and allocated these two expressions to the class.
3. Then I created an http class map with Criterion "Request URI" and the Value Regular Expression Class that I have created above (2) for http inspection policy.
4. Then I created an HTTP Inspect map and added inspection for the http class map that I have created(3) with the action "Reset" and log "Enable".
5. Then I added a new service policy to outside interface.
6. Match criteria "source and Destination IP..."
7. Source : Any, Destination : X.X.X.X, service: tcp/http and enabled rule
8. At Protocol inspection, checked "HTTP" and clicked on Configuration
9. "Select a HTTP inspect map for the fine control..." and choose the inspection policy created above (3)
Unfortunately, after this config change, we were still able to access http://X.X.X.X/Login.aspx from both inside and outside.
Thanks in advance for any suggestions...
Semih
02-16-2010 06:07 PM
check this link out:
https://supportforums.cisco.com/docs/DOC-1268#Block_specific_urls
Is this what you configured and it does not work?
-KS
02-16-2010 06:21 PM
Hi Kusankar,
Yes, I followed that link's instructions for "Block specific URLs", but with the following changes:
1. I used case insensitive regular expressions to cover login or login.aspx:
regex login2 "/[Ll][Oo][Gg][Ii][Nn].[Aa][Ss][Pp][Xx]"
regex login "/[Ll][Oo][Gg][Ii][Nn]"
2. I did not apply it to the global policy. Since I wanted to block only incoming requests from outside to our DMZ, I applied it to the outside interface and outside policy.
Now I cannot even access the http://X.X.X.X web site from outside.
Thanks
Semih
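To see what the two posted patterns actually match, here is an added Python model (not part of the thread and not Cisco code): it runs the posted regexes, plus a tighter variant that I assume rather than take from the thread, over a few constructed request URIs, using re.search to model the ASA's unanchored substring match. The ASA regex engine is its own, but for bracket classes, '.', '\.' and '^' the semantics coincide.

```python
import re

# The two ASA regex strings posted in the thread, copied verbatim.
# Note the '.' in login2 is unescaped, so it matches any single character.
REGEX_LOGIN2 = r"/[Ll][Oo][Gg][Ii][Nn].[Aa][Ss][Pp][Xx]"
REGEX_LOGIN = r"/[Ll][Oo][Gg][Ii][Nn]"
# Tighter alternative (my assumption, not from the thread): anchor to the start
# of the request URI and escape the dot, so only the login page itself matches.
REGEX_LOGIN2_STRICT = r"^/[Ll][Oo][Gg][Ii][Nn]\.[Aa][Ss][Pp][Xx]"

PATTERNS = {
    "login2": REGEX_LOGIN2,
    "login": REGEX_LOGIN,
    "login2_strict": REGEX_LOGIN2_STRICT,
}

# Constructed sample request URIs (the path part that the ASA "Request URI"
# criterion inspects); a real site would have many more.
SAMPLE_URIS = [
    "/Login.aspx",
    "/login.aspx?ReturnUrl=/",
    "/LOGIN.ASPX",
    "/index.html",
    "/loginhelp.html",
    "/images/login-aspx.png",
]


def blocked_uris(pattern, uris=SAMPLE_URIS):
    """URIs that a match-any regex class containing `pattern` would act on.
    re.search models the ASA's unanchored substring match for these constructs."""
    return [u for u in uris if re.search(pattern, u)]


def collateral(pattern, intended=REGEX_LOGIN2_STRICT, uris=SAMPLE_URIS):
    """URIs blocked by `pattern` that the intended (strict) pattern leaves alone:
    the collateral damage a too-broad regex causes on the rest of the site."""
    wanted = set(blocked_uris(intended, uris))
    return [u for u in blocked_uris(pattern, uris) if u not in wanted]


if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        print(f"{name:14} blocks     {blocked_uris(pat)}")
        print(f"{'':14} collateral {collateral(pat)}")
```

The bare "login" regex hits every path containing "/login", so anything the site serves under such a path is reset along with the login page.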
02-16-2010 06:29 PM
Hi Kusankar,
Just an update: it reaches http://X.X.X.X, but extremely slowly. It takes around 5 minutes to load the web site. It also blocks login.aspx. But if I remove the inspection, it loads in 10 seconds.
Thanks
Semih
02-16-2010 06:36 PM
Do you also have a CSC module?
Any errors on the interfaces? sh int | i errors
Adding HTTP inspection requires packets to arrive in order on the ASA. If you receive a large amount of out-of-order packets, this is going to add latency.
-KS
02-16-2010 07:16 PM
Hi Kusankar,
No, we do not have CSC.
Actually, after I removed the second regular expression and left only login2 (login.aspx), it started working. Now we can access the web site in normal time and no one can access http://X.X.X.X/login.aspx. There is one thing though: when people try to access http://X.X.X.X/login.aspx, the PC waits for 5-10 minutes before it fails to connect. Is there any way to decrease the time?
Thanks
Semih
02-17-2010 08:59 AM
You can change the action from "drop-connection" to reset. Then the browser will know right away that it was denied.
I hope it helps.
PK
02-17-2010 05:11 PM
Thanks everyone for the help.
I have already used Kusankar's link for this. But it started working only after I used one parameter rather than 2.
For the delay in rejecting the access, I changed the action to reset rather than drop connection as recommended by pkampana; it did not change anything. Currently, the web site is accessible and /login.aspx is blocked. Therefore I will leave it as is for now.
Thanks again...
Semih