02-24-2011 10:17 PM - last edited on 03-25-2019 05:45 PM by ciscomoderator
Dear all,
I want to block some social networking sites using an ASA 5510 with the CSC-SSM. As I searched, I came to know that the ASA 5510 can't inspect and intercept https traffic because it is encrypted while traversing through the ASA. I want the ASA to work for https too, not only http. Can I perform this task by updating any software on the existing device? Any response will be appreciated.
Thanks in Advance
Hari,
02-24-2011 10:29 PM
No, there is no software update for the CSC module that will allow that, because to be able to decrypt the HTTPS traffic and inspect it, you would be required to perform a man-in-the-middle as the packet is encrypted, and the CSC module is not capable of doing that.
08-20-2014 07:36 AM
Hello
http inspection is working, but https gets me to the page I am trying to hide.
I can block
http://xxx.whatever.com/somewhere_i_want_to_hide/page.html
using the documents referenced above.
However, if I prepend the URL with https:// this bypasses the http inspection on the ASA (v9).
Now I understand "deep packet" inspection is not possible due to encryption under SSL, but why can't the ASA block the access to the page, seeing as the top-level URL is not actually anything but clear text?
This is my code snippet that works OK to block http with "webservices" in it.
I need to do the same for https:// {blah-webservices-blah}
! regex matched against the request URI by the inspect-http class-map below
regex blockex1 ".*webservices.*\.svc"
!
class-map inspection_default
 match default-inspection-traffic
class-map type inspect http match-any block-url-class
 match request uri regex blockex1
!
! http inspection policy: drop and log any request whose URI matches the regex
policy-map type inspect http block-url-policy
 parameters
 class block-url-class
  drop-connection log
policy-map global_policy
 description inspect and block specific http URI requests
 class inspection_default
 .
 .
  inspect http block-url-policy
!
service-policy global_policy global
thanks
dave
08-20-2014 11:42 AM
Hi,
I'm afraid that when the protocol used is https (and not http), http inspection won't work.
You can try this:
http://www.tunnelsup.com/using-just-a-cisco-asa-to-block-specific-websites
HTH,
Pavel
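As an added illustration of Dave's question and Pavel's answer (example code, not from any poster in this thread), the Python below shows what a URI regex such as Dave's ".*webservices.*\.svc" can actually act on: it pulls the request URI out of a cleartext HTTP request, while from a TLS ClientHello it can recover only the server name (SNI), because the path never appears in clear text. The HTTP request bytes and the ClientHello are constructed sample data, and all function names (u16, http_request_uri, build_client_hello, tls_client_hello_sni, uri_regex_would_block) are mine; xxx.whatever.com is the host from the thread.

```python
import re
# Dave's ASA regex: "class-map type inspect http" matches it against the request URI.
BLOCK_RE = re.compile(r".*webservices.*\.svc")
HTTP_REQ = (b"GET /somewhere_i_want_to_hide/blah-webservices-blah.svc HTTP/1.1\r\n"
            b"Host: xxx.whatever.com\r\n\r\n")      # constructed sample: cleartext http:// request

def u16(buf, off):                                    # big-endian 16-bit field
    return int.from_bytes(buf[off:off + 2], "big")

def http_request_uri(payload):
    """Return the URI from a cleartext HTTP request line, or None if this is not HTTP."""
    _method, uri, version = (payload.partition(b"\r\n")[0].split(b" ") + [b""] * 3)[:3]
    return uri.decode("ascii", "replace") if version.startswith(b"HTTP/") else None

def build_client_hello(host):
    """Construct a minimal TLS ClientHello whose only extension is SNI (sample data)."""
    name = host.encode()
    server_name = b"\x00" + len(name).to_bytes(2, "big") + name          # name_type host_name
    ext = (b"\x00\x00" + (len(server_name) + 2).to_bytes(2, "big")       # ext type 0, ext length
           + len(server_name).to_bytes(2, "big") + server_name)          # ServerNameList
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                         # version, random, no session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                          # one cipher suite, null compression
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                   # handshake type ClientHello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs             # TLS record header

def tls_client_hello_sni(payload):
    """Return the SNI host from a ClientHello, or None (not TLS, no SNI, or malformed)."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:   # handshake record carrying a ClientHello
            return None
        hs = payload[5:5 + u16(payload, 3)]
        i = 4 + 2 + 32                                 # handshake header, version, random
        i += 1 + hs[i]                                 # session id
        i += 2 + u16(hs, i)                            # cipher suites
        i += 1 + hs[i]                                 # compression methods
        end, i = i + 2 + u16(hs, i), i + 2             # extensions block
        while i + 4 <= end:
            etype, elen = u16(hs, i), u16(hs, i + 2)
            if etype == 0:                             # server_name: list_len(2) type(1) name_len(2) name
                body = hs[i + 4:i + 4 + elen]
                return body[5:5 + u16(body, 3)].decode("ascii", "replace")
            i += 4 + elen
    except IndexError:
        pass
    return None

def uri_regex_would_block(payload):                   # what "match request uri regex" can act on
    uri = http_request_uri(payload)
    return uri is not None and BLOCK_RE.match(uri) is not None
```

The host name is the only part of the https:// URL a firewall sees without decrypting, which is why a host-based block is the fallback for https while a URI regex works only for http.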
02-25-2011 05:55 AM
Hi,
I am afraid the only thing you can do is http inspection with a URI or URL regex and then an appropriate action.
A nice document on this: https://supportforums.cisco.com/docs/DOC-1268
HTH
Pavel