Dear collegues,
I have one outside interface with global IP address 1.1.1.1 and two inside.
Both inside interfaces restrict and non_restrict have private IP addresses.
I tried to filter some URLs on PIX515 IOS 7.2, only on restrict interface but my filter does not work.
I can access prohibited URL from restrict interface.
Could you tell me what's wrong in my URL filtering?
Here is my config:
PIX Version 7.2(2)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.252
!
interface Ethernet1
nameif restrict
security-level 50
ip address 192.168.2.1 255.255.255.128
!
interface Ethernet2
nameif non_restrict
security-level 100
ip address 192.168.2.129 255.255.255.192
!
passwd 2KFQnbNIdI.2KYOU encrypted
regex domainlist1 "\.facebook\.com"
regex domainlist2 "\.twitter\.com"
regex domainlist3 "\.youtube\.com"
ftp mode passive
access-list inside_mpc extended permit tcp any any eq www
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (restrict) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
class-map type regex match-any DomainBlockList
match regex domainlist1
match regex domainlist2
match regex domainlist3
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
class-map httptraffic
match access-list inside_mpc
!
!
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection log
class BlockDomainsClass
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map inside-policy
class httptraffic
inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface restrict
!
end