
PIX515 URL filtering doesn't work

talgat.nur
Level 1

Dear colleagues,

I have one outside interface with global IP address 1.1.1.1 and two inside.

Both inside interfaces restrict and non_restrict have private IP addresses.

I tried to filter some URLs on PIX515 IOS 7.2, only on the restrict interface, but my filter does not work.

I can access prohibited URL from restrict interface.

Could you tell me what's wrong in my URL filtering?

Here is my config:

PIX Version 7.2(2)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
interface Ethernet1
 nameif restrict
 security-level 50
 ip address 192.168.2.1 255.255.255.128
!
interface Ethernet2
 nameif non_restrict
 security-level 100
 ip address 192.168.2.129 255.255.255.192
!
passwd 2KFQnbNIdI.2KYOU encrypted
regex domainlist1 "\.facebook\.com"
regex domainlist2 "\.twitter\.com"
regex domainlist3 "\.youtube\.com"
ftp mode passive
access-list inside_mpc extended permit tcp any any eq www
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (restrict) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex domainlist3
class-map inspection_default
 match default-inspection-traffic
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
class-map httptraffic
 match access-list inside_mpc
!
!
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection log
 class BlockDomainsClass
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface restrict
!
end

1 Reply

cadet alain
VIP Alumni

Hi,

Can you try inspecting http?

Regards.

Alain

Don't forget to rate helpful posts.
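Added example, not part of the thread: the http inspect policy from the original config, with an explicit action under class BlockDomainsClass. In the PIX/ASA 7.x modular policy framework an inspect class with no action line beneath it only classifies the request and blocks nothing, so that is the first thing to check for the behaviour described in the question; the names below are the ones from the posted config, only the `reset log` line is new.

```cisco
! Regex list and classes exactly as in the posted config
regex domainlist1 "\.facebook\.com"
regex domainlist2 "\.twitter\.com"
regex domainlist3 "\.youtube\.com"
!
class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex domainlist3
!
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
!
! HTTP inspection policy: the class now carries an action.
! "reset log" sends a TCP RST to both ends and logs the match;
! "drop-connection log" would silently drop instead.
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection log
 class BlockDomainsClass
  reset log
!
! Apply it to port-80 traffic entering the restrict interface,
! as the original post already does.
access-list inside_mpc extended permit tcp any any eq www
class-map httptraffic
 match access-list inside_mpc
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
service-policy inside-policy interface restrict
```

After applying it, `show service-policy interface restrict` shows the inspect counters for the policy, so a rising drop count on the class confirms the action is firing. Note also that `\.facebook\.com` requires a literal dot before the name, so a request whose Host header is the bare `facebook.com` would not match any of the three regexes and would pass regardless of the action.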