Beginner

Problem with HTTP inspection.

Hi,

I would like to find a way to give access to one website (let's say cisco.com), give access to whatever website has the word "test" in the URL, and block access to all the other websites for only one server (let's say the_server).

Here is the config I have now:

regex cisco.com "\.cisco\.com"
regex test "test"
regex all ".*"
!
access-list acl_test extended permit tcp object GLOUBIER any eq www
!
class-map inside-test
 match access-list acl_test
!
class-map type inspect http match-all http_url_filtering_test
 match request header host regex cisco.com
!
class-map type inspect http match-all http_url_filtering_test2
 match request uri regex test
!
class-map type inspect http match-all http_url_filtering_test3
 match request header host regex all
!
policy-map type inspect http http_url_inspection_test
 parameters
 class http_url_filtering_test
  log
 class http_url_filtering_test2
  log
 class http_url_filtering_test3
  drop-connection
!
policy-map inside-policy
 class inside-test
  inspect http http_url_inspection_test
!

Those rules aren't working (everything is blocked), but if I try each class-map individually, it works fine.

Is there a way to make the 3 rules (allow cisco.com, allow the word "test" in the URL, block the rest) work together?

Thanks for the answers and help.

1 ACCEPTED SOLUTION
Cisco Employee

Problem with HTTP inspection.

Hello,

I would suggest flipping your logic around to drop everything that doesn't match your allowed requests like this:

regex cisco.com "cisco\.com"
regex test "test"
!
access-list acl_test extended permit tcp object GLOUBIER any eq www
!
class-map inside-test
 match access-list acl_test
!
class-map type inspect http match-all filter-class
 match not request header host regex cisco.com
 match not request uri regex test
!
policy-map type inspect http filter-policy
 parameters
 class filter-class
  drop-connection
!
policy-map inside-policy
 class inside-test
  inspect http filter-policy

That makes the config a bit more manageable and should do what you are looking for.

-Mike
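To see why the original three-class policy blocks everything while the single negated class does what was asked, here is an added Python model (not from the thread or from Cisco) that classifies a few constructed requests under both policies. It assumes that when several inspection classes match one request, the drop-connection action overrides the log actions, and that ASA regexes are unanchored substring matches.

```python
import re

# Regexes as posted: the original used "\.cisco\.com" (leading dot), the answer "cisco\.com".
# Assumption: ASA regexes are unanchored, so a match anywhere in the field counts, like re.search().
ORIG = {"cisco.com": r"\.cisco\.com", "test": r"test", "all": r".*"}
FLIP = {"cisco.com": r"cisco\.com", "test": r"test"}

def matches(table, name, value):
    return re.search(table[name], value) is not None

def original_policy(host, uri):
    """Three separate classes. Assumption: drop-connection on the catch-all
    class overrides the log actions of the other two, so every request drops."""
    actions = set()
    if matches(ORIG, "cisco.com", host):   # http_url_filtering_test -> log
        actions.add("log")
    if matches(ORIG, "test", uri):         # http_url_filtering_test2 -> log
        actions.add("log")
    if matches(ORIG, "all", host):         # http_url_filtering_test3 -> drop-connection
        actions.add("drop-connection")
    return "drop" if "drop-connection" in actions else "allow"

def flipped_policy(host, uri):
    """One match-all class of two negations: a request lands in filter-class
    (and is dropped) only when the host is NOT cisco.com AND the URI lacks 'test'."""
    in_filter_class = (not matches(FLIP, "cisco.com", host)) and (not matches(FLIP, "test", uri))
    return "drop" if in_filter_class else "allow"

# Constructed sample requests (Host header, request URI); not taken from the thread.
SAMPLES = [
    ("www.cisco.com", "/index.html"),      # allowed by host
    ("www.example.org", "/test/page"),     # allowed by URI
    ("www.example.org", "/index.html"),    # should be blocked
    ("cisco.com.example.org", "/"),        # substring match: the allow is wider than the literal domain
]

def verdicts(policy):
    return {f"{host}{uri}": policy(host, uri) for host, uri in SAMPLES}

if __name__ == "__main__":
    for label, policy in (("original", original_policy), ("flipped", flipped_policy)):
        print(label, verdicts(policy))
```

The last sample is the check a practitioner would add: because the host regex is a substring match, any hostname containing "cisco.com" passes the filter, so the allow list is broader than the single site the question asked for.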

Beginner

Problem with HTTP inspection.

That solution makes sense.

I'll try that in the next few days and let you know whether it fixes my problem or not.

Thanks for the reply.