11-22-2011 01:12 PM - edited 03-11-2019 02:54 PM
Hi,
I would like to find a way to give access to one website (let's say cisco.com), give access to any website that has the word "test" in the URL, and block access to all other websites, for only one server (let's say the_server).
Here is the config I have now:
regex cisco.com "\.cisco\.com"
regex test "test"
regex all ".*"
!
access-list acl_test extended permit tcp object GLOUBIER any eq www
!
class-map inside-test
match access-list acl_test
!
class-map type inspect http match-all http_url_filtering_test
match request header host regex cisco.com
!
class-map type inspect http match-all http_url_filtering_test2
match request uri regex test
!
class-map type inspect http match-all http_url_filtering_test3
match request header host regex all
!
policy-map type inspect http http_url_inspection_test
parameters
class http_url_filtering_test
log
class http_url_filtering_test2
log
class http_url_filtering_test3
drop-connection
!
policy-map inside-policy
class inside-test
inspect http http_url_inspection_test
!
Those rules aren't working (everything is blocked), but if I try each class-map individually, it works fine.
Is there a way to make the 3 rules (allow cisco.com, allow the word "test" in the URL, block the rest) work together?
Thanks for the answers and help.
11-30-2011 10:17 AM
Hello,
I would suggest flipping your logic around to drop everything that doesn't match your allowed requests like this:
regex cisco.com "cisco\.com"
regex test "test"
!
access-list acl_test extended permit tcp object GLOUBIER any eq www
!
class-map inside-test
match access-list acl_test
!
class-map type inspect http match-all filter-class
match not request header host regex cisco.com
match not request uri regex test
!
policy-map type inspect http filter-policy
parameters
class filter-class
drop-connection
policy-map inside-policy
class inside-test
inspect http filter-policy
That makes the config a bit more manageable and should do what you are looking for.
-Mike
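To see why the three-class policy in the question drops everything while the single inverted class in the answer does not, it helps to model the two policies against a handful of requests. The block below is an added example, not code from the thread or from Cisco. It approximates an ASA `regex` with Python's unanchored `re.search`, and it assumes (my reading of ASA inspection policy-maps, not something the thread states) that every matching class's action is applied and any `drop-connection` wins. The sample requests are constructed. It also adds a tightened host pattern to show that the unanchored `cisco\.com` also admits hosts such as `cisco.com.example.net`, and that the unanchored `test` admits any URI containing that substring, e.g. `/latest/`.

```python
"""Model of the ASA HTTP-inspection allowlist discussed in this thread.

Added example, not the thread's config or Cisco's code. Assumptions:
  - an ASA `regex` behaves like an unanchored Python re.search
  - in an inspection policy-map, all matching classes' actions are applied
    and a drop-connection from any class drops the request
"""
import re
from dataclasses import dataclass


@dataclass
class Request:
    host: str  # value of the Host request header
    uri: str   # request URI


@dataclass
class Match:
    field: str            # "host" or "uri"
    pattern: str          # regex, searched anywhere in the field
    negate: bool = False  # True models `match not ...`

    def hit(self, req: Request) -> bool:
        value = req.host if self.field == "host" else req.uri
        found = re.search(self.pattern, value) is not None
        return found != self.negate


@dataclass
class ClassMap:
    name: str
    matches: list
    action: str  # "log" or "drop-connection"

    def matches_request(self, req: Request) -> bool:
        # match-all: every match line must be true for the class to match
        return all(m.hit(req) for m in self.matches)


def verdict(policy: list, req: Request) -> str:
    """Return 'drop' if any matching class drops the connection, else 'permit'."""
    actions = [c.action for c in policy if c.matches_request(req)]
    return "drop" if "drop-connection" in actions else "permit"


# The original poster's three classes: the third matches ".*" on every host,
# so under the assumed semantics its drop-connection fires on every request.
ORIGINAL = [
    ClassMap("http_url_filtering_test", [Match("host", r"\.cisco\.com")], "log"),
    ClassMap("http_url_filtering_test2", [Match("uri", r"test")], "log"),
    ClassMap("http_url_filtering_test3", [Match("host", r".*")], "drop-connection"),
]

# Mike's inverted class: drop only when the host is NOT cisco.com AND the URI
# does NOT contain "test".
FLIPPED = [
    ClassMap("filter-class",
             [Match("host", r"cisco\.com", negate=True),
              Match("uri", r"test", negate=True)],
             "drop-connection"),
]

# Hypothetical tightened variant using Python anchors; whether the ASA regex
# dialect accepts the same anchors must be checked against the ASA docs.
TIGHTENED = [
    ClassMap("filter-class-anchored",
             [Match("host", r"(^|\.)cisco\.com$", negate=True),
              Match("uri", r"^/test/", negate=True)],
             "drop-connection"),
]

SAMPLE = [  # constructed sample requests
    Request("www.cisco.com", "/"),
    Request("example.com", "/test/page"),
    Request("example.com", "/"),
    Request("cisco.com.example.net", "/"),   # unanchored host regex also hits this
    Request("example.com", "/latest/news"),  # "test" is a substring of "latest"
]


def evaluate(policy: list, requests: list = SAMPLE) -> dict:
    """Map (host, uri) -> 'permit'/'drop' for each request under a policy."""
    return {(r.host, r.uri): verdict(policy, r) for r in requests}


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL), ("flipped", FLIPPED),
                          ("tightened", TIGHTENED)):
        print(label)
        for key, result in evaluate(policy).items():
            print(f"  {key[0]:24} {key[1]:14} {result}")
```

Running it shows the original policy dropping all five requests, the flipped policy permitting the two intended requests but also the two substring matches, and the tightened variant permitting only `www.cisco.com` and `/test/page`. Note that the inspection only looks at the Host header and URI sent by the_server, not at the destination IP, so this is a policy on what the server says it is requesting rather than on where the connection goes.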
12-08-2011 12:02 PM
That solution makes sense.
I'll try that in the next few days and let you know whether it fixes my problem.
Thanks for the reply.