Problem with HTTP inspection.

gloubier
Level 1

Hi,

I would like to find a way to give access to one website (let's say cisco.com), give access to whatever website has the word "test" in the URL, and block access to all the other websites, for only one server (let's say the_server).

Here is the config I have now:

regex cisco.com "\.cisco\.com"
regex test "test"
regex all ".*"
!
access-list acl_test extended permit tcp object GLOUBIER any eq www
!
class-map inside-test
  match access-list acl_test
!
class-map type inspect http match-all http_url_filtering_test
  match request header host regex cisco.com
!
class-map type inspect http match-all http_url_filtering_test2
  match request uri regex test
!
class-map type inspect http match-all http_url_filtering_test3
  match request header host regex all
!
policy-map type inspect http http_url_inspection_test
  parameters
  class http_url_filtering_test
    log
  class http_url_filtering_test2
    log
  class http_url_filtering_test3
    drop-connection
!
policy-map inside-policy
  class inside-test
    inspect http http_url_inspection_test
!

Those rules aren't working (everything is blocked), but if I try each class-map individually, it works fine.

Is there a way to make the 3 rules (allow cisco.com, allow the word "test" in the URL, block the rest) work together?

Thanks for the answers and help.

Accepted Solution

mirober2
Cisco Employee

Hello,

I would suggest flipping your logic around to drop everything that doesn't match your allowed requests like this:

regex cisco.com "cisco\.com"
regex test "test"
!
access-list acl_test extended permit tcp object GLOUBIER any eq www
!
class-map inside-test
   match access-list acl_test
!
class-map type inspect http match-all filter-class
   match not request header host regex cisco.com
   match not request uri regex test
!
policy-map type inspect http filter-policy
   parameters
   class filter-class
      drop-connection
!
policy-map inside-policy
   class inside-test
      inspect http filter-policy

That makes the config a bit more manageable and should do what you are looking for.

-Mike

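To see why the original three-class policy blocks everything while the accepted answer's single match-all class with two "match not" lines behaves as intended, the following Python model evaluates both policies against a handful of constructed requests. This is an added example written for this page, not code from the thread or from Cisco; it assumes that a request matching a log-only class is still evaluated against later classes and that a drop-connection from any matched class wins, which is what the observed "everything is blocked" symptom implies. The stricter host pattern and the sample hosts (example.org, cisco.com.example) are my own constructions.

```python
import re
from dataclasses import dataclass

# Regexes as written in the thread's ASA "regex" commands (the accepted
# answer drops the leading "\." from the cisco.com pattern).
RE_CISCO = re.compile(r"cisco\.com")
RE_TEST = re.compile(r"test")
RE_ALL = re.compile(r".*")   # original poster's catch-all "regex all"

# Assumption of this model: a request matching a "log" class is still
# evaluated against later classes, and a drop-connection from any matched
# class wins, which is consistent with "everything is blocked".


@dataclass(frozen=True)
class HttpRequest:
    host: str  # value of the Host request header
    uri: str   # request URI (path and query)


def original_policy(req: HttpRequest) -> str:
    """Model of the original three-class policy-map."""
    actions = []
    if RE_CISCO.search(req.host):      # http_url_filtering_test: log
        actions.append("log")
    if RE_TEST.search(req.uri):        # http_url_filtering_test2: log
        actions.append("log")
    if RE_ALL.search(req.host):        # http_url_filtering_test3: drop-connection
        actions.append("drop")         # ".*" matches every Host value
    return "drop" if "drop" in actions else "allow"


def revised_policy(req: HttpRequest) -> str:
    """Model of the accepted answer: one match-all class with two 'match not'
    lines, so the connection is dropped only when neither allow rule matches."""
    not_cisco = RE_CISCO.search(req.host) is None
    not_test = RE_TEST.search(req.uri) is None
    return "drop" if (not_cisco and not_test) else "allow"


# Tighter host pattern (my construction, not from the thread): require the
# Host value to be cisco.com itself or a subdomain of it, so that a host
# that merely contains the string "cisco.com" somewhere does not match.
RE_CISCO_STRICT = re.compile(r"(^|\.)cisco\.com$")


def strict_host_policy(req: HttpRequest) -> str:
    """Same structure as revised_policy, with the anchored host pattern."""
    not_cisco = RE_CISCO_STRICT.search(req.host) is None
    not_test = RE_TEST.search(req.uri) is None
    return "drop" if (not_cisco and not_test) else "allow"


# Constructed sample requests, not captured traffic.
SAMPLE = [
    HttpRequest("www.cisco.com", "/"),
    HttpRequest("example.org", "/"),
    HttpRequest("example.org", "/test/page"),
    HttpRequest("example.org", "/latest/news"),   # "test" is a substring of "latest"
    HttpRequest("cisco.com.example", "/"),        # contains "cisco.com" but is not it
]


def run_all(policy) -> dict:
    """Verdict per sample request, keyed by host + URI."""
    return {f"{r.host}{r.uri}": policy(r) for r in SAMPLE}


if __name__ == "__main__":
    for name, policy in [("original", original_policy),
                         ("revised", revised_policy),
                         ("strict host", strict_host_policy)]:
        print(name)
        for key, verdict in run_all(policy).items():
            print(f"  {verdict:5} {key}")
```

Running the model shows the original policy dropping even www.cisco.com, because the ".*" class matches every Host header, while the revised policy allows it. It also shows two side effects of the unanchored patterns worth checking before relying on them as an allowlist: "test" matches inside words such as "latest", and "cisco\.com" matches any Host value containing that string. Whether an anchored form like the one in RE_CISCO_STRICT can be expressed in the ASA regex syntax should be confirmed against the regex command reference for the firewall's software version.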


That solution makes sense.

I'll try that in the next few days and let you know if it fixes my problem or not.

Thanks for the reply.
