
URL Filtering - Command Line Issues

jrennard3 (Level 1)

Hello - I'm a complete novice when it comes to configuring via the command line, but I am trying my best to learn.  We have a Cisco ASA 5505 and would like to configure it using a Cisco provided solution for URL filtering.  At this moment we only have one URL that we need to filter, but access needs to be permitted for certain computers and disallowed for the rest.

The commands that were given are as follows:

regex blockex1 "facebook\.com"

access-list user-acl extended deny tcp host 10.10.2.100 any eq www
access-list user-acl extended permit tcp any any eq www

class-map type inspect http match-any block-url-class
match request header host regex blockfb

class-map block-user-class
match access-list user-acl

policy-map type inspect http block-url-policy
parameters
  class block-url-class
  drop-connection

policy-map block-user-url-policy
class block-user-class
  inspect http block-url-policy

service-policy block-user-url-policy interface inside

First - I don't understand why they would put the IP that should be allowed to access the restricted URL in an access list labeled as 'deny'.  Secondly, when I try to run the second set of commands:

class-map type inspect http match-any block-url-class
match request header host regex blockfb

They will not run via the command line or via the CLI in ASDM.  It gives me an "unrecognized or invalid input detected" error.  The second class-map command ran perfectly fine.

I suppose a problem of mine may be that I do not understand how to handle the indentation of commands.  For example, we have

class-map type inspect http match-any block-url-class
match request header host regex blockfb

Do I need to enter each line individually or is the 'match...' line supposed to be immediately following the first line on the same command line?

If you are able to help in any way it would be greatly appreciated.  Thanks!

4 Replies

Kureli Sankar (Cisco Employee)

First - I don't understand why they would put the IP that should be allowed to access the restricted URL in an access list labeled as 'deny'.  Secondly, when I try to run the second set of commands:

You need a "deny" because only then will that traffic be "denied" from being inspected and then blocked when going to facebook.

class-map type inspect http match-any block-url-class
match request header host regex blockfb

Where does it give you the "invalid input detected" error?  You would see a ^ marker; where do you see that? Please get on the CLI, do a conf t, copy and paste these lines, and then copy and paste the output that you are seeing. I added a sample in this document a while ago. See if this helps you.

https://supportforums.cisco.com/docs/DOC-1268#Same_domain_allowdeny

-KS

jrennard3 (Level 1)

Thanks for the response - the document you attached is the exact one that I am using.  When I am connected via the CLI, I am running under the enabled configuration.  Is this correct?  Also, I am using PuTTY and SSH.  Should I be connecting a different way?

Here is the response I receive:

ciscoasa(config)# class-map type inspect http match-any block-url-class
                                                        ^
ERROR: % Invalid input detected at '^' marker.

jrennard3 (Level 1)

Seems that the forum formatted my error incorrectly - the '^' is actually right under the 'b' in 'block-url-class'.

Kureli Sankar (Cisco Employee)

I added the very last section in that link. I didn't have a problem when I copied and pasted the line that gave you trouble.

Anyway, the below is what you need. You can pretty much copy and paste the below lines. Let me know if this works to block facebook except for the IP address 10.10.2.100.

access-list user-acl extended deny tcp host 10.10.2.100 any eq www
access-list user-acl extended permit tcp any any eq www

regex block-fb ".*facebook\.com"
class-map type regex match-any block-fb
   match regex block-fb

policy-map type inspect http http-inspect-pol
   parameters
   match request header host regex class block-fb
    reset log

class-map http-class
   match access-list user-acl

policy-map http-traffic
   class http-class
    inspect http http-inspect-pol
!
service-policy http-traffic interface inside

-KS
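One thing a practitioner would want before pasting either command set into an ASA is a quick consistency check of the names: the set the original poster was given defines `regex blockex1` but the class-map references `blockfb`, which is exactly the kind of dangling reference the ASA rejects. The script below is an added example written for this thread, not code from the thread itself or from Cisco. It only works on the configuration text; the two snippets are copied from the posts above as constructed strings, no device is involved, and the `host_matches` helper assumes that an unanchored ASA regex matches anywhere in the Host header, which is what Python's `re.search` does.

```python
import re

# Constructed sample inputs, copied from the thread as plain text: the command
# set the original poster was given (with its regex-name mismatch) and the
# corrected set from the final reply. Nothing here talks to a device.
GIVEN_CONFIG = """\
regex blockex1 "facebook\\.com"
access-list user-acl extended deny tcp host 10.10.2.100 any eq www
access-list user-acl extended permit tcp any any eq www
class-map type inspect http match-any block-url-class
match request header host regex blockfb
class-map block-user-class
match access-list user-acl
policy-map type inspect http block-url-policy
parameters
  class block-url-class
  drop-connection
policy-map block-user-url-policy
class block-user-class
  inspect http block-url-policy
service-policy block-user-url-policy interface inside
"""

WORKING_CONFIG = """\
access-list user-acl extended deny tcp host 10.10.2.100 any eq www
access-list user-acl extended permit tcp any any eq www
regex block-fb ".*facebook\\.com"
class-map type regex match-any block-fb
   match regex block-fb
policy-map type inspect http http-inspect-pol
   parameters
   match request header host regex class block-fb
    reset log
class-map http-class
   match access-list user-acl
policy-map http-traffic
   class http-class
    inspect http http-inspect-pol
service-policy http-traffic interface inside
"""


def _tokens(config):
    """Tokenise non-empty, non-comment lines; the ASA ignores indentation."""
    lines = (raw.strip() for raw in config.splitlines())
    return [ln.split() for ln in lines if ln and not ln.startswith("!")]


def cross_check(config):
    """Return names that are referenced but never defined: regexes, regex
    class-maps, access-lists, class-maps and HTTP inspection policy-maps."""
    defs = {"regex": set(), "regex class-map": set(), "access-list": set(),
            "class-map": set(), "http inspection policy-map": set()}
    for t in _tokens(config):                      # pass 1: definitions
        if t[0] == "regex":
            defs["regex"].add(t[1])
        elif t[0] == "access-list":
            defs["access-list"].add(t[1])
        elif t[0] == "class-map":
            defs["class-map"].add(t[-1])
            if t[1:3] == ["type", "regex"]:
                defs["regex class-map"].add(t[-1])
        elif t[:4] == ["policy-map", "type", "inspect", "http"]:
            defs["http inspection policy-map"].add(t[4])
    refs = []                                      # pass 2: references
    for t in _tokens(config):
        if t[:2] == ["match", "regex"]:
            refs.append(("regex", t[2]))
        elif t[:5] == ["match", "request", "header", "host", "regex"]:
            refs.append(("regex class-map", t[6]) if t[5] == "class"
                        else ("regex", t[5]))
        elif t[:2] == ["match", "access-list"]:
            refs.append(("access-list", t[2]))
        elif t[0] == "class":
            refs.append(("class-map", t[1]))
        elif t[:2] == ["inspect", "http"]:
            refs.append(("http inspection policy-map", t[2]))
    return [f"{kind} '{name}' is referenced but never defined"
            for kind, name in refs if name not in defs[kind]]


def regex_patterns(config):
    """Map each `regex NAME "PATTERN"` line to its pattern text."""
    found = {}
    for raw in config.splitlines():
        parts = raw.strip().split(None, 2)
        if len(parts) == 3 and parts[0] == "regex":
            found[parts[1]] = parts[2].strip('"')
    return found


def host_matches(pattern, host):
    """Emulate the ASA's test of a Host header against a regex. Assumption:
    an unanchored ASA regex matches anywhere in the header, as re.search does."""
    return re.search(pattern, host) is not None


if __name__ == "__main__":
    print("given:", cross_check(GIVEN_CONFIG) or "OK")
    print("working:", cross_check(WORKING_CONFIG) or "OK")
    pat = regex_patterns(WORKING_CONFIG)["block-fb"]
    for h in ("www.facebook.com", "example.com", "facebook.com.example.net"):
        print(h, host_matches(pat, h))
```

Run as-is, the given set reports the `blockfb` reference as undefined and the corrected set comes back clean. The last host check also shows that `.*facebook\.com` is a substring match, so a Host header such as `facebook.com.example.net` would be caught as well; if only the exact domain should be affected, the pattern needs anchoring (ASA regex syntax supports `^` and `$`).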
