12-27-2010 10:10 AM - edited 03-11-2019 12:28 PM
Hello - I'm a complete novice when it comes to configuring via the command line, but I am trying my best to learn. We have a Cisco ASA 5505 and would like to configure it using a Cisco provided solution for URL filtering. At this moment we only have one URL that we need to filter, but access needs to be permitted for certain computers and disallowed for the rest.
The commands that were given are as follows:
regex blockex1 "facebook\.com"
access-list user-acl extended deny tcp host 10.10.2.100 any eq www
access-list user-acl extended permit tcp any any eq www
class-map type inspect http match-any block-url-class
match request header host regex blockfb
class-map block-user-class
match access-list user-acl
policy-map type inspect http block-url-policy
parameters
class block-url-class
drop-connection
policy-map block-user-url-policy
class block-user-class
inspect http block-url-policy
service-policy block-user-url-policy interface inside
First - I don't understand why they would put the IP that should be allowed to access the restricted URL in an access list labeled as 'deny'. Secondly, when I try to run the second set of commands:
class-map type inspect http match-any block-url-class
match request header host regex blockfb
They will not run via the command line or via the CLI in ASDM. It gives me an "unrecognized or invalid input detected" error. The second class-map command ran perfectly fine.
I suppose a problem of mine may be that I do not understand how to handle the indentation of commands. For example, we have
class-map type inspect http match-any block-url-class
match request header host regex blockfb
Do I need to enter each line individually or is the 'match...' line supposed to be immediately following the first line on the same command line?
If you are able to help in any way it would be greatly appreciated. Thanks!
12-27-2010 10:26 AM
First - I don't understand why they would put the IP that should be allowed to access the restricted URL in an access list labeled as 'deny'. Secondly, when I try to run the second set of commands:
You need a "deny" because only then will that traffic be "denied" from being inspected and then blocked when going to facebook.
class-map type inspect http match-any block-url-class
match request header host regex blockfb
Where does it give you the invalid input detected? You would see a ^; where do you see that? Please get on the CLI, do a conf t, copy and paste these lines, and copy and paste the output that you are seeing. I added a sample in this document a while ago. See if this helps you.
https://supportforums.cisco.com/docs/DOC-1268#Same_domain_allowdeny
-KS
12-27-2010 10:35 AM
Thanks for the response - the document you attached is the exact one that I am using. When I am connected via CLI, I am running under the enabled configuration. Is this correct? Also, I am using Putty and SSH. Should I be connecting a different way?
Here is the response I receive:
ciscoasa(config)# class-map type inspect http match-any block-url-class
                                                        ^
ERROR: % Invalid input detected at '^' marker.
12-27-2010 10:42 AM
Seems that the forum formatted my error incorrectly - the '^' is actually right under the 'b' in 'block-url-class'.
12-27-2010 10:50 AM
I added the very last section in that link. I didn't have a problem when I copied and pasted the line that gave you trouble.
Anyway, the below is what you need. You can pretty much copy and paste the below lines. Let me know if this works to block facebook except for this IP address 10.10.2.100.
access-list user-acl extended deny tcp host 10.10.2.100 any eq www
access-list user-acl extended permit tcp any any eq www
regex block-fb ".*facebook\.com"
class-map type regex match-any block-fb
match regex block-fb
policy-map type inspect http http-inspect-pol
parameters
match request header host regex class block-fb
reset log
class-map http-class
match access-list user-acl
policy-map http-traffic
class http-class
inspect http http-inspect-pol
!
service-policy http-traffic interface inside
-KS
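To make the two points in this thread concrete (why the exempt host sits in a "deny" ACE, and what the posted Host-header regex actually matches), here is an added Python model of that policy's decision logic. It is not Cisco code and not from either poster; the ASA is assumed to evaluate the regex as an unanchored substring match, and the anchored alternative at the end is an assumption of this example, not something suggested in the thread.

```python
import ipaddress
import re

# Constructed model of the posted policy: the ACL-based class map decides which
# HTTP flows are handed to HTTP inspection; inside inspection, a match on the
# Host header triggers "reset". A "deny" ACE means the flow does NOT match the
# class, so it is never inspected and passes untouched.
EXEMPT_HOSTS = {ipaddress.ip_address("10.10.2.100")}   # the host in the thread's ACL

# The regex exactly as posted (".*facebook\.com") and an anchored variant.
# The anchored form is an assumption of this example, not from the thread.
POSTED_REGEX = re.compile(r".*facebook\.com")
ANCHORED_REGEX = re.compile(r"^([a-z0-9-]+\.)*facebook\.com$", re.IGNORECASE)


def acl_selects_for_inspection(src_ip: str, dst_port: int) -> bool:
    """Evaluate user-acl top-down the way a class-map 'match access-list' does."""
    if dst_port != 80:          # both ACEs are 'eq www'; other ports never match
        return False
    ip = ipaddress.ip_address(src_ip)
    if ip in EXEMPT_HOSTS:      # deny tcp host 10.10.2.100 any eq www -> not classified
        return False
    return True                 # permit tcp any any eq www -> classified (inspected)


def policy_action(src_ip: str, dst_port: int, host_header: str,
                  regex: re.Pattern = POSTED_REGEX) -> str:
    """Return 'pass' or 'reset' for one HTTP request under the modelled policy."""
    if not acl_selects_for_inspection(src_ip, dst_port):
        return "pass"           # flow never reaches HTTP inspection
    host = host_header.split(":")[0]    # ignore an explicit port in 'Host: name:8080'
    if regex.search(host):              # assumed substring semantics for ASA regex
        return "reset"          # 'match request header host regex class block-fb' -> reset log
    return "pass"
```

Note that the unanchored regex also resets requests whose Host header merely contains "facebook.com" (for example a host named facebook.com.example.net), and that the policy only sees port 80, so HTTPS traffic to the same site is never inspected.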