Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1232
Views
20
Helpful
9
Replies

URL filtering on 5505?

Go to solution
slug420
Level 1
Level 1

‎02-07-2011 11:05 AM - edited ‎03-11-2019 12:46 PM

Can someone help me with a basic config to filter like cisco.com (or any of its pages) using a 5505?  I am trying to *block* this site.  Here is what I had from the URL filtering howto:

!
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-any block-url-class
match request header host regex block1
!
!
policy-map type inspect http block-url-policy
parameters
class block-url-class
  drop-connection log
policy-map global_policy
class inspection_default
  inspect http block-url-policy
!
service-policy global_policy global

I got an error initially about there being no inspection_default class so im not sure if I recreated it correctly/completely...

thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
PAUL GILBERT ARIAS
Level 5
Level 5

‎02-07-2011 11:29 AM

this is a configuration I have tested:

regex block-url ".\myspace.\com"

class-map type regex match-any cm-block-url

match regex block-url

policy-map type inspect http pm-block-url

parameters

match request header host regex class cm-block-url

  drop-connection log

policy-map global_policy

class inspection_default

  inspect http pm-block-url

service-policy global_policy global

View solution in original post

0 Helpful
9 Replies 9

Go to solution
PAUL GILBERT ARIAS
Level 5
Level 5

‎02-07-2011 11:07 AM

can you paste the show run regex, show run class-map and show run policy-map?

Go to solution
PAUL GILBERT ARIAS
Level 5
Level 5

‎02-07-2011 11:29 AM

this is a configuration I have tested:

regex block-url ".\myspace.\com"

class-map type regex match-any cm-block-url

match regex block-url

policy-map type inspect http pm-block-url

parameters

match request header host regex class cm-block-url

  drop-connection log

policy-map global_policy

class inspection_default

  inspect http pm-block-url

service-policy global_policy global

0 Helpful

Go to solution
slug420
Level 1
Level 1
In response to PAUL GILBERT ARIAS

‎02-09-2011 08:45 AM

Thanks Paul, I am trying your config but where you have:

class inspection_default

  inspect http pm-block-url

I do not see an "inspect" command to issue "inspect http"?

0 Helpful

Go to solution
PAUL GILBERT ARIAS
Level 5
Level 5
In response to slug420

‎02-09-2011 08:51 AM

clas inspectio_default comes by default on the ASA. In case you don't have it then you could add it manually. Here are the missing lines:

class-map inspection_default

match default-inspection-traffic

then make sure you add the rest of the commands I suggested.

Go to solution
slug420
Level 1
Level 1
In response to PAUL GILBERT ARIAS

‎02-09-2011 12:58 PM

you:

regex block-url ".\myspace.\com"

class-map type regex match-any cm-block-url

match regex block-url

policy-map type inspect http pm-block-url

parameters

match request header host regex class cm-block-url

  drop-connection log

policy-map global_policy

class inspection_default

  inspect http pm-block-url

service-policy global_policy global

me (testing with pandora):

regex block1 ".\pandora.\com"

class-map inspection_default
match default-inspection-traffic

class-map type regex match-any block-url-class
match regex block1
!
!
policy-map type inspect http block-url-policy
parameters
match request header host regex class block-url-class
  drop-connection log
policy-map global_policy
class inspection_default
  inspect http block-url-policy
!
service-policy global_policy global


don't the !s indicate incomplete configurations?  Do you have those in your config?  If this looks good to you (looks good to me) I guess I am going to have to verify the user is testing from the right location..

0 Helpful

Go to solution
PAUL GILBERT ARIAS
Level 5
Level 5
In response to slug420

‎02-09-2011 01:05 PM

it doesn't mean incomplete.

Go ahead and test. It looks good your config.

Go to solution
slug420
Level 1
Level 1
In response to PAUL GILBERT ARIAS

‎02-10-2011 12:42 PM

tried it on an ASA here and it worked like a charm, client finally got back to me and said he was testing from another site   Thanks for your help!  On a side note...if they ping the URL (and resolve the IP) and use the IP in their web browser they get around this...is there a way to do DNS filtering so that requests or responses for a given string are blocked?

0 Helpful

Go to solution
PAUL GILBERT ARIAS
Level 5
Level 5
In response to slug420

‎02-10-2011 01:09 PM

I am glad to hear that it worked. You can always block the IP for the unwanted websites but IPs usually change. If you want a better URL filtering mechanism you should consider the CSC-SSM for the ASA but in this case it will not work on you ASA 5505.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card