02-07-2011 11:05 AM - edited 03-11-2019 12:46 PM
Can someone help me with a basic config to filter like cisco.com (or any of its pages) using a 5505? I am trying to *block* this site. Here is what I had from the URL filtering howto:
!
class-map inspection_default
 match default-inspection-traffic
class-map type inspect http match-any block-url-class
 match request header host regex block1
!
!
policy-map type inspect http block-url-policy
 parameters
 class block-url-class
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect http block-url-policy
!
service-policy global_policy global
I got an error initially about there being no inspection_default class so I'm not sure if I recreated it correctly/completely...
Thanks!
02-07-2011 11:07 AM
Can you paste the show run regex, show run class-map and show run policy-map?
02-07-2011 11:08 AM
This link provides a good explanation:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
02-07-2011 11:29 AM
This is a configuration I have tested:
regex block-url "\.myspace\.com"
class-map type regex match-any cm-block-url
 match regex block-url
policy-map type inspect http pm-block-url
 parameters
 match request header host regex class cm-block-url
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect http pm-block-url
service-policy global_policy global
02-09-2011 08:45 AM
Thanks Paul, I am trying your config but where you have:
class inspection_default
inspect http pm-block-url
I do not see an "inspect" command to issue "inspect http"?
02-09-2011 08:51 AM
class inspection_default comes by default on the ASA. In case you don't have it then you could add it manually. Here are the missing lines:
class-map inspection_default
 match default-inspection-traffic
02-09-2011 12:58 PM
you:
regex block-url "\.myspace\.com"
class-map type regex match-any cm-block-url
 match regex block-url
policy-map type inspect http pm-block-url
 parameters
 match request header host regex class cm-block-url
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect http pm-block-url
service-policy global_policy global
me (testing with pandora):
regex block1 "\.pandora\.com"
class-map inspection_default
 match default-inspection-traffic
class-map type regex match-any block-url-class
 match regex block1
!
!
policy-map type inspect http block-url-policy
 parameters
 match request header host regex class block-url-class
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect http block-url-policy
!
service-policy global_policy global
Don't the !s indicate incomplete configurations? Do you have those in your config? If this looks good to you (looks good to me) I guess I am going to have to verify the user is testing from the right location.
02-09-2011 01:05 PM
It doesn't mean incomplete.
Go ahead and test. Your config looks good.
02-10-2011 12:42 PM
Tried it on an ASA here and it worked like a charm; the client finally got back to me and said he was testing from another site. Thanks for your help! On a side note: if they ping the URL (and resolve the IP) and use the IP in their web browser, they get around this. Is there a way to do DNS filtering so that requests or responses for a given string are blocked?
02-10-2011 01:09 PM
I am glad to hear that it worked. You can always block the IP for the unwanted websites, but IPs usually change. If you want a better URL filtering mechanism you should consider the CSC-SSM for the ASA, but in this case it will not work on your ASA 5505.
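An added example, not posted by anyone in this thread: a Python check of which Host header values a host regex would catch before it is used in `match request header host regex`. It assumes the match is an unanchored substring search and that Python's `re` behaves like the ASA regex engine for these simple patterns; the sample hosts and the `candidate` pattern are constructed for illustration.

```python
import re

# Constructed sample Host header values (not taken from the thread).
SAMPLE_HOSTS = [
    "www.pandora.com",        # the site being filtered
    "pandora.com",            # bare domain, no leading dot
    "www.pandora.com:80",     # Host header may carry a port
    "xpandoraxcom.example",   # unrelated name
    "www.notpandora.com",     # unrelated name ending in the same string
    "203.0.113.10",           # IP literal typed into the browser (documentation range)
]

PATTERNS = {
    # Literal dots: the intended form of the thread's pattern.
    "escaped": r"\.pandora\.com",
    # Unescaped dots: "." matches any single character.
    "unescaped": r".pandora.com",
    # Hypothetical candidate that also accepts the bare domain.
    "candidate": r"(^|\.)pandora\.com",
}


def dropped(pattern, host):
    """True if the Host value would hit the drop-connection action.

    Assumption: the inspection engine searches anywhere in the header value.
    """
    return re.search(pattern, host) is not None


def coverage(patterns=PATTERNS, hosts=SAMPLE_HOSTS):
    """Map each pattern name to the list of sample hosts it would drop."""
    return {name: [h for h in hosts if dropped(p, h)]
            for name, p in patterns.items()}


if __name__ == "__main__":
    for name, hits in coverage().items():
        missed = [h for h in SAMPLE_HOSTS if h not in hits]
        print(f"{name:10} drops={hits}")
        print(f"{'':10} passes={missed}")
```

The IP-literal row is the gap raised in the thread: the Host header then carries no domain name for any of these patterns to match. Confirm a pattern on the device itself with `test regex` before relying on it.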