URL Filtering on ASA with RegEx, but getting unexpected results

abrrymnvette
Level 1

I'm trying to block access to dropbox.com on our ASA5510. I have it setup and it blocks dropbox.com just fine. But it is also blocking google.com. I can't figure out why.

Here's my config. When it blocks google, it blocks it with the

terminated by inspection engine, reason - disconnected, dropped packet.


    regex Block_Dropbox "\.dropbox\.com"
    !
    access-list URL_Filtering extended permit tcp any any eq www
    access-list URL_Filtering extended permit tcp any any eq https
    !
    class-map type regex match-any Block_Domains
     match regex Block_Dropbox
    class-map type inspect http match-all Block_These_Domains
     match request header host regex class Block_Domains
    class-map inspection_default
     match default-inspection-traffic
    class-map httptraffic
     match access-list URL_Filtering
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map type inspect http http_inspection_policy
     parameters
      protocol-violation action drop-connection
     class Block_These_Domains
      drop-connection
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    policy-map inside-policy
     class httptraffic
      inspect http http_inspection_policy
    !
    service-policy global_policy global
    service-policy inside-policy interface inside

6 Replies

jocamare
Level 4

Let's try it the easy way:

    ! literal match on the domain (the original "\dropbox\.com" escaped the "d" instead of a dot)
    regex dropbox "dropbox\.com"
    !
    class-map type inspect http match-any block-url-class
     match request header host regex dropbox
    !
    policy-map type inspect http block-url-policy
     parameters
     class block-url-class
      drop-connection log
    !
    policy-map global_policy
     class inspection_default
      inspect http block-url-policy

That works for dropbox.com, but when I use https://www.dropbox.com I can still get through.

Julio Carvajal
VIP Alumni

Hello,

Why matching HTTPS in the ACL if this is an HTTP inspection?

Please just use the HTTP protocol on the ACL and give it a try (clear local-host before the test).

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Because if I use https, I can still get to the website.

Encrypted traffic, end of the road.

The ASA won't be able to see the request on the HTTP request, so it won't block it.

The CSC module is a good partner in crime when blocking HTTPS on the ASA.

But, we don't always have a spare CSC to use, so, here's something you can try:

You can block HTTPS by dropping the DNS request.

For this to work properly, the DNS request for resolving the IP of the HTTPS URL must go through the ASA, which means that if the user and its DNS server are both behind the same interface of the ASA, this would not work, as we are dropping the blocked website's request during its DNS resolution request.

As this solution works by dropping the DNS server reply, it does not only block HTTPS but any other kind of traffic as well (HTTP, FTP, etc.) where the user accesses a server by its name and hence has to perform a DNS query.

What to do:

HTTPS websites use an SSL tunnel from the end device to the end server, so the firewall isn't capable of inspecting the SSL traffic. So instead of using URL inspection, we can configure DNS inspection.

The ASA inspects the DNS request from the internal DNS server or end device to the external DNS server. We can use regular expressions to match the FQDN of a website. Below is an example configuration for blocking access to the website facebook.com (and applications using a DNS entry for this website):

    regex domain_facebook.com "\.facebook\.com"
    !
    class-map type regex match-any DomainBlockList
     match regex domain_facebook.com
    !
    policy-map type inspect dns Pol-DNS-inspect
     parameters
      message-length maximum 512
     match domain-name regex class DomainBlockList
      drop-connection log
    !
    policy-map global_policy
     class inspection_default
      inspect dns Pol-DNS-inspect
    !
    service-policy global_policy global

A problem with this approach could be the DNS cache on the internal DNS server. If this domain name was queried before configuring the inspection, the domain will be available until the DNS cache on the DNS server expires. In an urgent situation you can maybe clear the DNS cache yourself.

Also...

You can use FQDN along with Access-lists so the DNS request doesn't have to go through the ASA.
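The DNS-inspection check described above, as an added example that is not part of the thread or of Cisco's code: it decodes the QNAME from a constructed DNS query and applies a regex block list the way the `match domain-name regex class` line would. Python's `re` stands in for the ASA regex engine (an assumption), and the patterns are anchored, which goes beyond the thread's `\.facebook\.com` so that a lookalike such as facebook.com.example.net is not dropped.

```python
import re
import struct

# Block list in the same spirit as the thread's regex class (constructed sample).
# Anchoring is added here: the first pattern catches any subdomain, the second
# the bare apex, and neither matches "facebook.com" buried inside another name.
BLOCK_PATTERNS = [r"\.facebook\.com$", r"^facebook\.com$"]


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query for qname (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet: bytes) -> str:
    """Extract the first question name; question names are never compressed."""
    pos = 12  # skip the fixed 12-byte header
    labels = []
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()  # DNS names are case-insensitive


def dns_inspect(packet: bytes) -> str:
    """Return 'drop' if the queried name matches any block pattern, else 'permit'."""
    qname = parse_qname(packet)
    for pattern in BLOCK_PATTERNS:
        if re.search(pattern, qname):
            return "drop"
    return "permit"


if __name__ == "__main__":
    for name in ["www.facebook.com", "facebook.com",
                 "facebook.com.example.net", "www.google.com"]:
        print(f"{name:28} -> {dns_inspect(build_dns_query(name))}")
```

Note that this only sees queries that actually traverse the inspection point; a name already in the internal resolver's cache produces no query to match, which is the cache caveat above.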
