URL Filtering

Dear Support-Team,

I have an ASA-CSC-10-PLUS device and I want to implement URL filtering.

Will you give me an example CLI configuration guide?

How to filter URLs with regular expressions?

Will you give me example documentation for all these?

How many URLs will the ASA block normally?

And finally, will you give me an example for blocking the "facebook" website?

Thanks in Advance,

Regards,

MJR


10 Replies

Maykol Rojas
Cisco Employee

Hello,

Your ASA seems to have a CSC module, so no CLI configuration is needed on the ASA firewall in order to block URL sites (only if you plan to use regex, but if you are using the module there is no need for that).

Here is the configuration guide for the CSC module, showing how to redirect the traffic to the content filtering:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808dea62.shtml

You will find examples of how to block URLs and how to filter URLs, plus how to restrict files in FTP and so on, with the capabilities of the module per se.

Since you are using this CSC module, there is no need to block URLs using regular expressions; however, here is a quick example:

Layer 7 class map configuration:

regex domainlist1 "\.yahoo\.com"
regex domainlist2 "\.myspace\.com"
regex domainlist3 "\.youtube\.com"

class-map type regex match-any DomainBlockList
  match regex domainlist1
  match regex domainlist2
  match regex domainlist3

class-map type inspect http match-all BlockDomainsClass
  match request header host regex class DomainBlockList

class-map httptraffic
  match access-list inside_mpc

policy-map type inspect http http_inspection_policy
  class BlockDomainsClass
    reset log

L3/4 class maps and policy maps:

access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 8080

class-map httptraffic
  match access-list inside_mpc

policy-map inside-policy
  class httptraffic
    inspect http http_inspection_policy

service-policy inside-policy interface inside

If you see, we are looking for the host field on the header, where normally the name of the URL is located. In that example, yahoo, myspace and youtube are going to be dropped. For reference you can go to the following link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml

Locally, the ASA is limited to 100 URLs; please refer to the TAC Security Podcast episode 13, filtering HTTP services:

http://www.cisco.com/en/US/solutions/ns170/tac/security_tac_podcasts.html

The example for youtube and yahoo will help you to create the one for facebook. Keep in mind that if the packet comes encrypted (HTTPS), the way to go would be filtering the DNS request.

Hope it helps

Mike
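To see what the regex class-map above actually matches, here is an added Python example (not part of the original post and not Cisco code) that pulls the Host header out of a raw HTTP request and applies the three regexes with the match-any semantics of DomainBlockList. It assumes that Python's re module behaves like the ASA regex engine for these simple patterns, which is only an approximation; the sample hosts and the anchored variant of the list are constructed here. It shows the check a practitioner runs before deploying such a policy: as written, "\.yahoo\.com" requires a leading dot, so it matches www.yahoo.com but not the bare apex yahoo.com, and it also fires on unrelated names that merely contain .yahoo.com, which the anchored variant avoids.

```python
import re

# Constructed sample block list mirroring the three regexes in the post.
# Assumption (example code, not Cisco's): Python's re is close enough to the
# ASA regex engine for these simple patterns; the ASA engine is not identical.
DOMAIN_BLOCK_LIST = {
    "domainlist1": r"\.yahoo\.com",
    "domainlist2": r"\.myspace\.com",
    "domainlist3": r"\.youtube\.com",
}

# Constructed stricter variant: matches the apex domain as well as any
# subdomain, and anchors at the end of the host name.
ANCHORED_BLOCK_LIST = {
    "domainlist1": r"(^|\.)yahoo\.com$",
    "domainlist2": r"(^|\.)myspace\.com$",
    "domainlist3": r"(^|\.)youtube\.com$",
}


def host_from_request(raw_request):
    """Return the lower-cased Host header value (without port) from a raw
    HTTP/1.x request, or None if there is none. This is the field that
    'match request header host regex class ...' inspects."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            if host.startswith("["):               # IPv6 literal, e.g. [::1]:80
                return host[: host.index("]") + 1]
            return host.split(":", 1)[0]
    return None


def first_match(host, block_list):
    """match-any semantics of the regex class-map: the first pattern that
    matches wins; None means no pattern matched."""
    for name, pattern in block_list.items():
        if re.search(pattern, host):
            return name
    return None


def classify(raw_request, block_list=DOMAIN_BLOCK_LIST):
    """'reset' if the policy would reset the connection (class
    BlockDomainsClass -> reset log), otherwise 'allow'."""
    host = host_from_request(raw_request)
    if host is None:
        return "allow"
    return "reset" if first_match(host, block_list) else "allow"


def _request(host):
    # Constructed minimal HTTP/1.1 request carrying the given Host header.
    return b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n\r\n"


# Constructed sample hosts; none of these come from the thread.
SAMPLE_HOSTS = ["www.yahoo.com", "yahoo.com", "www.youtube.com:8080",
                "www.example.com", "www.myspace.com.example.net"]


def run_samples():
    """Decision for each sample host under the original and the anchored lists."""
    return {h: (classify(_request(h)), classify(_request(h), ANCHORED_BLOCK_LIST))
            for h in SAMPLE_HOSTS}


if __name__ == "__main__":
    for host, (orig, anchored) in run_samples().items():
        print(f"{host:28} original={orig:5} anchored={anchored}")
```

Note that the L3/4 class only steers ports 80 and 8080 into the HTTP inspection policy, and, as Mike says, an HTTPS connection gives the ASA no readable Host header to inspect, so this check only covers clear-text HTTP.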

Hi Mike,

Thanks for the quick response.

Here I have one query: why is there no need for regex if using the CSC module?

Is it possible to do URL filtering without the CSC module, i.e. a standalone ASA 5510?

I studied that for doing URL filtering, the CSC module is needed with the PLUS license.

Regards,

MJR

On Mon, Mar 7, 2011 at 12:30 PM, mayrojas <


Hi,

Yes, of course there is a chance to do it without the CSC; I put an example to block youtube, myspace and yahoo. The regex configuration that I did is on the ASA and not on the CSC.

Let me know if you have questions!

Mike

Hi Mike,

Thanks for your response and I got clarified now.

Finally, one more query: I am implementing a secured LAN with ASA 5510-CSC-10-PLUS and I implemented all Content Filtering, URL blocking, File blocking and FTP filtering for all users.

Here I need to give full permissions to specific users (Administrators).

How to do this?

Regards,

MJR

On Tue, Mar 8, 2011 at 10:05 AM, mayrojas <

Hi,

Excellent question. On the link

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808dea62.shtml

there is a part where it explains how to send traffic to the CSC module:

access-list csc-acl permit tcp any any eq www
access-list csc-acl permit tcp any any eq smtp
access-list csc-acl permit tcp any any eq pop3

class-map csc-class
  match access-list csc-acl

policy-map global_policy
  class csc-class
    csc fail-open

If you want to exclude people from being scanned you can just put a deny on the csc-acl, for example:

access-list csc-acl line 1 deny tcp host x.x.x.x any eq www

That way the traffic from host x.x.x.x won't be inspected on port 80 by the CSC module.

I hope you catch it, if you have any questions let me know.

Mike
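As an added example (not from the thread and not Cisco code), the following Python model of first-match ACL evaluation shows why the exemption has to be inserted with "line 1": an ACE appended after the "permit tcp any any eq www" entry is never reached, so the host keeps being scanned. The address 192.0.2.10 stands in for x.x.x.x and the destination addresses are constructed; "permit" means the flow matches csc-acl, is classified by csc-class and is handed to the CSC module, "deny" means it is not. The parser only understands the ACE forms used in the thread.

```python
from dataclasses import dataclass
from typing import Optional

# Named ports used in the thread's ACL lines (IANA assignments).
SERVICE_PORTS = {"www": 80, "smtp": 25, "pop3": 110}


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp" in the thread
    src: str               # "any" or a host address
    dst: str               # "any" or a host address
    dport: Optional[int]   # None when there is no "eq" clause


def _parse_addr(tokens, i):
    """Parse 'any' or 'host A.B.C.D' starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError("unsupported address form: " + " ".join(tokens[i:]))


def parse_ace(line):
    """Parse 'access-list NAME [line N] permit|deny PROTO SRC DST [eq PORT]'.
    Returns (name, position or None, Ace). Example code, not a full ASA parser."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    name, i, pos = t[1], 2, None
    if t[i] == "line":
        pos, i = int(t[i + 1]), i + 2
    action, proto, i = t[i], t[i + 1], i + 2
    src, i = _parse_addr(t, i)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = SERVICE_PORTS.get(t[i + 1]) or int(t[i + 1])
    return name, pos, Ace(action, proto, src, dst, dport)


class AccessList:
    """First-match ACL: entries are evaluated top to bottom; 'line N' inserts
    an entry at position N instead of appending it."""

    def __init__(self, name):
        self.name, self.aces = name, []

    def add(self, line):
        name, pos, ace = parse_ace(line)
        if name != self.name:
            raise ValueError(f"ACE belongs to {name}, not {self.name}")
        if pos is None:
            self.aces.append(ace)
        else:
            self.aces.insert(pos - 1, ace)

    def evaluate(self, src, dst, proto, dport):
        for ace in self.aces:
            if (ace.proto == proto and ace.src in ("any", src)
                    and ace.dst in ("any", dst) and ace.dport in (None, dport)):
                return ace.action
        return "deny"   # implicit deny: an unmatched flow is not classified


def csc_acl_decisions():
    """Whether a constructed host's traffic is handed to the CSC module under
    three variants of csc-acl: no exemption, the 'line 1 deny' from the
    thread, and the same deny appended without 'line 1'."""
    base = ["access-list csc-acl permit tcp any any eq www",
            "access-list csc-acl permit tcp any any eq smtp",
            "access-list csc-acl permit tcp any any eq pop3"]
    exempt = "192.0.2.10"    # constructed; stands in for x.x.x.x in the post
    variants = {
        "no-exemption": base,
        "deny-at-line-1": base + [f"access-list csc-acl line 1 deny tcp host {exempt} any eq www"],
        "deny-appended": base + [f"access-list csc-acl deny tcp host {exempt} any eq www"],
    }
    out = {}
    for label, lines in variants.items():
        acl = AccessList("csc-acl")
        for entry in lines:
            acl.add(entry)
        out[label] = {
            "exempt-host-http": acl.evaluate(exempt, "198.51.100.1", "tcp", 80),
            "other-host-http": acl.evaluate("192.0.2.20", "198.51.100.1", "tcp", 80),
            "exempt-host-smtp": acl.evaluate(exempt, "198.51.100.1", "tcp", 25),
        }
    return out


if __name__ == "__main__":
    for label, decisions in csc_acl_decisions().items():
        print(label, decisions)
```

The "deny-appended" variant is the mistake to watch for: the deny is present in the ACL but sits below the permit that already matched, so the exempt host's port-80 traffic still goes to the module, while its SMTP traffic is unaffected in every variant because the deny is limited to eq www.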

Hi Mike,

Thanks for your response...

Here I want to send my administrator traffic to the CSC, where I want to configure everything (content filtering, anti-spam) except URL blocking.

I think you understood my problem.

And finally, after entering licenses into my firewall, how do I take a backup of the license info for future reference? Is it enough to take a sh run backup?

Regards,

MJR

On Tue, Mar 8, 2011 at 11:03 AM, mayrojas <


Pavel Pokorny
Level 1

Hi,

A few days ago I found this nice document:

https://supportforums.cisco.com/docs/DOC-1268

HTH

Pavel
