URL filtering problems ASA 5510

iliass joudat
Level 1

Hi everybody,

I use an ASA 5510 and I want to block some URLs:

192.168.2.70 to 79: allow everything

192.168.2.80 to 89: block Facebook, MySpace, Twitter

192.168.2.90 to 99: block Facebook, MySpace, Twitter, YouTube, Dailymotion

192.168.2.100 to 199: deny everything


7 Replies

Jennifer Halim
Cisco Employee

Duplicate post.

Here is the same answer from the other post:

Here is a sample configuration that you can follow to block URLs using regular expressions:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

Hope that helps.

Hi Jennifer,

Thank you for your reply. However, I have already seen this article and I have followed the steps, but I want to block all the IP addresses of my networks. Can you give me something more specific?

Thank you

Accepted Solution

Here we go:

regex domainFacebook "\.facebook\.com"
regex domainMyspace "\.myspace\.com"
regex domainTwitter "\.twitter\.com"
regex domainYoutube "\.youtube\.com"
regex domainDailymotion "\.dailymotion\.com"

class-map type regex match-any block-for-80-to-89
  match regex domainFacebook
  match regex domainMyspace
  match regex domainTwitter

class-map type regex match-any block-for-90-to-99
  match regex domainFacebook
  match regex domainMyspace
  match regex domainTwitter
  match regex domainYoutube
  match regex domainDailymotion

class-map type inspect http match-all block-80-89-class
  match request header host regex class block-for-80-to-89

class-map type inspect http match-all block-90-99-class
  match request header host regex class block-for-90-to-99

access-list match-80-89-acl permit tcp 192.168.2.80 255.255.255.248 any eq 80
access-list match-80-89-acl permit tcp 192.168.2.88 255.255.255.254 any eq 80
access-list match-90-99-acl permit tcp 192.168.2.90 255.255.255.254 any eq 80
access-list match-90-99-acl permit tcp 192.168.2.92 255.255.255.252 any eq 80
access-list match-90-99-acl permit tcp 192.168.2.96 255.255.255.252 any eq 80

class-map httptraffic80-89
  match access-list match-80-89-acl

class-map httptraffic90-99
  match access-list match-90-99-acl

policy-map type inspect http http_inspection_policy_80-89
  class block-80-89-class
    reset log

policy-map type inspect http http_inspection_policy_90-99
  class block-90-99-class
    reset log

policy-map inside-policy
  class httptraffic80-89
    inspect http http_inspection_policy_80-89
  class httptraffic90-99
    inspect http http_inspection_policy_90-99

service-policy inside-policy interface inside

Please kindly be advised that this is only for HTTP (not for HTTPS, as HTTPS is encrypted so it won't see the URL, therefore it can't be blocked).

On the inside ACL that is applied to the inside interface, you would also need to add the following:

access-list <inside-acl-name> permit tcp 192.168.2.70 255.255.255.254 any eq 80
access-list <inside-acl-name> permit tcp 192.168.2.72 255.255.255.248 any eq 80
access-list <inside-acl-name> permit tcp 192.168.2.80 255.255.255.240 any eq 80
access-list <inside-acl-name> permit tcp 192.168.2.96 255.255.255.252 any eq 80
access-list <inside-acl-name> deny tcp 192.168.2.100 255.255.255.252 any eq 80
access-list <inside-acl-name> deny tcp 192.168.2.104 255.255.255.248 any eq 80
access-list <inside-acl-name> deny tcp 192.168.2.112 255.255.255.240 any eq 80
access-list <inside-acl-name> deny tcp 192.168.2.128 255.255.255.192 any eq 80
access-list <inside-acl-name> deny tcp 192.168.2.192 255.255.255.248 any eq 80
access-list <inside-acl-name> permit ip any any
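
The Python model below is an added example for readers of this thread; it is not part of the accepted answer and not Cisco code. It takes the ACL entries and regexes from the answer above as data and checks, offline, which source hosts and which Host header values each rule covers. Two assumptions are made: the ASA's unanchored regex match on the Host header is approximated with Python's re.search(), and ipaddress.summarize_address_range is used to show how the network/mask pairs the answer built by hand fall out of a host range.

```python
import ipaddress
import re

# Added example (not from the thread or from Cisco): a model of the accepted
# configuration built from its own ACL entries and regexes, so the rules can
# be checked against the original requirement without touching a firewall.

# ASA regex objects from the answer. Assumption: ASA's unanchored regex match
# on the Host header value is modelled with Python re.search().
REGEXES = {
    "domainFacebook": r"\.facebook\.com",
    "domainMyspace": r"\.myspace\.com",
    "domainTwitter": r"\.twitter\.com",
    "domainYoutube": r"\.youtube\.com",
    "domainDailymotion": r"\.dailymotion\.com",
}

# class-map type regex match-any: a request is blocked when ANY listed regex
# matches its Host header.
BLOCK_CLASSES = {
    "block-for-80-to-89": ["domainFacebook", "domainMyspace", "domainTwitter"],
    "block-for-90-to-99": ["domainFacebook", "domainMyspace", "domainTwitter",
                           "domainYoutube", "domainDailymotion"],
}

# match-80-89-acl / match-90-99-acl entries (network/mask) that select which
# flows receive each HTTP inspection policy.
MATCH_ACLS = {
    "block-for-80-to-89": ["192.168.2.80/255.255.255.248",
                           "192.168.2.88/255.255.255.254"],
    "block-for-90-to-99": ["192.168.2.90/255.255.255.254",
                           "192.168.2.92/255.255.255.252",
                           "192.168.2.96/255.255.255.252"],
}

# Interface ACL entries for tcp/80, in order; first match wins. The closing
# "permit ip any any" is the default when nothing matches.
INSIDE_ACL = [
    ("permit", "192.168.2.70/255.255.255.254"),
    ("permit", "192.168.2.72/255.255.255.248"),
    ("permit", "192.168.2.80/255.255.255.240"),
    ("permit", "192.168.2.96/255.255.255.252"),
    ("deny", "192.168.2.100/255.255.255.252"),
    ("deny", "192.168.2.104/255.255.255.248"),
    ("deny", "192.168.2.112/255.255.255.240"),
    ("deny", "192.168.2.128/255.255.255.192"),
    ("deny", "192.168.2.192/255.255.255.248"),
]


def in_subnet(ip, net_mask):
    """True if ip falls inside 'network/dotted-mask'."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net_mask, strict=False)


def acl_entries_for_range(first, last):
    """Split an inclusive host range into the fewest 'network mask' pairs,
    the form ASA access-list entries take (what the answer did by hand)."""
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                             ipaddress.ip_address(last))
    return [f"{n.network_address} {n.netmask}" for n in nets]


def decide(src_ip, host_header, dst_port=80):
    """Outcome for one request from src_ip: 'denied-by-acl',
    'reset-by-inspection:<regex name>' or 'allowed'."""
    if dst_port != 80:
        # Only tcp/80 entries exist; other ports reach "permit ip any any"
        # and are not HTTP-inspected by this policy.
        return "allowed"
    for action, net in INSIDE_ACL:
        if in_subnet(src_ip, net):
            if action == "deny":
                return "denied-by-acl"
            break
    # HTTP inspection runs only for flows selected by the match-*-acl class-maps.
    for cls, nets in MATCH_ACLS.items():
        if any(in_subnet(src_ip, n) for n in nets):
            for name in BLOCK_CLASSES[cls]:
                if re.search(REGEXES[name], host_header):
                    return "reset-by-inspection:" + name
            return "allowed"
    return "allowed"


if __name__ == "__main__":
    # Constructed sample requests, one or two per range in the question.
    for src, host in [("192.168.2.75", "www.facebook.com"),
                      ("192.168.2.85", "www.facebook.com"),
                      ("192.168.2.85", "www.youtube.com"),
                      ("192.168.2.95", "www.youtube.com"),
                      ("192.168.2.150", "www.example.com"),
                      ("192.168.2.85", "facebook.com")]:
        print(f"{src:14} Host: {host:18} -> {decide(src, host)}")
    print("100-199 as ACL entries:",
          acl_entries_for_range("192.168.2.100", "192.168.2.199"))
```

Two things the model makes visible when run: a Host header of just facebook.com (no leading dot) does not match \.facebook\.com, so only names such as www.facebook.com are reset; and the interface ACL entries deny only tcp/80 for .100 to .199, so traffic from those hosts on other ports falls through to the final permit ip any any, in line with the HTTP-only caveat in the answer.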

I am not in front of my ASA right now; I am going to use your config tomorrow and I will get back to you.

Thanks a lot for your help

No problem, let us know how it goes tomorrow.

Hi Jennifer,

Thanks a lot for your support

No problem...
