Hi Alain,

Thank you very much.

I wish I could get a one-on-one chat with you to resolve some minor issues, will be highly appreciated.

Thank you.

Hi,

no problem send me a PM.

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

I am a regular visitor and a member of Cisco support forum. I have seen many of your replies to users Query. You are doing a great Job....

Thanks

Roopesh

Hi Rupesh,

Thanks 

Regards.

Alain

Hi Paul,

send me all details by PM or mail. I'm only able to do this in the evening post 8 PM CET time +2

Regards.

Alain

Don't forget to rate helpful posts.

Hello cadet,

is there available any option for "blocking unwanted URL" with HTTPS traffic with "only" IOS ?

Hi,

I think it shall also work for HTTPS.The only thing won't be able to do is inspect the payload though as it is encrypted.

Regards.

Alain

Don't forget to rate helpful posts.

Hello Cadet,

no this configuration do NOT work for the httpS traffic (you can only block http traffic).

Hi roberto,

thanks for the info, i hadn't tried it before and couldn't find the information so that's why i was supposing it would work.

I found this:

HTTPS Establishes an underlying SSL conenction before any HTTP data is   transferred. This ensures that all URL data (with the exception of   hostname, which is used to establish the connection) is carried solely   within this encrypted connection and is protected from   man-in-the-middle attacks in the same way that any HTTPS data is.

So only the host field is not encrypted, I learned something new today.

Regards.

Alain

Don't forget to rate helpful posts.

I presume that:

1st) on IOS it is NOT possible to filter FQDN/URL HTTPS traffic

1 the DNS query or DNS-SEC answer

2 the Client Hello

TLS handshake occurs long before any HTTP traffic.

http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html

2nd) on latest ASA os it's "possible" using "FQDN access-lists":

https://supportforums.cisco.com/docs/DOC-17014

3rd) using latest ASA CX module      

Q.

Can ASA CX decrypt TLS/SSL or SSH traffic for inspection?

A. At initial release, ASA CX will be able to decrypt TLS/SSL. Decryption of SSH will be enabled in a future release. ASA CX will decrypt HTTPS traffic to identify encrypted applications. This decryption can be intelligently performed based on rich context parameters such as source (user, subnet), destination (FQDN, web category, subnet), and reputation of the destination servers.

Hi Alain,

Is there an exception for this rule? for instance, I have blocked the "FACEBOOK.COM" site, but I want to allow an individual ip, (10.10.10.23) to access the page FACEBOOK.com, how do I do that?

Thank you

Hi,

try this:

ip access-list extended block-exemption

permit ip host 10.10.10.23 any

class-map match-all BLOCK_EXEMPTION

match  access-group name block-exemption

class-map match-all BLOCKED

match not class-map BLOCK-EXEMPTION

match protocol http host "*facebook.com"

policy-map BLOCK

class BLOCKED

drop

interface vlan 1

service-policy input BLOCK

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

I config this router fine on saturday, but switching it on, my PCs cannot logon to the network, they are all point to "unidentified network" what else have I done wrong?

income(config)#exit

income#sh run

Building configuration...

Current configuration : 3490 bytes

!

! Last configuration change at 08:14:49 UTC Mon Oct 8 2012

! NVRAM config last updated at 08:10:29 UTC Mon Oct 8 2012

! NVRAM config last updated at 08:10:29 UTC Mon Oct 8 2012

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname income

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200

logging console critical

enable secret 5 $1$K/Wt$MOaWnBNOE9rLay.m8Sh4a.

enable password 7 151B050F0B272E76

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication enable default none

aaa authentication ppp default local

!

!

!

!

!

aaa session-id common

!

!

no ipv6 cef

no ip source-route

ip cef

!

!

!

ip dhcp excluded-address 10.10.10.1 10.10.10.39

!

ip dhcp pool users

network 10.10.10.0 255.255.255.0

default-router 10.10.10.1

dns-server 217.117.0.38 10.10.10.244

!

!

no ip bootp server

ip domain name incomeelectrix

ip name-server 217.117.0.38

ip name-server 10.10.10.244

!

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

!

license udi pid CISCO1941/K9 sn FCZ1633716L

license boot module c1900 technology-package securityk9

license boot module c1900 technology-package datak9

!

!

username income privilege 15 secret 4 HSyp0yWKpXLGNBvuMAwswNaIjZOwIZdQsd4T3M2hSo

A

!

redundancy

!

!

!

!

ip tcp synwait-time 10

!

class-map match-any BLOCKED

match protocol http host "*facebook.com"

match protocol http host "*youtube.com"

!

!

policy-map BLOCK

class BLOCKED

  drop

!

!

!

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

!

interface GigabitEthernet0/0

description $ES_LAN$$ETH-LAN$

ip address 10.10.10.1 255.255.255.0

ip helper-address 10.10.10.1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

no mop enabled

service-policy input BLOCK

!

interface GigabitEthernet0/1

description $ES_WAN$$ETH-WAN$

ip address 41.75.205.190 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

no mop enabled

!

!

router eigrp 109

network 10.0.0.0

network 41.0.0.0

!

router rip

version 2

network 10.0.0.0

network 41.0.0.0

no auto-summary

!

ip default-gateway 41.75.205.189

ip forward-protocol nd

!

ip http server

ip http authentication local

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat pool overld 41.75.205.190 41.75.205.190 prefix-length 24

ip nat inside source list 7 pool overld overload

ip route 0.0.0.0 0.0.0.0 41.75.205.189

!

logging trap debugging

access-list 7 permit 10.10.10.0 0.0.0.255

access-list 199 permit icmp any any

!

no cdp run

!

!

!

!

snmp-server community public RO

!

!

!

control-plane

!

!

banner login ^CWelcome to Incomeelectrix.^C

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

privilege level 15

password 7 11001706181F0E5D

transport input telnet ssh

transport output telnet ssh

line vty 5 15

privilege level 15

transport input telnet ssh

transport output telnet ssh

!

scheduler allocate 20000 1000

end

income#