Block Youtube.com Websites (URLs) Using Regular Expressions With MPF Configuration failure

WillCai
Level 1

I am trying to follow the article "ASA/PIX 8.x: Block Certain Websites (URLs) Using Regular Expressions With MPF Configuration Example" to block Youtube.com. Yahoo and MySpace are blocked successfully. However, Youtube.com can still be accessed. I just double-checked the code but did not see any problem. The attachment is the configuration. Please can someone help me with that.


Francesco Molino
VIP Alumni
Hi

The config looks correct. The regex solution was great but only works for http and not https.
If you don't have any FTD licenses, then have you tried configuring the ASA using fqdn, like:
object network Youtube
fqdn youtube.com
!
access-list inside_access_in extended deny ip any object Youtube

To work, you'll need to configure dns domain-lookup and you already have it on your config.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

Thanks for your response. I did try to configure FQDN. However, it is still not working. The attachment is the full configuration and show command.

Sincerely,

Shuzhou Cai

You don't need all:
dns domain-lookup outside
dns domain-lookup backup
dns domain-lookup Lawyer
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name google.com
dns server-group defaultDNS
name-server 208.67.220.220 outside
name-server 8.8.4.4 backup
name-server 208.67.222.222 outside
name-server 8.8.8.8 backup
name-server 75.75.75.75 Lawyer
name-server 75.75.74.74 Lawyer


Just configure the group DefaultDNS.
The youtube ACE is on line 4 and that's OK as it will be mostly https, but I would move it to the 1st position. It won't change anything in terms of working/not working.
You said it's not working, but I see some hit count for that rule (hitcnt=3).


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dear Francesco,

I just deleted all the commands you pointed out and configured just one group DefaultDNS. However, the website can still be accessed. By the way, I also moved the access-list entry to the 1st position. The attachment is the configuration file.

Thanks

Will

You forgot the line: dns domain-lookup outside

After you have added it, can you do a test and give the output of sh access-list.

In my previous answer, I saw that the rule to deny access was hit a few times, and that means it should work.
How are you testing it? Also, for the regex rule, are you testing by typing http:// or https:// ?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

I just denied all port 80 and 443 traffic since I didn't find a way to block some websites. Now I am trying to use the FQDN to permit some websites instead. I did follow your suggestion, but it still did not succeed. The attachment is the configuration and show access-list.

BTW, I am abandoning the Regular Expressions function since it cannot work for HTTPS.

Thanks,

Will Cai

Ok, I've done a quick test by allowing everything except youtube:

object network Youtube
 fqdn www.youtube.com
!
access-list inside_in extended deny ip any object Youtube
access-list inside_in extended permit ip any any
!

When I ping a website I get an answer, but when I try to access youtube.com I get denied:

 Deny icmp src inside:192.168.200.2 dst outside:172.217.13.174(www.youtube.com) (type 8, code 0) by access-group "inside_in" [0xcd241c70, 0xcd241c70]


Then it should work as well on your side. However, the config you attached is for denying everything except youtube.

Is your ASA able to resolve youtube.com?

Can you paste the output of show access-list Test_access_in?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

I did paste the output of show access-list Test_access_in in the last e-mail attachment. I have just separated it into a new file. The ASA is able to resolve youtube.com; you can see it in the show access-list Test_access_in output.

Sincerely,

Will Cai

Ok, let's do it again.

I was saying, can you go back to your first idea where you wanted to allow everything and deny Youtube?

In one of your previous outputs, I saw your ACL denying youtube being hit by traffic, and it should have worked at that time. I don't know which test you are doing to say that it's not working.

In your actual config, your ACL is:

access-list Test_access_in extended deny tcp object Test any eq www
access-list Test_access_in extended deny tcp object Test any eq https
access-list Test_access_in extended permit object-group TCPUDP object Test object Youtube eq www
access-list Test_access_in extended permit tcp object Test object Youtube eq https

The permit Youtube won't be hit because you have a deny statement before that rule that's denying all www and https traffic. Can you move it to the top to be sure that Youtube will be allowed and others denied?

It should work because when you do sh access-list, we see that the ASA is resolving the hostname www.youtube.com

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
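Most of the diagnosis in this thread comes down to reading show access-list: whether the ASA has actually expanded the fqdn object into an address (which needs dns domain-lookup on the interface that reaches the name servers), and whether the youtube line is being hit or is shadowed by a broader line above it. The following Python is an added example, not code from the thread or from Cisco, that parses a constructed sample of an object-network config and of show access-list output in the ASA style (object names, addresses and hit counts are made up) and reports both checks.

```python
import re

# Constructed sample config in the style of the thread's object definitions
# (not copied from the thread's attachments).
SAMPLE_CONFIG = """\
object network Youtube
 fqdn www.youtube.com
object network Blocked
 fqdn host.example.invalid
object network Test
 subnet 10.1.10.0 255.255.255.0
"""

# Constructed sample approximating ASA "show access-list" output: an ACE that
# references an fqdn object is followed by indented lines, one per address the
# ASA has resolved it to. Addresses and hit counts are made up for the example.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list Test_access_in; 4 elements; name hash: 0x00000000
access-list Test_access_in line 1 extended deny tcp object Test any eq www (hitcnt=40) 0x00000001
access-list Test_access_in line 2 extended permit tcp object Test object Youtube eq www (hitcnt=0) 0x00000002
  access-list Test_access_in line 2 extended permit tcp 10.1.10.0 255.255.255.0 fqdn www.youtube.com (172.217.13.174) eq www (hitcnt=0) 0x00000002
access-list Test_access_in line 3 extended deny ip any object Blocked (hitcnt=0) 0x00000003
access-list Test_access_in line 4 extended permit ip any any (hitcnt=120) 0x00000004
"""

OBJECT_RE = re.compile(r"^object network (\S+)$")
FQDN_CFG_RE = re.compile(r"^\s+fqdn (?:v4 |v6 )?(\S+)$")
ACE_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<body>.*?) \(hitcnt=(?P<hits>\d+)\)"
)
RESOLVED_RE = re.compile(r"fqdn (?P<fqdn>\S+) \((?P<addr>[0-9a-fA-F.:]+)\)")


def parse_fqdn_objects(config):
    """Map object-network name -> fqdn for objects defined with 'fqdn'."""
    objects, current = {}, None
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = FQDN_CFG_RE.match(line)
        if m and current:
            objects[current] = m.group(1)
    return objects


def parse_access_list(output):
    """Return one dict per ACE line; expanded fqdn lines carry 'resolved'."""
    entries = []
    for raw in output.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue  # skips the "; N elements" header and unrelated lines
        r = RESOLVED_RE.search(m.group("body"))
        entries.append({
            "line": int(m.group("line")),
            "action": m.group("action"),
            "body": m.group("body"),
            "hits": int(m.group("hits")),
            "expanded": bool(m.group("indent")),   # indented = DNS-expanded entry
            "fqdn": r.group("fqdn") if r else None,
            "resolved": r.group("addr") if r else None,
        })
    return entries


def fqdn_resolution(entries, objects):
    """For each fqdn object referenced by a top-level ACE, list the addresses
    the ASA has expanded it to. An empty list means the ACE can never match:
    the ASA has no DNS answer for the name (check dns domain-lookup)."""
    status = {}
    for e in entries:
        if e["expanded"]:
            continue
        for name, fqdn in objects.items():
            if re.search(r"\bobject %s\b" % re.escape(name), e["body"]):
                addrs = [x["resolved"] for x in entries
                         if x["expanded"] and x["line"] == e["line"] and x["fqdn"] == fqdn]
                status[fqdn] = sorted(addrs)
    return status


def possibly_shadowed(entries):
    """Heuristic: a top-level ACE with zero hits that is preceded by an ACE of
    the opposite action that is being hit. Returns (line, shadowed_by) pairs;
    ordering is the usual cause (a broad deny above a specific permit)."""
    top = [e for e in entries if not e["expanded"]]
    findings = []
    for i, e in enumerate(top):
        if e["hits"] != 0:
            continue
        for earlier in top[:i]:
            if earlier["action"] != e["action"] and earlier["hits"] > 0:
                findings.append((e["line"], earlier["line"]))
                break
    return findings


if __name__ == "__main__":
    objs = parse_fqdn_objects(SAMPLE_CONFIG)
    aces = parse_access_list(SAMPLE_SHOW_ACCESS_LIST)
    print("fqdn resolution:", fqdn_resolution(aces, objs))
    print("possibly shadowed (line, shadowed by):", possibly_shadowed(aces))
```

On the sample, the Youtube object resolves to one address while the Blocked object has no expanded entry at all, and the permit on line 2 is flagged as shadowed by the deny on line 1, which is exactly the ordering problem described above. The shadowing check is a heuristic on hit counts, not a full ACL overlap analysis, so treat a finding as something to confirm with packet-tracer rather than as proof.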

Hi Francesco,

I need to block all websites and open only one website for our customer. Therefore, I cannot go back to my first idea. I did try to move the youtube.com rule to the top of the access-list; however, it still cannot access youtube.com. The attachment is the sh access-list.

Thanks,

Will Cai

How are you testing youtube access?

What is the IP of your laptop?

There is no way that the rule is not hit by any traffic. 

Maybe we can do a webex session but not before January :-) sorry.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

The easy way to test is to use a computer connected to the Test LAN network and open the browser to browse www.youtube.com. The test computer IP is 10.1.10.63. However, it is still not able to access youtube.com. All right, we will keep in contact, and Happy New Year. Thanks.

Will Cai

Go on asa and do the following command:
packet-tracer input inside tcp 10.1.10.63 12345 fqdn www.youtube.com 80

And do the same command but replace 80 by 443.

Paste the output of both commands in a text file please.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Are you sure that you are trying http://youtube.com and not https://youtube.com?

MPF won't be able to detect https headers because they are encrypted.