[c-nsp] Cisco asa5550 url filter

Ramcharan, Vijay A vijay.ramcharan at verizonbusiness.com
Fri Mar 19 10:41:23 EDT 2010


I suggest running the scenario through Dynamips and PEMU for test
purposes so you don't affect production traffic. 

AFAIK, the configuration unfortunately doesn't really get simpler than
what the URL provided. 

Out of the box, URL filtering requires regex and an MPF configuration.

Regarding the question about the possible actions only being "block/reset/log": that is true. However, you can use a negative condition to "permit" what you want with "match not" in your http inspection class-map.

While I have not specifically used MPF for HTTP blocking, I have used it for FTP. The example below permits only a certain filename to be retrieved via FTP while denying everything else.

Yes, I'm aware that it's an FTP example, but the same basic logic should/would apply to any other type of traffic that can be inspected.

regex SymPtrn2 "minitri\.flg"

class-map type regex match-any cls-symantec-files
 match regex SymPtrn2

class-map type inspect ftp match-all cls-deny-ftp
 match not filename regex class cls-symantec-files

class-map ftp-traffic
 match port tcp eq ftp

policy-map type inspect ftp checkftp
 parameters
 class cls-deny-ftp
  reset log

policy-map mondmz-policy
 class ftp-traffic
  inspect ftp strict checkftp

service-policy mondmz-policy interface mondmz

Vijay Ramcharan 
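
Applied to the original question (one inside client allowed to reach www.youtube.com over HTTP and nothing else), the same "match not" pattern gives the configuration below. This is an added example and is not part of the original post or a Cisco-supplied configuration; the client address 192.0.2.10, the interface name "inside" and all object names are assumptions.

```text
! Added example: HTTP allow-list for a single client using ASA MPF.
! Not from the original post. Assumptions: client is 192.0.2.10 on
! interface "inside"; all names below are illustrative.

! Allowed Host header values. Anchored with ^ and $ so that a host such as
! youtube.com.example.net does not match; "(www\.)?" covers both
! youtube.com and www.youtube.com. (In the CLI, press Ctrl-V before "?"
! so it is not taken as the help key.)
regex rx-youtube-host "^(www\.)?youtube\.com$"

class-map type regex match-any cls-allowed-hosts
 match regex rx-youtube-host

! Inspection class: any HTTP request whose Host header is NOT on the list.
class-map type inspect http match-all cls-http-not-allowed
 match not request header host regex class cls-allowed-hosts

! Layer 3/4 class: only this client's port-80 traffic is subject to the policy.
access-list acl-client-web extended permit tcp host 192.0.2.10 any eq www
class-map cls-client-web
 match access-list acl-client-web

! HTTP inspection policy: drop and log every request that is not to the allowed host.
policy-map type inspect http pm-http-allowlist
 parameters
  protocol-violation action drop-connection log
 class cls-http-not-allowed
  drop-connection log

! Apply the inspection to the client's traffic on the inside interface.
policy-map pm-inside
 class cls-client-web
  inspect http pm-http-allowlist
service-policy pm-inside interface inside
```

Before putting this on a production box, check the pattern with `test regex www.youtube.com "^(www\.)?youtube\.com$"` (and a negative case), then confirm hits with `show service-policy interface inside`. Three caveats a practitioner should weigh: `inspect http` only sees clear-text HTTP, so port 443 is not covered and needs its own ACL decision; the Host header is written by the client, so this stops ordinary browsing to other sites but not a deliberate bypass (a client can send `Host: www.youtube.com` to any server), and it should be combined with IP ACLs where that matters; and a site like YouTube loads assets from other hostnames, so an allow-list of exactly one Host value will probably break playback until the regex class is extended from what the logs show.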

From: Bunny Singh [mailto:jump2fly82 at yahoo.com] 
Sent: Friday, March 19, 2010 9:55 AM
To: cisco-nsp at puck.nether.net; Ramcharan, Vijay A
Subject: Re: [c-nsp] Cisco asa5550 url filter

Hi Vijay,

Thanks for the reply.

I have checked and tried to do it, but I am facing an issue, as the example given is too complicated and it is difficult to test in the production environment.

Can you share an example of allowing access to a single site?

I am very thankful to you.

Regards
Bunny

--- On Fri, 3/19/10, Ramcharan, Vijay A
<vijay.ramcharan at verizonbusiness.com> wrote:

	From: Ramcharan, Vijay A <vijay.ramcharan at verizonbusiness.com>
	Subject: Re: [c-nsp] Cisco asa5550 url filter
	To: cisco-nsp at puck.nether.net
	Date: Friday, March 19, 2010, 1:24 PM

	Try Google or Bing with the search string "asa inspect http regex".
	The example given below is for blocking certain websites, but you
should be able to come up with a configuration that only allows certain
sites and blocks everything else.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

	Vijay Ramcharan

	-----Original Message-----
	From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bunny Singh
	Sent: Friday, March 19, 2010 7:39 AM
	To: cisco-nsp at puck.nether.net
	Subject: [c-nsp] Cisco asa5550 url filter

	Hi,

	We are using a Cisco ASA 5550, and I want to put a URL-based
ACL/filter in place for a particular client.

	We have one client on the inside interface who needs access to
www.youtube.com only (on the outside interface). We are not able to
restrict this through IP ACLs, as the YouTube IPs change periodically.

	So is there any way to put an HTTP URL filter in place that opens
only a single desired site and denies everything else?

	Regards
	DJ Singh
	_______________________________________________
	cisco-nsp mailing list  cisco-nsp at puck.nether.net
	https://puck.nether.net/mailman/listinfo/cisco-nsp
	archive at http://puck.nether.net/pipermail/cisco-nsp/

