[c-nsp] Cisco asa5550 url filter
Ramcharan, Vijay A
vijay.ramcharan at verizonbusiness.com
Fri Mar 19 10:41:23 EDT 2010
I suggest running the scenario through Dynamips and PEMU for test
purposes so you don't affect production traffic.
AFAIK, the configuration unfortunately doesn't really get simpler than
what the URL provided.
Out of the box URL filtering requires RegEx and an MPF configuration.
Regarding a question on possible action only being "block/reset/log".
That is true. However, you can use a negative condition to "permit" what
you want with "match not" in your http inspection class-map.
While I have not specifically used MPF for http blocking, I have used it
for FTP. The example below is an example of only permitting a certain
filename to be retrieved via FTP while denying everything else.
Yes I'm aware that it's an FTP example, but the same basic logic
should/would apply for any other type of traffic which can be inspected.
! Regex for the one file name that is allowed to be retrieved.
regex SymPtrn2 "minitri\.flg"
class-map type regex match-any cls-symantec-files
 match regex SymPtrn2
! Negative condition: matches every FTP request whose filename is NOT in the list.
class-map type inspect ftp match-all cls-deny-ftp
 match not filename regex class cls-symantec-files
class-map ftp-traffic
 match port tcp eq ftp
! Reset and log anything that matched the negative class.
policy-map type inspect ftp checkftp
 parameters
 class cls-deny-ftp
  reset log
policy-map mondmz-policy
 class ftp-traffic
  inspect ftp strict checkftp
service-policy mondmz-policy interface mondmz
Vijay Ramcharan
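The same "match not" pattern applied to HTTP, as an added example that is not from Vijay's message or from the Cisco document he links. It allows one inside client to reach www.youtube.com over plain HTTP and drops any other HTTP request from that client based on the Host header. The client address 192.0.2.10, the interface name "inside", and the names allowed-host, cls-allowed-hosts, cls-deny-other-http, http-allowlist, client-http, http-traffic and inside-policy are all assumptions.

```cisco
! Added example (not from the thread). Constructed values: client 192.0.2.10,
! interface "inside"; all object names are assumptions.
!
! Regex for the one permitted Host header. Anchored with ^ and $ so that
! "www.youtube.com.example.net" or "evilwww.youtube.com" do not match.
regex allowed-host "^www\.youtube\.com$"
!
class-map type regex match-any cls-allowed-hosts
 match regex allowed-host
!
! Negative condition: matches every HTTP request whose Host header is NOT
! in the allow list.
class-map type inspect http match-all cls-deny-other-http
 match not request header host regex class cls-allowed-hosts
!
! Drop and log anything that matched the negative class.
policy-map type inspect http http-allowlist
 parameters
 class cls-deny-other-http
  drop-connection log
!
! Scope the inspection to this one client's port-80 traffic so the rest of
! the inside network is untouched.
access-list client-http extended permit tcp host 192.0.2.10 any eq www
class-map http-traffic
 match access-list client-http
!
policy-map inside-policy
 class http-traffic
  inspect http http-allowlist
!
service-policy inside-policy interface inside
```

Two caveats before relying on this. It only governs port 80: the HTTP inspection engine cannot read the Host header of an HTTPS session, so port 443 from that client still needs to be handled separately or the "one site only" goal is not met. And the drop counters for the inspection policy can be checked with "show service-policy inspect http" once traffic is flowing, which is the quickest way to confirm the negative match is hitting what you expect; as Vijay says, do that in Dynamips/PEMU first rather than on production.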
From: Bunny Singh [mailto:jump2fly82 at yahoo.com]
Sent: Friday, March 19, 2010 9:55 AM
To: cisco-nsp at puck.nether.net; Ramcharan, Vijay A
Subject: Re: [c-nsp] Cisco asa5550 url filter
Hi Vijay,
Thanks for the reply,
I have checked and tried to do it, but I am facing an issue: the example given is
too complicated and it is difficult to do the test on the production
environment.
Can you share an example of allowing access to a single site?
I am very thankful to you.
Regards
Bunny
--- On Fri, 3/19/10, Ramcharan, Vijay A
<vijay.ramcharan at verizonbusiness.com> wrote:
From: Ramcharan, Vijay A <vijay.ramcharan at verizonbusiness.com>
Subject: Re: [c-nsp] Cisco asa5550 url filter
To: cisco-nsp at puck.nether.net
Date: Friday, March 19, 2010, 1:24 PM
Try Google or Bing with search string "asa inspect http regex"
The example given below is for blocking certain websites but you
should be able to come up with a configuration that only allows certain
sites and block everything else.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
Vijay Ramcharan
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bunny Singh
Sent: Friday, March 19, 2010 7:39 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco asa5550 url filter
Hi,
We are using a Cisco ASA 5550, and I want to put a URL-based
ACL/filter in place for a particular client.
We have one client on the inside interface who needs access to
www.youtube.com only (on the outside interface), and we are
not able to restrict this through IP ACLs, as YouTube's IPs change
periodically.
So, is there any way to put an HTTP URL filter in place that opens only a single
desired site and denies everything else?
Regards
DJ Singh
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/