[c-nsp] Cisco asa5550 url filter

Bunny Singh jump2fly82 at yahoo.com
Sat Mar 20 13:13:39 EDT 2010


Hi,
 
Thanks for the information and example. It works after changing a few things.
 
Thanks once again for the help.
 
Regards
Bunny Singh

--- On Fri, 3/19/10, Ramcharan, Vijay A <vijay.ramcharan at verizonbusiness.com> wrote:


From: Ramcharan, Vijay A <vijay.ramcharan at verizonbusiness.com>
Subject: Re: [c-nsp] Cisco asa5550 url filter
To: cisco-nsp at puck.nether.net
Date: Friday, March 19, 2010, 2:41 PM


I suggest running the scenario through Dynamips and PEMU for test
purposes so you don't affect production traffic. 

AFAIK, the configuration unfortunately doesn't really get simpler than
what the URL provided. 

Out of the box, URL filtering requires a RegEx and an MPF configuration. 



Regarding the question about the possible actions only being "block/reset/log":
that is true. However, you can use a negative condition to "permit" what
you want with "match not" in your http inspection class-map. 

While I have not specifically used MPF for http blocking, I have used it
for FTP. The example below is an example of only permitting a certain
filename to be retrieved via FTP while denying everything else. 



Yes I'm aware that it's an FTP example, but the same basic logic
should/would apply for any other type of traffic which can be inspected.




regex SymPtrn2 "minitri\.flg"

class-map type regex match-any cls-symantec-files
 match regex SymPtrn2

class-map type inspect ftp match-all cls-deny-ftp
 match not filename regex class cls-symantec-files

class-map ftp-traffic
 match port tcp eq ftp

policy-map type inspect ftp checkftp
 parameters
 class cls-deny-ftp
  reset log

policy-map mondmz-policy
 class ftp-traffic
  inspect ftp strict checkftp

service-policy mondmz-policy interface mondmz





Vijay Ramcharan 
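The HTTP counterpart of the FTP configuration above, as an added example that is not part of Vijay's post or of Cisco's documentation; the client address 192.0.2.10, the interface name "inside" and all object names are assumed placeholders:

```cisco
! Added example: allow one client to reach only www.youtube.com over HTTP.
! Assumed placeholders: client 192.0.2.10, interface "inside", object names.
regex AllowedHost "www\.youtube\.com"

class-map type regex match-any cls-allowed-hosts
 match regex AllowedHost

! Matches every request whose Host header is NOT in the allowed list
class-map type inspect http match-all cls-deny-http
 match not request header host regex class cls-allowed-hosts

policy-map type inspect http checkhttp
 class cls-deny-http
  reset log

! Scope the inspection to the one client's plain-HTTP traffic (tcp/80)
access-list ACL-RESTRICTED-CLIENT extended permit tcp host 192.0.2.10 any eq www
class-map restricted-client-http
 match access-list ACL-RESTRICTED-CLIENT

policy-map inside-policy
 class restricted-client-http
  inspect http checkhttp

service-policy inside-policy interface inside
```

The Host header is only visible to inspect http on cleartext HTTP, so HTTPS sessions from this client are not covered by the regex check and need a separate decision (for example an ACL on tcp/443). An interface takes a single service-policy, so if "inside" already has one, add the class to that policy-map instead of applying a second one.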

From: Bunny Singh [mailto:jump2fly82 at yahoo.com] 
Sent: Friday, March 19, 2010 9:55 AM
To: cisco-nsp at puck.nether.net; Ramcharan, Vijay A
Subject: Re: [c-nsp] Cisco asa5550 url filter



Hi Vijay, 



Thanks for the reply,



I have checked and tried to do it, but I am facing an issue as the example
given is too complicated and it is difficult to do the test on the
production environment.



Can you share an example of allowing access for a single site?



I am very thankful to you.





Regards

Bunny

--- On Fri, 3/19/10, Ramcharan, Vijay A
<vijay.ramcharan at verizonbusiness.com> wrote:

    
    From: Ramcharan, Vijay A <vijay.ramcharan at verizonbusiness.com>
    Subject: Re: [c-nsp] Cisco asa5550 url filter
    To: cisco-nsp at puck.nether.net
    Date: Friday, March 19, 2010, 1:24 PM

    Try Google or Bing with search string "asa inspect http regex" 
    The example given below is for blocking certain websites but you
should be able to come up with a configuration that only allows certain
sites and block everything else. 
    
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml 
    
    Vijay Ramcharan 
    
    
    -----Original Message-----
    From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bunny Singh
    Sent: Friday, March 19, 2010 7:39 AM
    To: cisco-nsp at puck.nether.net
    Subject: [c-nsp] Cisco asa5550 url filter
    
    Hi, 
     
    We are using a Cisco ASA5550, and I want to put a URL-based
ACL/filter in place for a particular client.
     
    We have one client on the inside interface who needs access to
www.youtube.com only (outside interface). We are not able to restrict
this through IP ACLs as YouTube's IPs change periodically.
     
    So is there any way to put an HTTP URL filter in place that opens only
a single desired site and denies everything else?
     
    Regards
    DJ Singh
    
    
    _______________________________________________
    cisco-nsp mailing list  cisco-nsp at puck.nether.net
    https://puck.nether.net/mailman/listinfo/cisco-nsp
    archive at http://puck.nether.net/pipermail/cisco-nsp/



