1. Home
  2. Cisco Systems
  3. ASA HTTP Inspection & URL filtering

ASA HTTP Inspection & URL filtering

Hi,

I am attempting to implement a basic URL filtering setup - without WebSense as the requirements are pretty static.

Basically I want to allow certain inside host access to only a select list of URL's. This docs show how in a round about fashion:

formatting link
When I apply the below config the hosts with restricted Internet access can't get to the two URL's allowed. I suspect the problem is that my regular expressions don't seem to match as the ASA is seeing (well is logging anyway) http://203.36.59.1/blah.... rather than
formatting link
Example from the log: Sep 14 2007 10:54:01: %ASA-5-304001: 192.168.101.88 Accessed URL

38.96.182.20:/mb/text_group.php?sid=218169&zs=3732385f3930

I would have thought that the unresolved hostname would be logged rather than the IP. Not sure if this is my problem but is the theory at present. Anyone done this before? Turned on DNS on the ASA, still no good.

Parts of the config:

regex YELLOWPAGES "*yellowpages.com.au" regex WHITEPAGES "*whitepages.com.au"

access-list INTERNET-RESTRICTED remark Hosts that have restricted Internet access access-list INTERNET-RESTRICTED extended permit ip host

192.168.101.110 any access-list INTERNET-RESTRICTED remark Head Office LAN has open Internet access access-list INTERNET-RESTRICTED extended deny ip 192.168.101.0 255.255.255.0 any access-list INTERNET-RESTRICTED remark Shops have restricted Internet access access-list INTERNET-RESTRICTED extended permit ip 192.168.0.0 255.255.0.0 any

! class-map type regex match-any RESTRICTED-URL match regex YELLOWPAGES match regex WHITEPAGES class-map type inspect http match-all INTERNET-RESTRICTED-SITES match not request uri regex class RESTRICTED-URL class-map inspection_default match default-inspection-traffic class-map INTERNET-RESTRICTED match access-list INTERNET-RESTRICTED ! ! policy-map type inspect http POLICY-INTERNET-RESTRICTED parameters class INTERNET-RESTRICTED-SITES drop-connection log policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum 2048 policy-map global_policy class inspection_default inspect dns migrated_dns_map_1 inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect pptp inspect rsh inspect rtsp inspect skinny inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp inspect http inspect snmp inspect esmtp policy-map INTERNET-OUTBOUND class INTERNET-RESTRICTED inspect http POLICY-INTERNET-RESTRICTED ! service-policy global_policy global service-policy INTERNET-OUTBOUND interface inside

Reply to
Kent
Loading thread data ...

fashion:

formatting link

than

formatting link

Has anyone out there got something similar to work?

Reply to
Kent

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.