Hi,
I am attempting to implement a basic URL filtering setup, without WebSense, as the requirements are pretty static.
Basically I want to allow certain inside hosts access to only a select list of URLs. These docs show how in a roundabout fashion:
I would have thought that the unresolved hostname would be logged rather than the IP. Not sure if this is my problem, but it is the theory at present. Anyone done this before? Turned on DNS on the ASA, still no good.
Parts of the config:
regex YELLOWPAGES "*yellowpages.com.au"
regex WHITEPAGES "*whitepages.com.au"
access-list INTERNET-RESTRICTED remark Hosts that have restricted Internet access
access-list INTERNET-RESTRICTED extended permit ip host 192.168.101.110 any
access-list INTERNET-RESTRICTED remark Head Office LAN has open Internet access
access-list INTERNET-RESTRICTED extended deny ip 192.168.101.0 255.255.255.0 any
access-list INTERNET-RESTRICTED remark Shops have restricted Internet access
access-list INTERNET-RESTRICTED extended permit ip 192.168.0.0 255.255.0.0 any
!
class-map type regex match-any RESTRICTED-URL
 match regex YELLOWPAGES
 match regex WHITEPAGES
class-map type inspect http match-all INTERNET-RESTRICTED-SITES
 match not request uri regex class RESTRICTED-URL
class-map inspection_default
 match default-inspection-traffic
class-map INTERNET-RESTRICTED
 match access-list INTERNET-RESTRICTED
!
!
policy-map type inspect http POLICY-INTERNET-RESTRICTED
 parameters
 class INTERNET-RESTRICTED-SITES
  drop-connection log
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 2048
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect snmp
  inspect esmtp
policy-map INTERNET-OUTBOUND
 class INTERNET-RESTRICTED
  inspect http POLICY-INTERNET-RESTRICTED
!
service-policy global_policy global
service-policy INTERNET-OUTBOUND interface inside