ASA URL filtering without Websense

Unanswered Question
Sep 18th, 2007

Hi,

I am attempting to implement a basic URL filtering setup, without WebSense, as the requirements are pretty static.

Basically I want to allow certain inside hosts access to only a select list of URLs. This doc shows how, in a roundabout fashion:

http://www.cisco.com/en/US/customer/docs/security/asa/asa72/configuration/guide/inspect.html#wp1479354

When I apply the below config, the hosts with restricted Internet access can't get to the two URLs allowed. I suspect the problem is that my regular expressions don't seem to match, as the ASA is seeing (well, is logging anyway) http://203.36.59.1/blah.... rather than http://www.yellowpages.com.au/blah...

Example from the log:

Sep 14 2007 10:54:01: %ASA-5-304001: 192.168.101.88 Accessed URL 38.96.182.20:/mb/text_group.php?sid=218169&zs=3732385f3930

I would have thought that the unresolved hostname would be logged rather than the IP. Not sure if this is my problem, but it is the theory at present. Anyone done this before? Turned on DNS on the ASA, still no good.

Maybe the Plus license is needed for this feature?

Parts of the config:

regex YELLOWPAGES "*yellowpages.com.au"
regex WHITEPAGES "*whitepages.com.au"
access-list INTERNET-RESTRICTED remark Hosts that have restricted Internet access
access-list INTERNET-RESTRICTED extended permit ip host 192.168.101.110 any
access-list INTERNET-RESTRICTED remark Head Office LAN has open Internet access
access-list INTERNET-RESTRICTED extended deny ip 192.168.101.0 255.255.255.0 any
access-list INTERNET-RESTRICTED remark Shops have restricted Internet access
access-list INTERNET-RESTRICTED extended permit ip 192.168.0.0 255.255.0.0 any
!
class-map type regex match-any RESTRICTED-URL
 match regex YELLOWPAGES
 match regex WHITEPAGES
class-map type inspect http match-all INTERNET-RESTRICTED-SITES
 match not request uri regex class RESTRICTED-URL
class-map inspection_default
 match default-inspection-traffic
class-map INTERNET-RESTRICTED
 match access-list INTERNET-RESTRICTED
!
!
policy-map type inspect http POLICY-INTERNET-RESTRICTED
 parameters
 class INTERNET-RESTRICTED-SITES
  drop-connection log
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 2048
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect snmp
  inspect esmtp
policy-map INTERNET-OUTBOUND
 class INTERNET-RESTRICTED
  inspect http POLICY-INTERNET-RESTRICTED
!
service-policy global_policy global
service-policy INTERNET-OUTBOUND interface inside

a.alekseev Tue, 09/18/2007 - 05:00

You must use another match in the class for doing this (RESTRICTED-URL is a regex class-map, so it is referenced with "regex class"):

 match not request header host regex class RESTRICTED-URL

kent.plummer Tue, 09/18/2007 - 18:29

Thanks. This seems to work.

This is not at all mentioned in any of the doco on cisco.com. The command lookup tool doesn't even have anything on the "host" option.

a.alekseev Tue, 09/18/2007 - 20:39

The URI never contains the host's name.

Use a sniffer for a better understanding.

If you find posts helpful rate it
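As an added example, not Cisco code and not anything posted in this thread, the following Python models the three decisions the configuration above makes for one outbound request: whether the source address falls into class INTERNET-RESTRICTED (the access-list's deny entry exempts the head-office LAN rather than dropping it), what the original "match not request uri regex class" can see, and what the suggested "match not request header host regex class" sees. The addresses, the raw HTTP requests and the Python-form regexes are constructed for the example; the ASA's own regex engine is not involved, and the leading "*" from the posted regex objects is replaced by ".*" because Python's re module rejects it.

```python
"""Model of the ASA policy from this thread (added example, not Cisco code).

It reproduces three decisions the Modular Policy Framework makes for an
outbound HTTP request: whether the source is in class INTERNET-RESTRICTED,
what the poster's "match not request uri regex class" sees, and what the
suggested "match not request header host regex class" sees. Addresses,
requests and the Python-form regexes below are constructed for the example.
"""
from __future__ import annotations

import ipaddress
import re

# The poster's access-list, in order. In an MPF class-map, "match access-list"
# treats a deny entry as "not in this class" (an exemption, not a drop), and
# the first matching entry wins.
ACL_INTERNET_RESTRICTED = [
    ("permit", ipaddress.ip_network("192.168.101.110/32")),  # one restricted HQ host
    ("deny", ipaddress.ip_network("192.168.101.0/24")),      # rest of head office: open
    ("permit", ipaddress.ip_network("192.168.0.0/16")),      # shops: restricted
]

# Allow-list as Python patterns. The post's "*yellowpages.com.au" has a leading
# '*' that Python's re module rejects; UNANCHORED is my reading of its intent.
# ANCHORED additionally pins the suffix to the end of the Host value (allowing
# an optional :port), which is what a production allow-list needs.
UNANCHORED = [re.compile(r".*yellowpages\.com\.au"), re.compile(r".*whitepages\.com\.au")]
ANCHORED = [
    re.compile(r"(^|\.)yellowpages\.com\.au(:\d+)?$"),
    re.compile(r"(^|\.)whitepages\.com\.au(:\d+)?$"),
]


def in_restricted_class(src_ip: str) -> bool:
    """First-match ACL evaluation: permit -> in class, deny -> exempt, no match -> out."""
    ip = ipaddress.ip_address(src_ip)
    for action, network in ACL_INTERNET_RESTRICTED:
        if ip in network:
            return action == "permit"
    return False


def parse_request(raw: bytes) -> tuple[str, str | None]:
    """Return (request-URI, Host header value or None) from a raw HTTP request.

    The request line carries only the path and query; the hostname travels in
    the Host header. That is why a "request uri" match never sees a domain and
    why the ASA log line in the post shows an IP followed by a bare path.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, uri, _version = lines[0].split(" ", 2)
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    return uri, host


def verdict(src_ip: str, raw: bytes, field: str = "host", patterns=ANCHORED) -> str:
    """Return 'pass' or 'drop' for one request through the modelled policy.

    field="uri" models the poster's class-map, field="host" the suggested fix.
    Both are "match not ... regex class": a request whose inspected field does
    NOT match any allow-list pattern lands in INTERNET-RESTRICTED-SITES and is
    dropped; a request without a Host header (HTTP/1.0) therefore also drops.
    """
    if not in_restricted_class(src_ip):
        return "pass"  # no inspect-http policy is applied to this traffic
    uri, host = parse_request(raw)
    value = uri if field == "uri" else host
    allowed = value is not None and any(p.search(value) for p in patterns)
    return "pass" if allowed else "drop"


# Constructed sample requests.
REQ_YP = b"GET /search?clue=plumber HTTP/1.1\r\nHost: www.yellowpages.com.au\r\n\r\n"
REQ_OTHER = (b"GET /mb/text_group.php?sid=218169&zs=3732385f3930 HTTP/1.1\r\n"
             b"Host: example.net\r\n\r\n")
REQ_LOOKALIKE = b"GET / HTTP/1.1\r\nHost: www.yellowpages.com.au.attacker.example\r\n\r\n"

if __name__ == "__main__":
    shop, hq, hq_restricted = "192.168.5.10", "192.168.101.50", "192.168.101.110"
    print("poster's uri match, allowed site :", verdict(shop, REQ_YP, "uri", UNANCHORED))   # drop
    print("host match, allowed site         :", verdict(shop, REQ_YP, "host", UNANCHORED))  # pass
    print("host match, other site           :", verdict(shop, REQ_OTHER))                   # drop
    print("head office, other site          :", verdict(hq, REQ_OTHER))                     # pass
    print("restricted HQ host, other site   :", verdict(hq_restricted, REQ_OTHER))          # drop
    print("lookalike host, unanchored regex :", verdict(shop, REQ_LOOKALIKE, "host", UNANCHORED))  # pass
    print("lookalike host, anchored regex   :", verdict(shop, REQ_LOOKALIKE))               # drop
```

The first line of output is the symptom from the original post: with the URI as the inspected field, even the allowed site is dropped, because the path "/search?clue=plumber" contains no hostname. The last two lines are the caveat to carry back to the real ASA: an unanchored host pattern also accepts "www.yellowpages.com.au.attacker.example", so the host regex should be anchored to the end of the header value once the class-map is switched to the Host header.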
