ASA URL filtering without Websense

Sep 18th, 2007

I am attempting to implement a basic URL filtering setup - without WebSense as the requirements are pretty static.

Basically I want to allow certain inside hosts access to only a select list of URLs. These docs show how in a roundabout fashion:

When I apply the below config the hosts with restricted Internet access can't get to the two URLs allowed. I suspect the problem is that my regular expressions don't seem to match as the ASA is seeing (well is logging anyway) rather than

Example from the log:

Sep 14 2007 10:54:01: %ASA-5-304001: Accessed URL

I would have thought that the unresolved hostname would be logged rather than the IP. Not sure if this is my problem but it is the theory at present. Anyone done this before? Turned on DNS on the ASA, still no good.

Maybe the Plus license is needed for this feature?

Parts of the config:


regex WHITEPAGES "*"
access-list INTERNET-RESTRICTED remark Hosts that have restricted Internet access
access-list INTERNET-RESTRICTED extended permit ip host any
access-list INTERNET-RESTRICTED remark Head Office LAN has open Internet access
access-list INTERNET-RESTRICTED extended deny ip any
access-list INTERNET-RESTRICTED remark Shops have restricted Internet

access-list INTERNET-RESTRICTED extended permit ip any

class-map type regex match-any RESTRICTED-URL
 match regex YELLOWPAGES
 match regex WHITEPAGES
class-map type inspect http match-all INTERNET-RESTRICTED-SITES
 match not request uri regex class RESTRICTED-URL
class-map inspection_default
 match default-inspection-traffic

 match access-list INTERNET-RESTRICTED

policy-map type inspect http POLICY-INTERNET-RESTRICTED

  drop-connection log
policy-map type inspect dns migrated_dns_map_1

  message-length maximum 2048
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect snmp
  inspect esmtp

service-policy global_policy global
service-policy INTERNET-OUTBOUND interface inside

a.alekseev Tue, 09/18/2007 - 05:00

You must use another class for doing this.

match not request header host regex RESTRICTED-URL

kent.plummer Tue, 09/18/2007 - 18:29
Thanks. This seems to work.

This is not at all mentioned in any of the doco on The command lookup tool doesn't even have anything on the "host" option.

a.alekseev Tue, 09/18/2007 - 20:39

The URI never contains the host's name.

Use some sniffer for better understanding.

If you find posts helpful rate it
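As an added illustration of the reply above (example code, not from the thread or from Cisco), here is a Python sketch that parses a constructed HTTP/1.1 request the way a sniffer would show it and emulates both class-map variants: the site name travels in the Host header, so a regex applied to the request URI never sees it (the exception is a proxy-style absolute-form request, which carries the full URL in the request line). The RESTRICTED-URL patterns and host names are hypothetical stand-ins.

```python
import re

# Constructed sample requests (not from the thread): what a sniffer shows for
# a browser talking to a web server. The request-line URI is only the path;
# the site name travels in the Host header.
ALLOWED_REQUEST = (
    "GET /search?q=plumber HTTP/1.1\r\n"
    "Host: www.whitepages.example\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)
OTHER_REQUEST = (
    "GET /search?q=plumber HTTP/1.1\r\n"
    "Host: www.somewhere-else.example\r\n\r\n"
)

# Hypothetical stand-in for the thread's RESTRICTED-URL regex class;
# the real patterns are not visible in the post.
ALLOWED_PATTERNS = [r"whitepages", r"yellowpages"]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, uri, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def matches_any(text, patterns):
    return any(re.search(p, text) for p in patterns)


def uri_rule_drops(raw):
    """Emulates the original 'match not request uri regex class RESTRICTED-URL'
    class-map: the connection is dropped when no pattern matches the URI."""
    _, uri, _ = parse_request(raw)
    return not matches_any(uri, ALLOWED_PATTERNS)


def host_rule_drops(raw):
    """Emulates the suggested 'match not request header host regex' class-map:
    the connection is dropped when no pattern matches the Host header."""
    _, _, headers = parse_request(raw)
    return not matches_any(headers.get("host", ""), ALLOWED_PATTERNS)
```

Run against ALLOWED_REQUEST, the URI-based rule drops even the allow-listed site (which is the symptom in the question), while the Host-header rule permits it and still drops OTHER_REQUEST.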
