Deny HTTPS "CONNECT" to IP-based URL @ ASA/FWSM

hasmurizal

Dear All,

We are having a problem, as end users have a lot of spyware/malware and have illegal proxies installed in the LAN.

One of the ideas is to deny HTTPS or "CONNECT"-type HTTP at the "inside FWSM/ASA" to any IP-based URL destination. Since the IP-based URLs are random, maybe a regex could help.

Please advise us how to do it. Thanks.


Hi, could you explain what you mean by an IP-based URL? (Does it mean users typing IP addresses in the browser instead of domain names?)

Hi Vikram,

Yes, that's what I meant (users typing IP addresses instead of name addresses).

Hi,

You can try this:

#####################################
regex ipurl "\.[0-255]\.[0-255]\.[0-255]\.[0-255]"
!
class-map type regex match-any domain-list
 match regex ipurl
!
class-map web
 match port tcp eq www
!
policy-map type inspect http URL
 parameters
 match request header host regex class domain-list
  drop-connection
!
policy-map global_policy
 class web
  inspect http URL
!
####################################

But if you are looking to filter HTTPS, you will have to go for an external URL filtering server.

Hoping this is what you are looking for.

-vikram

nice...

~~~~~~~~~~~~~~~~~~~~~
!
class-map web
 match port tcp eq www
!
~~~~~~~~~~~~~~~~~~~~~

For this portion, can we replace www with 443?

It wouldn't work if you replace "www" with "443" because the traffic is encrypted; for this very reason you will have to opt for an external URL filtering server.

I tried it once with 443 and it didn't work. You can give it a shot though.

Vikram

The regex in my earlier reply is horribly wrong.

I will post a reply as soon as I have an accurate one.

-Vikram

Hi,

The below regex will match anything but numbers in the host header (http://<>/index.html, basically the address typed in by the user).

The below code would drop the HTTP connection as long as there is no a-z or A-Z in the host header (which is basically only numbers in the host header).

#########################################
regex ipurl "[a-zA-Z]+"
!
class-map type regex match-any domain-list
 match regex ipurl
!
class-map web
 match port tcp eq www
!
policy-map type inspect http URL
 parameters
 match not request header host regex class domain-list
  drop-connection
!
policy-map global_policy
 class web
  inspect http URL
!
##########################################

I really hope this is helpful to you.

-Vikram
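As an added example (not part of the thread or of Cisco's documentation), the following Python script uses the standard re module to show what the two regexes posted above actually match against sample Host header values. It assumes Python's regex engine treats these simple patterns the same way the ASA does; the host values are constructed.

```python
import re

# Constructed sample Host header values, as a browser would send them.
SAMPLE_HOSTS = [
    "www.example.com",       # normal FQDN
    "10.1.2.3",              # IPv4 literal
    "203.0.113.45:8080",     # IPv4 literal with explicit port
    "intranet",              # single-label name, no dots
    "[2001:db8::1]",         # IPv6 literal (hex digits a-f are letters)
]

# First regex posted in the thread. Inside [...] "0-255" is a character class
# containing 0, 1, 2 and 5, not a numeric range, and the pattern needs four
# literal dots, so a dotted-quad host (three dots) can never match it.
FIRST_REGEX = re.compile(r"\.[0-255]\.[0-255]\.[0-255]\.[0-255]")

# Corrected regex from the thread: any run of letters. Because the policy-map
# uses "match not ... drop-connection", a Host header with no letters is dropped.
LETTER_REGEX = re.compile(r"[a-zA-Z]+")


def first_regex_matches(host):
    """True if the original (broken) regex matches the Host header value."""
    return FIRST_REGEX.search(host) is not None


def corrected_policy_drops(host):
    """Emulate 'match not request header host regex class domain-list' with
    drop-connection: the connection is dropped when no letter appears."""
    return LETTER_REGEX.search(host) is None


def classify(hosts):
    """Return, per host, whether each regex/policy would act on it."""
    return {
        host: {
            "first_regex_match": first_regex_matches(host),
            "dropped_by_corrected_policy": corrected_policy_drops(host),
        }
        for host in hosts
    }


if __name__ == "__main__":
    for host, result in classify(SAMPLE_HOSTS).items():
        print(f"{host:20} first_regex={str(result['first_regex_match']):5} "
              f"dropped={result['dropped_by_corrected_policy']}")
```

Note that the IPv6 literal is not dropped by the corrected policy because its hex digits contain letters, while a port suffix on an IPv4 literal does not change the outcome.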

hi.

Thanks for the info. I appreciate the help that I received.

Anyway, the real problem is due to this software, which can bypass content filtering and firewall configuration: http://www.ultrareach.net/

On the content filtering server, we have managed it by applying a deny "connect" regex for IP-address URLs. So I was thinking whether there is any way we can eliminate it on the FWSM in case the LAN does not have content filtering servers.

I will check in the near future as I don't have any spare ASA for now, and I will respond with any update later. Thank you.
