03-10-2009 06:37 AM - edited 03-06-2019 04:30 AM
All,
I don't think this is possible without extra equipment/software, but I wanted to ask.
Is there a way that I can create a time-based ACL and apply that policy-map to the ACL (or vice-versa)?
What I want to do is restrict flash applications between 5 - 7:30PM. I know that I can restrict URLs through a class-map, so I thought I would be able to restrict *.flv and *.swf between that time. Is there a way to do it?
I have either an 871W or an ASA that I can do this on. (The ASA is behind the 871W.)
Thanks,
John
03-10-2009 08:36 AM
My example would be for a router. Not sure if the ASA has the features to do this but if it does this should work with some modification to fit for the ASA.
You would write your ACL that matches ip access-list 100 permit ip any any time-range TIME (specify this range with the time-range command in global config.)
class-map match-all CLASSMAP
this class map would then match the ACL
and it would then match your *.flv using NBAR
policy-map 1
class 1
shape? or police or drop or whatever..
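A complete router configuration along the lines Mike sketches, added here as an example and not taken from any post in the thread. The host address, ACL number, class/policy names and interface names follow what John later posts; the time-range name, NTP server and time zone are assumptions.

```cisco
! Added example, not from the original posts: a complete IOS config for the 871W
! that follows Mike's outline. Names (NO_FLASH_HOURS, NO_FLASH, OUTBOUND, ACL 151,
! host 10.20.1.100, BVI1 and FastEthernet4) are assumed or taken from the thread;
! the NTP server address and time zone are placeholders.
!
! 1. The blocking window. A time-range ACE is evaluated against the router clock,
!    so keep the clock synced.
ntp server 192.0.2.10
clock timezone EST -5
time-range NO_FLASH_HOURS
 periodic daily 17:00 to 19:30
!
! 2. The ACE is inactive outside the window, so the class gets no hits and
!    the host's traffic falls through to class-default.
access-list 151 permit ip host 10.20.1.100 any time-range NO_FLASH_HOURS
!
! 3. NBAR needs to see both directions of the flow, so enable it on the
!    LAN-facing bridge interface as well as the WAN interface.
interface BVI1
 ip nbar protocol-discovery
interface FastEthernet4
 ip nbar protocol-discovery
!
! 4. match-all: from the host, during the window, AND an HTTP request for flash.
!    With match-any the access-group alone matches and every packet from the host
!    is dropped during the window, which is what the thread observed.
!    The trailing * keeps "player.swf?id=..." style URLs matching.
class-map match-all NO_FLASH
 match access-group 151
 match protocol http url "*.swf*|*.flv*"
!
! 5. Drop the class; keep the rest of the outbound policy as it was.
policy-map OUTBOUND
 class NO_FLASH
  drop
 class class-default
  fair-queue
!
interface FastEthernet4
 service-policy output OUTBOUND
!
! Verify with "show time-range" (is the range active?) and
! "show policy-map interface FastEthernet4" (does NO_FLASH count packets?).
! Caveat: this only catches requests whose URL path carries .swf/.flv; video
! served under randomized names without the extension, or over HTTPS, will not match.
```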
03-10-2009 09:46 AM
Thanks for this Mike! I'm going to try it tonight.
John
03-10-2009 08:48 AM
Hi
The ASA does support time-ranges :
time-range working_hours
periodic weekdays 9:00 to 17:00
access-list limit extended permit ip host x.x.x.x any time-range working_hours
You can also use regexp within a policy-map to search for what you need :-
regex blockex1 "\.flv"
regex blockex2 "\.swf"
class-map type inspect http match-all block-flv
match request uri regex blockex1
match access-list
class-map type inspect http match-all block-swf
match request uri regex blockex2
match access-list
policy-map type inspect http block-url-policy
parameters
class block-flv
drop-connection log
class block-swf
drop-connection log
policy-map global_policy
class inspection_default
inspect http block-url-policy
service-policy global_policy global
03-11-2009 04:31 AM
Okay, so this didn't work the way that I wanted. The embedded videos still play. In the following example, I tried to block javascript because I noticed that java was loading for a certain game site, but that didn't work either:
Class-map: NO_FLASH (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 151
Match: protocol http url "*.js"
drop
class-map match-all NO_FLASH
match access-group 151
match protocol http url "*.js"
access-list 151
10 permit ip host 10.20.1.100 any
policy-map OUTBOUND
class ROKU-OUTBOUND
priority percent 25
class NO_FLASH
drop
class class-default
fair-queue 256
int fa4
service-policy output OUTBOUND
I also tried mime type "video/x-flv" and I could still play videos. I also tried to match on .swf, .flv, and .js (as in the example above). NBAR doesn't have a type that matches flash, so my thought is because http is allowed out, I may not be able to block it using "normal" methods. The URLs are randomized, so I'd have to block the whole site. The problem with that is I don't know how many sites I need to block, and I wanted to just block the filetypes.
Any other ideas?
Thanks!
John
03-11-2009 04:36 AM
Did you enable nbar on the correct interfaces with the interface level command
ip nbar protocol-discovery
03-11-2009 05:12 AM
Yes, and I forgot to paste that information in. Here's a portion of it attached.
Thanks,
John
03-11-2009 05:14 AM
03-11-2009 06:05 AM
Have you applied the ip nbar command on the interface facing your internal network as well.
Other than that your config looks good, is your ACL correct as well as the time on your router ?
03-11-2009 06:10 AM
Also, edit your regexp to include swf by adding a |, i.e.:
match protocol http url *.js|*.swf
03-11-2009 07:02 AM
If I could get any of these to work alone, then this would definitely be the way to go. Problem is that it doesn't work with either of them.
John
03-11-2009 07:03 AM
What about answers to my earlier post
Have you applied the ip nbar command on the interface facing your internal network as well.
Other than that your config looks good, is your ACL correct as well as the time on your router ?
Maybe try removing the ACL to see if that works ?
03-11-2009 07:08 AM
Oh, I'm sorry I didn't see this one.
Actually, no. I don't think nbar is applied to the internal interface. The time is correct. I'll have to apply it and test it later tonight and I'll let you know.
Thanks Adam!
John
03-11-2009 07:26 AM
That will be your problem then as the inspection can not take place, all should be good once you add NBAR to the internal interface.
03-12-2009 06:35 AM
Okay,
I enabled inspection on the bvi and interface do0 (I was connected wirelessly). It still didn't work.
I changed the class-map to "match protocol http mime video/flv" and "application/x-shockwave-flash", and a combination of the two ("application/x-shockwave-flash|video/flv"). This didn't work either.
I also tried the "match protocol http url *.swf|*.flv" to try to match the embedded video. I did forget to try the .js filetype, but the other didn't work.
I removed the match statement to make sure the class-map and policy-map/class/drop statement was working. I couldn't get on the internet at that point, and my policy-map had hits on it. So, I have "class-map match-any NO_FLASH" as my class map, and it definitely works. I also tried changing to "class-map match-all NO_FLASH." The latter will work perfectly once I can figure out why my config isn't working.
Thanks,
John