Help with MPF configuration on ASA

Answered Question
Dec 4th, 2009

Hi All,

I have a simple question regarding the ASA.

I need to block apps.facebook.com/onthefarm for all users in the company.

I don't want to block facebook, but just this site.

I realize I cannot do this with ACLs, but I've tried to implement regular expressions using MPF, following the directions in this document:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml

When I implement the following configuration, all Internet access is blocked!

Configuration:

############################################

access-list global_mpc extended permit tcp any any

regex facebook "onthefarm"

class-map http-class
     match access-list global_mpc

class-map type regex match-any FacebookClass
     match regex facebook

policy-map type inspect http Facebook
     parameters
          protocol-violation action drop-connection
     match request uri regex facebook
          drop-connection log

policy-map global_policy
     class inspection_default
          inspect dns migrated_dns_map_1
          inspect ftp
          inspect h323 h225
          inspect h323 ras
          inspect netbios
          inspect rsh
          inspect rtsp
          inspect skinny
          inspect esmtp
          inspect sqlnet
          inspect sunrpc
          inspect tftp
          inspect xdmcp
     class http-class
          inspect http Facebook

service-policy global_policy global

############################################

I thought that this would block only HTTP traffic matching the regular expression "onthefarm", but obviously I'm doing something wrong, because all Internet traffic gets dropped.

Can somebody point me in the right direction?

Thank you All!

Federico.

Panos Kampanakis Fri, 12/04/2009 - 12:50

Federico,

Your solution is here https://supportforums.cisco.com/docs/DOC-1268#Block_specific_urls

I suggest you use

regex blockex1 "/onthefarm"
regex blockex2 "apps\.facebook\.com"

! match-all: a request is dropped only when both the URI and the Host header match
class-map type inspect http match-all block-url-class
     match request uri regex blockex1
     match request header host regex blockex2

policy-map type inspect http block-url-policy
     parameters
     class block-url-class
          drop-connection log

policy-map global_policy
     class inspection_default
          inspect http block-url-policy

service-policy global_policy global


I think yours would work too if you changed it a little:

! eq 80: only send HTTP to the HTTP inspection engine, not every TCP flow
access-list global_mpc extended permit tcp any any eq 80

regex facebook "onthefarm"

class-map http-class
     match access-list global_mpc

class-map type regex match-any FacebookClass
     match regex facebook

policy-map type inspect http Facebook
     parameters
     match request uri regex facebook
          drop-connection log

policy-map global_policy
     class http-class
          inspect http Facebook

service-policy global_policy global

I hope it helps.

PK

Federico Coto F... Fri, 12/04/2009 - 13:10

Thank you very much, I am going to try it tonight since I don't want to disrupt the traffic during the day anymore ;-)

Just one last question...

I don't understand from the commands how I make sure that all HTTP traffic besides the traffic specified in the class-map is still permitted. I mean, I don't want to block all HTTP traffic again.

Is the behavior of the MPF not like an ACL, where there's a deny any any at the end?

Just a clarification from the commands that you gave me, so that I fully understand...

Thank you very much again and I'll let you know if it worked!

Federico.

Panos Kampanakis Fri, 12/04/2009 - 13:17

What I sent you will only block the HTTP GETs that match your URL. The rest will not match it, so the "drop-connection" is not applied.

If you only want to filter specific hosts use

! In an MPF class-map, permit entries select the hosts that get the URL filter;
! a deny entry exempts that host from the class (here 192.168.1.2 is exempt)
access-list user-acl extended deny tcp host 192.168.1.2 any eq www
access-list user-acl extended permit tcp any any eq www

! match-all: both the URI and the Host header must match; with match-any the
! host regex alone would drop every request to apps.facebook.com
class-map type inspect http match-all block-url-class
     match request uri regex blockex1
     match request header host regex blockex2

class-map block-user-class
     match access-list user-acl

policy-map type inspect http block-url-policy
     parameters
     class block-url-class
          drop-connection

policy-map block-user-url-policy
     class block-user-class
          inspect http block-url-policy

! apply it on the interface facing the users (interface name assumed)
service-policy block-user-url-policy interface inside

where user-acl matches only the hosts that you want filtered when going to the pages.

The rest will be able to go anywhere.

PK
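The two class-map modes used in this thread and Federico's question about an implicit deny, as an added example that is not part of the thread and is not Cisco or ASA code: a small Python model of the decision the ASA makes for one HTTP request. It emulates the user-acl (a permit entry puts a host into the class, a deny entry exempts it), `class-map type inspect http` in both `match-all` and `match-any` mode with the regexes blockex1 and blockex2 from above, and the policy-map, in which only a matching class carries `drop-connection` and everything else is forwarded. The source addresses, hosts and URIs are constructed sample input, and Python's `re` stands in for the ASA regex engine (for these two patterns the unanchored-search behaviour is the same).

```python
"""Model of how ASA MPF decides whether to drop an HTTP request.

Added example for this thread, not ASA code and not Cisco's. It emulates:
  * the ACL behind `class-map block-user-class` (permit selects a host for
    inspection, deny exempts it),
  * `class-map type inspect http match-all|match-any block-url-class` with
    the regexes blockex1 and blockex2,
  * the policy-map: only a matching class carries drop-connection; any other
    request is forwarded, so there is no implicit deny.
"""
import re

# Regexes copied from the thread; re.search mirrors the ASA's unanchored match.
BLOCKEX1 = re.compile(r"/onthefarm")            # regex blockex1 "/onthefarm"
BLOCKEX2 = re.compile(r"apps\.facebook\.com")   # regex blockex2 "apps\.facebook\.com"

# access-list user-acl extended deny   tcp host 192.168.1.2 any eq www
# access-list user-acl extended permit tcp any any eq www
USER_ACL = [("deny", "192.168.1.2"), ("permit", "any")]


def acl_selects(src_ip):
    """First ACE whose source matches decides; deny means 'not in the class'.
    A flow matching no ACE hits the ACL's implicit deny: also not in the class."""
    for action, src in USER_ACL:
        if src == "any" or src == src_ip:
            return action == "permit"
    return False


def url_class_matches(host, uri, mode):
    """Emulate block-url-class: `match request uri regex blockex1` and
    `match request header host regex blockex2`, combined by the class mode."""
    criteria = [BLOCKEX1.search(uri) is not None,
                BLOCKEX2.search(host) is not None]
    if mode == "match-all":
        return all(criteria)
    if mode == "match-any":
        return any(criteria)
    raise ValueError(f"unknown class-map mode {mode!r}")


def policy_action(src_ip, host, uri, mode="match-all"):
    """Action the modelled policy takes for one request from src_ip.

    'not-inspected': the ACL does not put the flow into block-user-class, so
                     HTTP inspection never sees it and it is forwarded.
    'drop-connection': block-url-class matched.
    'permit': inspected, but matched no class; the inspection policy-map has
              no catch-all deny, so the request goes through.
    """
    if not acl_selects(src_ip):
        return "not-inspected"
    if url_class_matches(host, uri, mode):
        return "drop-connection"
    return "permit"


# Constructed sample requests (source IP, Host header, request URI), not captured traffic.
SAMPLE_REQUESTS = [
    ("10.0.0.5",    "apps.facebook.com", "/onthefarm/"),
    ("10.0.0.5",    "apps.facebook.com", "/farmville/"),
    ("10.0.0.5",    "www.facebook.com",  "/home.php"),
    ("10.0.0.5",    "www.example.com",   "/onthefarm/"),
    ("192.168.1.2", "apps.facebook.com", "/onthefarm/"),   # exempted by the deny ACE
]


def evaluate_all(mode):
    """Map 'src host+uri' -> action for every sample request under one class mode."""
    return {f"{ip} {host}{uri}": policy_action(ip, host, uri, mode)
            for ip, host, uri in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for mode in ("match-all", "match-any"):
        print(mode)
        for key, action in evaluate_all(mode).items():
            print(f"  {action:16} {key}")
```

Running it side by side shows the difference that matters here: under `match-all` only `apps.facebook.com/onthefarm/` is dropped and the other Facebook pages are permitted, while under `match-any` the Host regex alone drops `apps.facebook.com/farmville/` and the URI regex alone drops `/onthefarm/` on an unrelated host. The exempted 192.168.1.2 is never inspected in either mode. One practical caveat: the ASA can only evaluate `match request uri` and `match request header host` on cleartext HTTP, so none of this applies to the same URLs over HTTPS.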

Federico Coto F... Fri, 12/11/2009 - 06:35

Hi!

It worked great!

That was what I was looking for... I'm going to read more about Regex...

One thing, can you tell me why my first configuration was blocking all Internet traffic?

Thank you for your help!

Federico.

Correct Answer
Panos Kampanakis Fri, 12/11/2009 - 09:01

Yours was breaking because of

     parameters
          protocol-violation action drop-connection

PK
