Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1748
Views
0
Helpful
5
Replies

Help with MPF configuration on ASA

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎12-04-2009 11:23 AM - edited ‎03-11-2019 09:45 AM

Hi All,

I have a simple question regarding the ASA.

I need to block apps.facebook.com/onthefarm for all users in the company.

I don't want to block facebook, but just this site.

I realize I cannot do this with ACLs, but I've tried to implement Regular Expressions using MPF following the directions on this document:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml

When I implement the following configuration, all Internet access is blocked!

Configuration:

############################################

access-list global_mpc extended permit tcp any any

regex facebook ''onthefarm''

class-map http-class

     match access-list global_mpc

class-map type regex match-any FacebookClass

     match regex facebook

policy-map type inspect http Facebook

     parameters

          protocol-violation action drop-connection

     match request uri regex facebook

          drop connection log

policy-map global_policy

     class_inspection_default

  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
class http-class

     inspect http Facebook

service-policy global-policy global

############################################

I thought that this would block only the regular expression ''onthefarm'' when HTTP traffic, but obviously I'm doing something wrong because all Internet traffic gets dropped.

Can somebody point me out in the right direction?

Thank you All!

Federico.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to Federico Coto Fajardo

‎12-11-2009 09:01 AM

Yours was breaking because of

     parameters

          protocol-violation action drop-connection

PK

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee

‎12-04-2009 12:50 PM

Federico,

Your solution is here https://supportforums.cisco.com/docs/DOC-1268#Block_specific_urls

I suggest you to use


regex blockex1 "/onthefarm"
regex blockex2 "apps\.facebook\.com"

class-map type inspect http match-all block-url-class
match request uri regex blockex1
match request header host regex blockex2

policy-map type inspect http block-url-policy
parameters
class block-url-class
  drop-connection log
policy-map global_policy
class inspection_default
  inspect http block-url-policy

service-policy global_policy global


I think yours would work too if you changed it a little:

access-list global_mpc extended permit tcp any any eq 80

regex facebook "onthefarm"

class-map http-class
     match access-list global_mpc
class-map type regex match-any FacebookClass
     match regex facebook
policy-map type inspect http Facebook
     parameters
     match request uri regex facebook
          drop connection log
policy-map global_policy
class http-class
     inspect http Facebook
service-policy global-policy global

I hope it helps.

PK

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Panos Kampanakis

‎12-04-2009 01:10 PM

Thank you very much, I am going to try it tonight since I don't want to disrupt the traffic during the day anymore ;-)

Just one last question...

I don't understand from the commands, how do I make sure that all HTTP traffic besides the one specified in the class-map is still permitted? I mean, I don't want to block all HTTP traffic again.

The behavior of the MPF is not like an ACL that there's a deny any any at the end?

Just a clarification from the commands that you gave me, so that I fully understand...

Thank you very much again and I'll let you know if it worked!

Federico.

0 Helpful

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to Federico Coto Fajardo

‎12-04-2009 01:17 PM

What is sent you will only block the HTTP GET thas match your url. There rest will not match it to do the "drop connection".

If you only want to filter specific hosts use

access-list user-acl extended deny tcp host 192.168.1.2 any eq www
access-list user-acl extended permit tcp any any eq www


class-map type inspect http match-any block-url-class
 match request uri regex blockex1
 match request header host regex blockex2
class-map block-user-class
 match access-list user-acl

policy-map type inspect http block-url-policy
 parameters
 class block-url-class
  drop-connection
policy-map block-user-url-policy
 class block-user-class
  inspect http block-url-policy

where the user-acl matches only the hosts that you want to be filtered when going to the pages.

The rest will be able to go anywhere.

PK

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Panos Kampanakis

‎12-11-2009 06:35 AM

Hi!

It worked great!

That was what I was looking for... I'm going to read more about Regex...

One thing, can you tell me why my first configuration was blocking all Internet traffic?

Thank you for your help!

Federico.

0 Helpful

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to Federico Coto Fajardo

‎12-11-2009 09:01 AM

Yours was breaking because of

     parameters

          protocol-violation action drop-connection

PK

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card