12-04-2009 11:23 AM - edited 03-11-2019 09:45 AM
Hi All,
I have a simple question regarding the ASA.
I need to block apps.facebook.com/onthefarm for all users in the company.
I don't want to block facebook, but just this site.
I realize I cannot do this with ACLs, but I've tried to implement Regular Expressions using MPF following the directions on this document:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml
When I implement the following configuration, all Internet access is blocked!
Configuration:
############################################
access-list global_mpc extended permit tcp any any
regex facebook "onthefarm"
class-map http-class
 match access-list global_mpc
class-map type regex match-any FacebookClass
 match regex facebook
policy-map type inspect http Facebook
 parameters
  protocol-violation action drop-connection
 match request uri regex facebook
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class http-class
  inspect http Facebook
service-policy global_policy global
############################################
I thought that this would block only HTTP traffic matching the regular expression "onthefarm", but obviously I'm doing something wrong because all Internet traffic gets dropped.
Can somebody point me in the right direction?
Thank you All!
Federico.
12-04-2009 12:50 PM
Federico,
Your solution is here https://supportforums.cisco.com/docs/DOC-1268#Block_specific_urls
I suggest you use
regex blockex1 "/onthefarm"
regex blockex2 "apps\.facebook\.com"
class-map type inspect http match-all block-url-class
 match request uri regex blockex1
 match request header host regex blockex2
policy-map type inspect http block-url-policy
 parameters
 class block-url-class
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect http block-url-policy
service-policy global_policy global
I think yours would work too if you changed it a little:
access-list global_mpc extended permit tcp any any eq 80
regex facebook "onthefarm"
class-map http-class
 match access-list global_mpc
class-map type regex match-any FacebookClass
 match regex facebook
policy-map type inspect http Facebook
 parameters
 match request uri regex facebook
  drop-connection log
policy-map global_policy
 class http-class
  inspect http Facebook
service-policy global_policy global
I hope it helps.
PK
12-04-2009 01:10 PM
Thank you very much, I am going to try it tonight since I don't want to disrupt the traffic during the day anymore ;-)
Just one last question...
I don't understand from the commands, how do I make sure that all HTTP traffic besides the one specified in the class-map is still permitted? I mean, I don't want to block all HTTP traffic again.
The behavior of the MPF is not like an ACL that there's a deny any any at the end?
Just a clarification from the commands that you gave me, so that I fully understand...
Thank you very much again and I'll let you know if it worked!
Federico.
12-04-2009 01:17 PM
What I sent you will only block the HTTP GETs that match your URL. The rest will not match it, so the "drop connection" does not apply to them.
If you only want to filter specific hosts use
access-list user-acl extended deny tcp host 192.168.1.2 any eq www
access-list user-acl extended permit tcp any any eq www
class-map type inspect http match-all block-url-class
 match request uri regex blockex1
 match request header host regex blockex2
class-map block-user-class
 match access-list user-acl
policy-map type inspect http block-url-policy
 parameters
 class block-url-class
  drop-connection
policy-map block-user-url-policy
 class block-user-class
  inspect http block-url-policy
where the user-acl matches only the hosts that you want to be filtered when going to the pages.
The rest will be able to go anywhere.
PK
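To see how the http inspection class-map in PK's answer decides what gets dropped, here is an added Python model; it is not ASA code and not part of this thread. It assumes the ASA applies each regex as an unanchored search against the request URI and the Host header value, and it shows why match-all and match-any differ: with match-any, any request to apps.facebook.com, or any URI containing /onthefarm on any host, would be dropped, not just the farm app.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Regex objects as configured on the ASA in the accepted answer.
# Assumption: ASA regexes are unanchored, i.e. they match anywhere in the field.
REGEX = {
    "blockex1": re.compile(r"/onthefarm"),
    "blockex2": re.compile(r"apps\.facebook\.com"),
}


@dataclass
class HttpClassMap:
    """Model of 'class-map type inspect http match-all|match-any'.
    Each entry is (field, regex name); field is 'uri' or 'host'."""
    mode: str                                   # "match-all" or "match-any"
    matches: List[Tuple[str, str]] = field(default_factory=list)

    def matches_request(self, host: str, uri: str) -> bool:
        results = []
        for fld, name in self.matches:
            subject = uri if fld == "uri" else host
            results.append(REGEX[name].search(subject) is not None)
        # match-all needs every line to hit; match-any needs only one.
        return all(results) if self.mode == "match-all" else any(results)


def parse_request(raw: str) -> Tuple[str, str]:
    """Pull the Host header value and request URI out of a raw HTTP/1.1 request."""
    lines = raw.split("\r\n")
    uri = lines[0].split(" ")[1]
    host = ""
    for line in lines[1:]:
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip()
    return host, uri


def dropped(raw: str, cm: HttpClassMap) -> bool:
    """True if the policy-map action (drop-connection) would fire for this request."""
    host, uri = parse_request(raw)
    return cm.matches_request(host, uri)


MATCH_ALL = HttpClassMap("match-all", [("uri", "blockex1"), ("host", "blockex2")])
MATCH_ANY = HttpClassMap("match-any", [("uri", "blockex1"), ("host", "blockex2")])

# Constructed sample requests (not captured traffic).
FARM = "GET /onthefarm/index.php HTTP/1.1\r\nHost: apps.facebook.com\r\n\r\n"
OTHER_APP = "GET /scrabble/ HTTP/1.1\r\nHost: apps.facebook.com\r\n\r\n"
OTHER_SITE = "GET /onthefarm HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
```

With match-all only FARM is dropped; with match-any OTHER_APP and OTHER_SITE are dropped as well, which is the overblocking to check for before pushing a URL filter to a global policy.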
12-11-2009 06:35 AM
Hi!
It worked great!
That was what I was looking for... I'm going to read more about Regex...
One thing, can you tell me why my first configuration was blocking all Internet traffic?
Thank you for your help!
Federico.
12-11-2009 09:01 AM
Yours was breaking because of
 parameters
  protocol-violation action drop-connection
PK