How to block http://X.X.X.X/login.aspx from being accessed by internet?

Hi,

I have an ASA 5510 (8.0.2), ASDM 6.1 and ASA-SSM-10 6.1. We have a web site located in the DMZ with a public IP address. It is accessible from the Internet via the public IP address. While keeping web site access enabled, I need to block access to http://X.X.X.X/Login.aspx from public IP addresses, i.e., the Internet. We still need to access this link from inside.

1. I tried to create regular expressions with \x.x.x.x AND \X.X.X.\login.aspx

2. I created a regular expression class and allocated these two expressions to the class.

3. Then I created an http class map with Criterion "Request URI" and the Value Regular Expression Class that I have created above (2) for the http inspection policy.

4. Then I created an HTTP Inspect map and added inspection for the http class map that I have created(3) with the action "Reset" and log "Enable".

5. Then I added a new service policy to the outside interface.

6. Match criteria "source and Destination IP..."

7. Source : Any, Destination : X.X.X.X, service: tcp/http and enabled rule

8. At Protocol inspection, checked "HTTP" and clicked on Configuration

9. "Select a HTTP inspect map for the fine control..." and choose the inspection policy created above (3)

Unfortunately, after this config change, we were still able to access http://X.X.X.X/Login.aspx from both inside and outside.

Thanks in advance for any suggestions...

Semih

1 Accepted Solution

Kureli Sankar
Cisco Employee

check this link out:

https://supportforums.cisco.com/docs/DOC-1268#Block_specific_urls

Is this what you configured and it does not work?

-KS

7 Replies

Hi Kusankar,

Yes, I followed that link's instructions for "Block specific URLs", but with the following changes:

1. I used case-insensitive regular expressions to cover login or login.aspx:

! case-insensitive match for /login.aspx; the dot is escaped so it matches a literal "." only
regex login2 "/[Ll][Oo][Gg][Ii][Nn]\.[Aa][Ss][Pp][Xx]"
! broader pattern: matches any request URI containing /login
regex login "/[Ll][Oo][Gg][Ii][Nn]"

2. I did not apply it to the global policy. Since I wanted to block only incoming requests from outside to our DMZ, I applied it to the outside interface and the outside policy.

Now I cannot even access the http://X.X.X.X web site from outside.

Thanks

Semih
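The following is an added illustration, not part of the thread and not Cisco's code: it runs the two regex patterns posted above over a constructed list of request URIs to show what each one would match, and what a "match-any" regex class built from both of them would block. Python's re module stands in for the ASA regex engine here; the only features used (bracket character classes, the unanchored `.`, and the escaped `\.`) behave the same way in both. The sample URIs are made up for the demonstration.

```python
import re

# Constructed sample of request URIs a DMZ web server might see.
# These paths are invented for illustration, not taken from the thread.
SAMPLE_URIS = [
    "/",
    "/Default.aspx",
    "/login.aspx",
    "/Login.aspx",
    "/images/login_button.png",             # contains "/login" but is not the login page
    "/help/loginXaspx",                      # exercises the unescaped dot
    "/account/LOGIN.ASPX?ReturnUrl=%2f",
]

# The two patterns from the reply above, as originally posted (dot unescaped) ...
REGEX_LOGIN2_AS_POSTED = r"/[Ll][Oo][Gg][Ii][Nn].[Aa][Ss][Pp][Xx]"
REGEX_LOGIN_AS_POSTED = r"/[Ll][Oo][Gg][Ii][Nn]"
# ... and the first one with the dot escaped so it only matches a literal ".".
REGEX_LOGIN2_ESCAPED = r"/[Ll][Oo][Gg][Ii][Nn]\.[Aa][Ss][Pp][Xx]"


def matching_uris(pattern, uris=SAMPLE_URIS):
    """Return the URIs that the pattern matches anywhere in the string.

    'match request uri regex' on the ASA is a substring search, which is
    what re.search() does; re.match() would anchor at the start instead.
    """
    compiled = re.compile(pattern)
    return [u for u in uris if compiled.search(u)]


def blocked_by_class(patterns, uris=SAMPLE_URIS):
    """Model a 'class-map type regex match-any': a URI hits the class
    (and gets the configured action, e.g. reset) if ANY regex matches."""
    compiled = [re.compile(p) for p in patterns]
    return [u for u in uris if any(c.search(u) for c in compiled)]


def overblocked(patterns, intended_pattern, uris=SAMPLE_URIS):
    """URIs the regex class would act on that the intended pattern alone
    would not: the collateral damage of a too-broad regex."""
    intended = set(matching_uris(intended_pattern, uris))
    return [u for u in blocked_by_class(patterns, uris) if u not in intended]


if __name__ == "__main__":
    for name, pat in [("login2 as posted", REGEX_LOGIN2_AS_POSTED),
                      ("login2 escaped", REGEX_LOGIN2_ESCAPED),
                      ("login as posted", REGEX_LOGIN_AS_POSTED)]:
        print(f"{name:18} -> {matching_uris(pat)}")
    both = [REGEX_LOGIN2_AS_POSTED, REGEX_LOGIN_AS_POSTED]
    print("class match-any   ->", blocked_by_class(both))
    print("beyond login.aspx ->", overblocked(both, REGEX_LOGIN2_ESCAPED))
```

The broader `login` pattern matches any URI that merely contains `/login`, so every static asset with that substring is reset along with the login page; the escaped form of `login2` is the narrowest of the three.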

Hi Kusankar,

Just an update: it reaches http://X.X.X.X, but extremely slowly. It takes around 5 minutes to load the web site. It also blocks login.aspx. But if I remove the inspection, it loads in 10 seconds.

Thanks

Semih

Do you also have a CSC module?

Any errors on the interfaces? sh int | i errors

Adding HTTP inspection requires packets to arrive in order on the ASA. If you receive a large amount of out-of-order packets then this is going to add latency.

-KS

Hi Kusankar,

No, we do not have CSC.

Actually, after I removed the second regular expression and left only login2 (login.aspx), it started working. Now we can access the web site in normal time and no one can access http://X.X.X.X/login.aspx. There is one thing though: when people try to access http://X.X.X.X/login.aspx, the PC waits for 5-10 minutes before it fails to connect. Is there any way to decrease the time?

Thanks

Semih

You can change the action from "drop-connection" to reset. Then the browser will know right away that it was denied.

I hope it helps.

PK

Thanks everyone for the help.

I have already used Kusankar's link for this. But it started working only after I used one parameter rather than two.

For the delay in rejecting the access, I changed the action to reset rather than drop connection as recommended by pkampana; it did not change anything. Currently, the web site is accessible and /login.aspx is blocked. Therefore I will leave it as is for now.

Thanks again...

Semih
