URL Blocking on ASA5505 w/o 3rd Party Services

Answered Question
Feb 22nd, 2010

Hi,

I would like to block all URLs on the outside network for a specific inside host. Furthermore, I would like to exclude a few outside URLs from the general "all URLs blocked" rule, which shall be accessible by the specific host.

Is it possible with an ASA box? To make it clear again: a specific inside host should only be allowed to access external URLs which are explicitly allowed in the FW. All other traffic to the outside world should be disallowed. All other inside hosts on the network should not be affected by this policy.

Is this possible with an ASA 5505? How to accomplish that?

Thx...Andy

heinzel0302 Wed, 02/24/2010 - 12:03

Thanks, but I am still trying to figure out how to configure it properly. Maybe you can give me a code example for the following:

Inside Net: 192.168.1.0/24

Host 192.168.1.25 shall only be allowed to 2 webpages: www.allowed1.net (and everything below, e.g. www.allowed1.net/page1) & www.allowed2.com. The host shall not be able to access anything else on the internet.

All other Hosts in the Inside Net shall be able to access any webpage on the internet.


Can you give me a code example for this?

That would be great!

Thx...Andy

Correct Answer
Panos Kampanakis Wed, 02/24/2010 - 13:05

It would help if you really read and tried to understand the link I sent you. You would be able to do it no problem.

In any case, here it is:

! Host-header regexes for the sites the restricted host may reach
regex allowex1 "www\.allowed1\.com"
regex allowex2 "www\.allowed2\.net"

! Only HTTP (tcp/80) from the restricted host is handed to the HTTP inspection policy
access-list user-acl extended permit tcp host 192.168.1.2 any eq www

! match-all of two "match not" lines: the Host header matches neither allowed site
class-map type inspect http match-all allow-url-class
 match not request header host regex allowex1
 match not request header host regex allowex2
class-map allow-user-class
 match access-list user-acl

! Drop HTTP connections whose Host header is not on the allow list
policy-map type inspect http allow-url-policy
 parameters
 class allow-url-class
  drop-connection
! Apply that HTTP inspection only to the traffic class selected by user-acl
policy-map allow-user-url-policy
 class allow-user-class
  inspect http allow-url-policy

service-policy allow-user-url-policy interface inside

Rank useful posts.

PK
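A fuller configuration for the case Andy describes (host 192.168.1.25 limited to www.allowed1.net and www.allowed2.com), as an added example that is not part of PK's reply or of Cisco documentation. It assumes the inside interface is named `inside`, that no access-group is already applied to it, that the restricted host's DNS resolver is on the inside network, and ASA 8.x MPF syntax; the ACL and class names are placeholders. It goes beyond the reply in two ways a practitioner would want: the regexes are anchored, because an unanchored `www\.allowed1\.net` also matches a Host header of `www.allowed1.net.attacker.example`, and an interface ACL drops everything else from the host, because the HTTP inspection policy only acts on tcp/80 and cannot read the Host header inside HTTPS, so port 443 and all other traffic from that host must be denied separately.

```cisco
! Added example, not the thread's own config. Assumptions: nameif "inside",
! no existing inside access-group, DNS for 192.168.1.25 is on the inside net.

! Anchored Host-header regexes; an optional ":port" suffix is tolerated.
regex allowex1 "^www\.allowed1\.net(:[0-9]+)?$"
regex allowex2 "^www\.allowed2\.com(:[0-9]+)?$"

! Inside interface ACL (first match wins):
!  1. the restricted host may send HTTP only (HTTPS cannot be inspected, so it is not allowed)
!  2. everything else from that host is denied
!  3. all other inside hosts are unrestricted
access-list inside_in extended permit tcp host 192.168.1.25 any eq www
access-list inside_in extended deny ip host 192.168.1.25 any
access-list inside_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group inside_in in interface inside

! Traffic from the restricted host that goes through HTTP inspection
access-list user-acl extended permit tcp host 192.168.1.25 any eq www

! match-all of two "match not" lines: Host header is neither allowed name
class-map type inspect http match-all allow-url-class
 match not request header host regex allowex1
 match not request header host regex allowex2

class-map allow-user-class
 match access-list user-acl

! Drop (and log) HTTP connections whose Host header is not on the allow list
policy-map type inspect http allow-url-policy
 parameters
 class allow-url-class
  drop-connection log

! Attach the HTTP inspection only to the restricted host's traffic
policy-map allow-user-url-policy
 class allow-user-class
  inspect http allow-url-policy

service-policy allow-user-url-policy interface inside
```

Before applying it, check each regex on the box with `test regex`, for example `test regex www.allowed1.net.attacker.example "^www\.allowed1\.net(:[0-9]+)?$"` should report a failed match while `test regex www.allowed1.net "^www\.allowed1\.net(:[0-9]+)?$"` succeeds. Paths below the allowed host (www.allowed1.net/page1) pass because only the Host header is inspected, which is what the request asked for.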

heinzel0302 Thu, 02/25/2010 - 12:57

Thanks for your efforts. It works, and I think I now know how it works.

best..Andy
