URL Blocking on ASA5505 w/o 3rd Party Services

heinzel0302
Level 1

Hi,

I would like to block all URLs on the outside network for a specific inside host. Furthermore, I would like to exclude a few outside URLs from the general "all URLs blocked" which shall be accessible by the specific host.

Is it possible with an ASA box? To make it clear again: a specific inside host should only be allowed to access external URLs which are explicitly allowed in the FW. All other traffic to the outside world should be disallowed. All other inside hosts on the network should not be affected by this policy.

Is this possible with an ASA 5505? How to accomplish that?

Thx...Andy

Accepted Solution

It would help if you really read and tried to understand the link I sent you. You would be able to do it no problem.

In any case, here it is

! Hostnames the restricted host may reach; ASA regexes are unanchored searches
regex allowex1 "www\.allowed1\.com"
regex allowex2 "www\.allowed2\.net"

! Only HTTP (tcp/80) from the restricted host is handed to the inspection policy
access-list user-acl extended permit tcp host 192.168.1.2 any eq www

! match-all with two "match not" lines: the class matches only when the Host
! header matches neither allowed regex
class-map type inspect http match-all allow-url-class
 match not request header host regex allowex1
 match not request header host regex allowex2
class-map allow-user-class
 match access-list user-acl

! Drop HTTP connections whose Host header is not on the allow list
policy-map type inspect http allow-url-policy
 parameters
 class allow-url-class
  drop-connection
! Apply the HTTP inspection only to the traffic selected by user-acl
policy-map allow-user-url-policy
 class allow-user-class
  inspect http allow-url-policy

service-policy allow-user-url-policy interface inside

Rank useful posts.

PK

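A Python model of the accepted configuration, added here and not taken from the thread or from Cisco: it replays the ACL and the match-all/match-not class-map logic over constructed sample flows, so you can check which connections the policy drops and which it never sees (only tcp/80 from 192.168.1.2 is inspected, so HTTPS and other protocols from that host are not blocked by it). The anchored-regex variant mentioned in the comments is my suggestion, not part of the answer.

```python
import re
from dataclasses import dataclass
from typing import List

# Values taken from the accepted answer in the thread.
ALLOWED_HOST_REGEXES = [r"www\.allowed1\.com", r"www\.allowed2\.net"]
ACL_SRC_HOST = "192.168.1.2"   # access-list user-acl ... host 192.168.1.2
ACL_DST_PORT = 80              # ... any eq www


@dataclass
class Flow:
    """Constructed sample connection from an inside host."""
    src: str
    dst_port: int
    host_header: str = ""  # empty for non-HTTP traffic (e.g. TLS on 443)


def acl_matches(flow: Flow) -> bool:
    """class-map allow-user-class: match access-list user-acl."""
    return flow.src == ACL_SRC_HOST and flow.dst_port == ACL_DST_PORT


def url_class_matches(host: str, regexes: List[str] = ALLOWED_HOST_REGEXES) -> bool:
    """class-map type inspect http match-all allow-url-class.

    Each 'match not ... regex X' is true when X does NOT match the Host
    header; match-all needs every line true, so the class matches (and
    drop-connection fires) only when no allowed pattern matches. ASA
    regexes are unanchored searches, hence re.search; a pattern such as
    ^www\.allowed1\.com$ (suggestion, not in the answer) matches only the
    exact hostname instead of any host containing that string.
    """
    return all(re.search(rx, host) is None for rx in regexes)


def policy_action(flow: Flow) -> str:
    """What service-policy allow-user-url-policy does with one flow."""
    if not acl_matches(flow):
        # Other inside hosts, and 192.168.1.2 on any port but 80 (443 included),
        # never reach the HTTP inspection: this policy does not block them.
        return "not inspected"
    return "drop-connection" if url_class_matches(flow.host_header) else "permit"


if __name__ == "__main__":
    samples = [Flow("192.168.1.2", 80, "www.allowed1.com"),
               Flow("192.168.1.2", 80, "www.example.org"),
               Flow("192.168.1.2", 443), Flow("192.168.1.3", 80, "www.example.org")]
    for f in samples:
        print(f.src, f.dst_port, f.host_header or "-", "->", policy_action(f))
```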

4 Replies

Panos Kampanakis
Cisco Employee

This URL explains exactly what you want to do: http://supportforums.cisco.com/docs/DOC-1268

I hope it helps.

PK

Thanks, but I am still trying to figure out how to configure it properly. Maybe you can give me a code example for the following:


Inside Net: 192.168.1.0/24

Host 192.168.1.25 shall only be allowed to 2 webpages: www.allowed1.net (and everything below, e.g. www.allowed1.net/page1) & www.allowed2.com. The host shall not be able to access anything else on the internet.

All other Hosts in the Inside Net shall be able to access any webpage on the internet.


Can you give me a code example for this?

That would be great!

Thx...Andy


thx for your efforts. It works and I think I now know how it works.

best..Andy
