regexp end of string in Service Policy Rules

Unanswered Question
Jul 15th, 2010

I'm trying to set up a service policy that allows access to only a few websites, but I'm having trouble using regexp to match URLs.
The problem is that end of string ($) does not work on the ASA.

This expression works fine

ASA# test regex www.google.com \.google\.com
INFO: Regular expression match succeeded.

while this one fails.

ASA# test regex www.google.com \.google\.com$
INFO: Regular expression match failed.


According to this page, $ is not a supported metacharacter.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/mpf.html#wp1102436

The problem with the first expression is that it will match any string that contains .google.com including, for example, www.google.com.thisisnotreallygoogle.net

I'm not an expert on regexp. Is there any way to write the second expression so that it will work on the ASA, or any other way to do the matching?

mirober2 Fri, 07/16/2010 - 07:18

Hi Bjorn,

As you noticed, there is currently no effective way to do this with the ASA's regex matching. You would be better off using a more flexible URL blocking/filtering solution, like the CSC-SSM or Websense/Smartfilter.

As a side note, there is an enhancement bug filed (CSCsm89915) to add the "end of string" special character, which would let you accomplish this in the future:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsm89915

Hope that helps.

-Mike
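The difference between the unanchored match from the question and an exact domain check, as an added example that is not part of the original thread and does not run on the ASA. It is Python for a filtering proxy or a log audit; the allow-list, function names and sample inputs are constructed for illustration, and `re.search` is assumed to mirror the match-anywhere behaviour shown in the `test regex` output above.

```python
import re
from urllib.parse import urlsplit

# The unanchored pattern from the question; re.search matches anywhere
# in the string, like the first "test regex" result in the thread.
UNANCHORED = re.compile(r"\.google\.com")

ALLOWED_DOMAINS = {"google.com"}  # constructed allow-list for this example


def unanchored_match(host: str) -> bool:
    """Emulate the substring-style match that cannot use '$'."""
    return UNANCHORED.search(host) is not None


def normalize_host(url_or_host: str) -> str:
    """Return the lower-cased hostname without scheme, port or trailing dot."""
    candidate = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = urlsplit(candidate).hostname or ""
    return host.rstrip(".").lower()


def host_allowed(url_or_host: str, allowed=ALLOWED_DOMAINS) -> bool:
    """True only if the host is an allowed domain or a subdomain of one."""
    host = normalize_host(url_or_host)
    # Comparing against "." + domain enforces a label boundary, so
    # "notgoogle.com" does not pass as "google.com".
    return any(host == d or host.endswith("." + d) for d in allowed)


# Constructed sample inputs; the second is the host named in the question.
SAMPLES = [
    "www.google.com",
    "www.google.com.thisisnotreallygoogle.net",
    "http://WWW.GOOGLE.COM.:80/search",
    "notgoogle.com",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:42} unanchored={unanchored_match(s)!s:5} "
              f"allowed={host_allowed(s)}")
```
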
