05-23-2016 05:40 AM - edited 03-12-2019 12:47 AM
Hi all,
One of our sites has an Ipoque DPI device that failed recently (currently in fail-to-wire).
It would take a while for it to be replaced since it's a remote location,
and we don't have the budget for Websense or IPS (FirePOWER).
I would like to implement URL filtering on the ASA 5525-X while waiting for its RMA.
Below is what I did for testing on an ASA 5505.
If I type "thepiratebay.org" the web session is reset, but when I type www.thepiratebay.org, the session goes through.
Also, while the 3 domains are blocked, ALL domains that are NOT on the blacklist are also being blocked.
I would appreciate it if someone could further advise.
regex Facebook ".facebook.com"
regex Youtube ".youtube.com"
regex PirateBay ".thepiratebay.org"
regex Google ".google.com"
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq https
class-map type regex match-any BlackList
 match regex Facebook
 match regex Youtube
 match regex PirateBay
class-map type regex match-any WhiteList
 match regex Google
class-map type inspect http match-all AllowDomains
 match request header host regex class WhiteList
class-map type inspect http match-all BlockDomains
 match request header host regex class BlackList
class-map httptraffic
 match access-list inside_mpc
policy-map type inspect http HTTP_POLICY
 parameters
  protocol-violation action drop-connection
 class AllowDomains
 class BlockDomains
  drop-connection
policy-map inside-policy
 class httptraffic
  inspect http HTTP_POLICY
service-policy inside-policy interface inside
05-23-2016 08:23 PM
You have to use regular expressions. And it is worse than that: if you type "thePiratebay.org" you will also find it works.
You would need to use something more like:
regex PirateBay ".*\.[tT][hH][eE][pP][iI][rR][aA][tT][eE][bB][aA][yY]\.[oO][rR][gG]"
DNS filtering is sometimes much easier. Just block all DNS lookups for the domain instead. This has the bonus of stopping all protocols trying to use it. Note if the machine has already done a DNS lookup it will be cached. So clear your DNS cache when testing.
Quick example:
regex domain_logmein.com "\.logmein\.com"
class-map type regex match-any DomainBlockList
 description Blocked Domains
 match regex domain_logmein.com
policy-map type inspect dns PM-DNS-inspect
 parameters
  message-length maximum 512
 match domain-name regex class DomainBlockList
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect dns PM-DNS-inspect
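The two points made in this reply (ASA regexes are case-sensitive and unanchored, and an unescaped `.` is a wildcard) can be checked offline before touching the box. The script below is an added example written for this page, not code from the thread; it models the ASA matcher with Python's `re` module (an assumption: the ASA engine, which has no ignore-case option, is not used) and runs the successive versions of the `thepiratebay.org` pattern, the DNS-style `youtube\.com` pattern, and a tightened `(^|\.)...$` form (an editorial suggestion, not from the post) against constructed Host header values and DNS query names. The `case_classes` and `domain_pattern` helpers are also additions.

```python
"""Model of ASA-style regex matching for URL/DNS block lists (added example)."""
import re


# The ASA "regex" command does an unanchored, case-sensitive search and has no
# ignore-case flag.  Python's re module stands in for the ASA engine here
# (an assumption for this example; confirm on the box with "test regex").
def asa_match(pattern: str, text: str) -> bool:
    return re.search(pattern, text) is not None


def case_classes(name: str) -> str:
    r"""Expand 'youtube.com' into ASA-style [yY][oO]...\.[cC][oO][mM]."""
    parts = []
    for ch in name:
        if ch.isalpha():
            parts.append(f"[{ch.lower()}{ch.upper()}]")
        else:
            parts.append(re.escape(ch))   # '.' becomes '\.', '-' stays literal
    return "".join(parts)


def domain_pattern(name: str) -> str:
    r"""Match exactly this domain or a subdomain of it, in any case.

    (^|\.) rejects 'notyoutube.com'; the trailing $ rejects
    'youtube.com.example.net'.  Both are editorial tightenings.
    """
    return r"(^|\.)" + case_classes(name) + "$"


def blocked(patterns, names):
    """Names hit by at least one pattern: 'class-map type regex match-any'."""
    return [n for n in names if any(asa_match(p, n) for p in patterns)]


# Constructed sample Host header values / DNS query names (not captured traffic).
NAMES = [
    "thepiratebay.org", "www.thepiratebay.org", "thePiratebay.org",
    "WWW.THEPIRATEBAY.ORG", "WWW.YOUTUBE.COM", "youtube.com.example.net",
    "notyoutube.com", "www.google.com",
]

# Successive PirateBay patterns from the thread, the DNS-style pattern from
# the accepted answer, and the tightened form suggested here.
UNESCAPED = r".thepiratebay.org"      # first post: unescaped '.' is a wildcard
CLASSES = r".*\.[tT][hH][eE][pP][iI][rR][aA][tT][eE][bB][aA][yY]\.[oO][rR][gG]"
ANCHORED = domain_pattern("thepiratebay.org")
LOOSE_DNS = r"youtube\.com"           # accepted answer: plain substring match
TIGHT_DNS = domain_pattern("youtube.com")

if __name__ == "__main__":
    for label, pat in [("unescaped", UNESCAPED), ("case classes", CLASSES),
                       ("anchored", ANCHORED), ("loose dns", LOOSE_DNS),
                       ("tight dns", TIGHT_DNS)]:
        print(f'{label:13} regex "{pat}"')
        print("   blocks:", blocked([pat], NAMES))
```

Running it shows why the first two patterns let the bare `thepiratebay.org` host through (both require a character, or a literal dot, in front of the name) and why the substring-style DNS pattern also matches `notyoutube.com` and `youtube.com.example.net`.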
05-23-2016 08:37 PM
Hi,
Your suggested regex seemed to work, but ONLY for blocked domains.
The config still blocks other allowed domains. I can access Google but NOT Yahoo even though I explicitly added it to the whitelist. Below is the updated config.
cisco.com also worked even though it's not on the whitelist. I've also tried random sites; some were allowed (e.g. verizon.com) and some were NOT (e.g. att.com).
Any idea?
regex Facebook ".*\.[fF][aA][cC][eE][bB][oO][oO][kK]\.[cC][oO][mM]"
regex Youtube ".*\.[yY][oO][uU][tT][uU][bB][eE]\.[cC][oO][mM]"
regex PirateBay ".*\.[tT][hH][eE][pP][iI][rR][aA][tT][eE][bB][aA][yY]\.[oO][rR][gG]"
regex Google ".*\.[gG][oO][oO][gG][lL][eE]\.[cC][oO][mM]"
regex Yahoo ".*\.[yY][aA][hH][oO][oO]\.[cC][oO][mM]"
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq https
class-map type regex match-any BlackList
 match regex Facebook
 match regex Youtube
 match regex PirateBay
class-map type regex match-any WhiteList
 match regex Google
 match regex Yahoo
class-map type inspect http match-any AllowDomains
 match request uri regex class WhiteList
class-map type inspect http match-any BlockDomains
 match request uri regex class BlackList
class-map httptraffic
 match access-list inside_mpc
policy-map type inspect http HTTP_POLICY
 parameters
  protocol-violation action drop-connection
 class AllowDomains
 class BlockDomains
  drop-connection
policy-map inside-policy
 class httptraffic
  inspect http HTTP_POLICY
service-policy inside-policy interface inside
05-23-2016 08:42 PM
Why do you need to define AllowDomains? Why not just have a BlockDomains and allow everything else?
05-23-2016 09:15 PM
Hi,
I've tried that before, but it blocks 'some' websites.
I tried it again and it's still the same: the config below blocks yahoo.com and att.com.
Can you help take a look and advise?
regex Facebook ".*\.[fF][aA][cC][eE][bB][oO][oO][kK]\.[cC][oO][mM]"
regex Youtube ".*\.[yY][oO][uU][tT][uU][bB][eE]\.[cC][oO][mM]"
regex PirateBay ".*\.[tT][hH][eE][pP][iI][rR][aA][tT][eE][bB][aA][yY]\.[oO][rR][gG]"
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq https
class-map type regex match-any BlackList
 match regex Facebook
 match regex Youtube
 match regex PirateBay
class-map type inspect http match-all BlockDomains    <<< ALSO TRIED match-any
 match request header host regex class BlackList    <<< ALSO TRIED match request uri regex class BlackList
class-map httptraffic
 match access-list inside_mpc
policy-map type inspect http HTTP_POLICY
 parameters
  protocol-violation action drop-connection
 class BlockDomains
  drop-connection
policy-map inside-policy
 class httptraffic
  inspect http HTTP_POLICY
service-policy inside-policy interface inside
05-23-2016 09:28 PM
Last time I did this myself, I used the domain method with DNS inspection.
Example:
regex domain_trademe.co.nz "trademe\.co\.nz"
regex domain_youtube.com "youtube\.com"
regex domain_facebook.com "facebook\.com"
class-map type regex match-any DomainBlockList
 description Blocked Domains
 match regex domain_facebook.com
 match regex domain_trademe.co.nz
 match regex domain_youtube.com
policy-map type inspect dns PM-DNS-inspect
 parameters
  message-length maximum 512
 match domain-name regex class DomainBlockList
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect dns PM-DNS-inspect
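For anyone reusing the DNS-inspection approach from this answer, here is the same policy with the regexes tightened to match only the listed domain and its subdomains, in any case, together with the on-box checks to run before trusting it. This is an added example assembled for this page, not the poster's running config: the regex names, the `(^|\.)...$` anchoring, the `[xX]` classes and the `test regex` / `show` lines are editorial additions.

```cisco
! Added example, not the poster's config. Names are illustrative.
! ASA regexes are case-sensitive and unanchored, so spell out both cases,
! require a start-of-name or a dot in front, and require end-of-name after.
regex domain_facebook.com "(^|\.)[fF][aA][cC][eE][bB][oO][oO][kK]\.[cC][oO][mM]$"
regex domain_youtube.com "(^|\.)[yY][oO][uU][tT][uU][bB][eE]\.[cC][oO][mM]$"
regex domain_thepiratebay.org "(^|\.)[tT][hH][eE][pP][iI][rR][aA][tT][eE][bB][aA][yY]\.[oO][rR][gG]$"
!
class-map type regex match-any DomainBlockList
 description Blocked Domains
 match regex domain_facebook.com
 match regex domain_youtube.com
 match regex domain_thepiratebay.org
!
! Drop and log any DNS query whose name hits the block list. Attached to the
! global policy, so it applies to DNS crossing every interface, not just inside.
policy-map type inspect dns PM-DNS-inspect
 parameters
  message-length maximum 512
 match domain-name regex class DomainBlockList
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect dns PM-DNS-inspect
!
! Checks: prove the regex matches what you expect (and nothing more), then
! watch the inspection counters while a test client resolves the name.
test regex www.youtube.com "(^|\.)[yY][oO][uU][tT][uU][bB][eE]\.[cC][oO][mM]$"
test regex notyoutube.com "(^|\.)[yY][oO][uU][tT][uU][bB][eE]\.[cC][oO][mM]$"
show service-policy inspect dns
```

Two caveats a practitioner should keep in mind. If the HTTP policy from the earlier posts is kept for port 80, take the `eq https` line out of `inside_mpc`: a TLS stream is not valid HTTP, so `inspect http` with `protocol-violation action drop-connection` drops those connections instead of filtering them. And DNS filtering only sees queries that actually cross the ASA in the clear: a client with the answer already cached (as noted above), or one resolving over an encrypted channel the inspector cannot parse, is unaffected.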
05-23-2016 10:17 PM
Hi,
Thanks! Your DNS inspect config works like a charm!