URL Filtering on ASA

johnlloyd_13
Level 9

hi all,

One of our sites has an Ipoque DPI device that failed recently (currently on fail-to-wire).

It would take a while for it to be replaced since it's a remote location.

And we don't have the budget to do Websense or IPS (FirePower).

I would like to implement URL filtering on the ASA 5525-X while waiting for its RMA.

Below is what I did for testing on an ASA 5505.

If I type "thepiratebay.org" the web session is reset, but when I type www.thepiratebay.org, the session goes through.

Also, while the 3 domains are blocked, ALL domains that are NOT on the blacklist are also being blocked.

I would appreciate it if someone could further advise.

regex Facebook ".facebook.com"
regex Youtube ".youtube.com"
regex PirateBay ".thepiratebay.org"
regex Google ".google.com"

access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq https

class-map type regex match-any BlackList
 match regex Facebook
 match regex Youtube
 match regex PirateBay

class-map type regex match-any WhiteList
 match regex Google

class-map type inspect http match-all AllowDomains  
 match request header host regex class WhiteList

class-map type inspect http match-all BlockDomains
 match request header host regex class BlackList

class-map httptraffic
 match access-list inside_mpc

policy-map type inspect http HTTP_POLICY
 parameters
  protocol-violation action drop-connection
 class AllowDomains
 class BlockDomains
  drop-connection

policy-map inside-policy
 class httptraffic
  inspect http HTTP_POLICY

service-policy inside-policy interface inside


Philip D'Ath
VIP Alumni

You have to use regular expressions.  And it is worse than that.  If you type "thePiratebay.org" you will also find it works.

You would need to use something more like:

regex PirateBay ".*\.[tT][hH][eE][pP][iI][rR][aA][tT][eE][bB][aA][yY]\.[oO][rR][gG]"

DNS filtering is sometimes much easier.  Just block all DNS lookups for the domain instead.  This has the bonus of stopping all protocols trying to use it.  Note if the machine has already done a DNS lookup it will be cached.  So clear your DNS cache when testing.

Quick example:

regex domain_logmein.com "\.logmein\.com"

class-map type regex match-any DomainBlockList
 description Blocked Domains
 match regex domain_logmein.com

policy-map type inspect dns PM-DNS-inspect
 parameters
  message-length maximum 512
 match domain-name regex class DomainBlockList
  drop-connection log

policy-map global_policy
 class inspection_default
  inspect dns PM-DNS-inspect
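The reply above makes two points about the Host-header approach: the regex must escape its dots and spell out both cases of each letter. A small pre-deployment check, added here as an example (it is not code from the thread or from Cisco), runs the suggested bracket-class pattern and a hypothetical anchored variant written for this example against constructed Host values. Python's `re` module stands in for the ASA regex engine, so treat the results as an approximation of what the firewall would match; the constants `ANCHORED_PIRATEBAY` and `SAMPLE_HOSTS` are assumptions made for the example.

```python
"""Pre-deployment check of ASA-style Host-header regexes (added example).

Not code from the thread or from Cisco. Python's re module stands in for the
ASA regex engine, so results approximate what the firewall does; the point is
to see, before pushing a class-map, which Host values a pattern catches.
"""
import re

# Pattern as suggested in the reply above (bracket classes for case).
BRACKET_PIRATEBAY = (
    r".*\.[tT][hH][eE][pP][iI][rR][aA][tT][eE][bB][aA][yY]\.[oO][rR][gG]"
)

# Hypothetical variant written for this example: the leading dot is optional
# (so the bare apex domain matches too), the host is anchored at the end
# (so "www.thepiratebay.org.evil.example" is not caught) and an optional
# :port is allowed, since a Host header may carry one.
ANCHORED_PIRATEBAY = (
    r"(^|\.)[tT][hH][eE][pP][iI][rR][aA][tT][eE][bB][aA][yY]"
    r"\.[oO][rR][gG](:[0-9]+)?$"
)

PATTERNS = {"bracket": BRACKET_PIRATEBAY, "anchored": ANCHORED_PIRATEBAY}

# Constructed sample Host header values (not observed traffic).
SAMPLE_HOSTS = [
    "thepiratebay.org",
    "www.thepiratebay.org",
    "thePiratebay.org",
    "WWW.THEPIRATEBAY.ORG",
    "thepiratebay.org:8080",
    "www.thepiratebay.org.evil.example",
    "google.com",
]


def host_matches(pattern, host):
    """True when the regex is found anywhere in the Host value (search semantics)."""
    return re.search(pattern, host) is not None


def evaluate(patterns=PATTERNS, hosts=SAMPLE_HOSTS):
    """Map each pattern name to the list of sample hosts it would block."""
    return {name: [h for h in hosts if host_matches(p, h)]
            for name, p in patterns.items()}


def report(patterns=PATTERNS, hosts=SAMPLE_HOSTS):
    """Print a side-by-side table so differences between patterns are obvious."""
    results = evaluate(patterns, hosts)
    names = list(patterns)
    print("host".ljust(36) + "".join(n.ljust(10) for n in names))
    for h in hosts:
        row = "".join(("BLOCK" if h in results[n] else "pass").ljust(10)
                      for n in names)
        print(h.ljust(36) + row)


if __name__ == "__main__":
    report()
```

The table makes the gap in the bracket pattern visible: because it begins with `.*\.`, the bare apex name `thepiratebay.org` (and the same name with a port) is never matched, while anything that merely contains `.thepiratebay.org` is. Whether the ASA engine accepts the `(^|\.)` and `$` anchors used in the variant should be confirmed on the device before relying on it.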

hi,

Your suggested regex seemed to work, but ONLY for blocked domains.

The config still blocks other allowed domains. I can access google but NOT yahoo even though I explicitly added it to the whitelist. Below is the updated config.

cisco.com also worked even though it's not on the whitelist. I've also tried random sites; some were allowed (e.g. verizon.com) and some were NOT (e.g. att.com).

Any idea?

regex Facebook ".*\.[fF][aA][cC][eE][bB][oO][oO][kK]\.[cC][oO][mM]"
regex Youtube ".*\.[yY][oO][uU][tT][uU][bB][eE]\.[cC][oO][mM]"
regex PirateBay ".*\.[tT][hH][eE][pP][iI][rR][aA][tT][eE][bB][aA][yY]\.[oO][rR][gG]"
regex Google ".*\.[gG][oO][oO][gG][lL][eE]\.[cC][oO][mM]"
regex Yahoo ".*\.[yY][aA][hH][oO][oO]\.[cC][oO][mM]"

access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq https

class-map type regex match-any BlackList
 match regex Facebook
 match regex Youtube
 match regex PirateBay

class-map type regex match-any WhiteList
 match regex Google
 match regex Yahoo

class-map type inspect http match-any AllowDomains  
 match request uri regex class WhiteList

class-map type inspect http match-any BlockDomains
 match request uri regex class BlackList

class-map httptraffic
 match access-list inside_mpc

policy-map type inspect http HTTP_POLICY
 parameters
  protocol-violation action drop-connection
 class AllowDomains
 class BlockDomains
  drop-connection

policy-map inside-policy
 class httptraffic
  inspect http HTTP_POLICY

service-policy inside-policy interface inside

Why do you need to define AllowDomains?  Why not just have a BlockDomains and allow everything else?

hi,

I've tried that before, but it blocks 'some' websites.

I tried it again and it is still the same. The config below blocks yahoo.com and att.com.

Can you help take a look and advise?

regex Facebook ".*\.[fF][aA][cC][eE][bB][oO][oO][kK]\.[cC][oO][mM]"
regex Youtube ".*\.[yY][oO][uU][tT][uU][bB][eE]\.[cC][oO][mM]"
regex PirateBay ".*\.[tT][hH][eE][pP][iI][rR][aA][tT][eE][bB][aA][yY]\.[oO][rR][gG]"

access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq https

class-map type regex match-any BlackList
 match regex Facebook
 match regex Youtube
 match regex PirateBay

class-map type inspect http match-all BlockDomains   <<< ALSO TRIED match-any
 match request header host regex class BlackList   <<< ALSO TRIED match request uri regex class BlackList

class-map httptraffic
 match access-list inside_mpc

policy-map type inspect http HTTP_POLICY
 parameters
  protocol-violation action drop-connection
 class BlockDomains
  drop-connection

policy-map inside-policy
 class httptraffic
  inspect http HTTP_POLICY

service-policy inside-policy interface inside

Last time I did this myself, I used the domain method with DNS inspection.

Example:

regex domain_trademe.co.nz "trademe\.co\.nz"
regex domain_youtube.com "youtube\.com"
regex domain_facebook.com "facebook\.com"

class-map type regex match-any DomainBlockList
 description Blocked Domains
 match regex domain_facebook.com
 match regex domain_trademe.co.nz
 match regex domain_youtube.com

policy-map type inspect dns PM-DNS-inspect
 parameters
  message-length maximum 512
 match domain-name regex class DomainBlockList
  drop-connection log

policy-map global_policy
 class inspection_default
  inspect dns PM-DNS-inspect
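To make concrete what the DNS-inspection policy above asks the ASA to do, here is an added emulation of it (not code from the thread or from Cisco): it enforces the 512-byte message limit, parses the queried name out of a DNS question, and returns the drop-and-log decision when that name matches one of the `DomainBlockList` regexes. The `build_query` helper constructs test packets and is an assumption of this example; the rule names and patterns are the ones from the configuration above.

```python
"""Emulation of the DNS-inspection block list from the thread (added example).

Not code from the thread or from Cisco. It shows what the
`policy-map type inspect dns` above is asking the ASA to do: check the
message length, pull the queried name out of the DNS question, and drop and
log the query when the name matches a regex in DomainBlockList. Parsing is
deliberately limited to the question section of a query.
"""
import re
import struct

# Regex names and patterns exactly as in the configuration above.
DOMAIN_BLOCK_LIST = {
    "domain_trademe.co.nz": r"trademe\.co\.nz",
    "domain_youtube.com": r"youtube\.com",
    "domain_facebook.com": r"facebook\.com",
}
MESSAGE_LENGTH_MAXIMUM = 512  # "message-length maximum 512" in the policy-map


def build_query(qname, txid=0x1234):
    """Construct a minimal standard DNS A query for qname (test input only)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.split("."))
    # Terminating zero label, then QTYPE A (1) and QCLASS IN (1).
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def parse_qname(packet):
    """Return the first question name from a DNS message as dotted text."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are not expected in a question name.
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def inspect_dns(packet):
    """Apply the policy to one DNS message; returns (action, detail)."""
    if len(packet) > MESSAGE_LENGTH_MAXIMUM:
        return ("drop", "message-length maximum %d exceeded" % MESSAGE_LENGTH_MAXIMUM)
    try:
        qname = parse_qname(packet)
    except ValueError as exc:
        return ("drop", "malformed query: %s" % exc)
    # DNS names are case-insensitive. The earlier reply handles case on the
    # ASA with [fF][aA]... bracket classes; this example lowercases the name
    # before matching instead, so the patterns can stay as written above.
    name = qname.lower()
    for rule, pattern in DOMAIN_BLOCK_LIST.items():
        if re.search(pattern, name):
            return ("drop-connection log", "%s matched %s" % (qname, rule))
    return ("allow", qname)


if __name__ == "__main__":
    for q in ("www.youtube.com", "cisco.com", "WWW.FACEBOOK.COM"):
        print(q, "->", inspect_dns(build_query(q)))
```

Note that, like the patterns in the configuration, `youtube\.com` is unanchored, so any name that contains it (for example `youtube.com.example`) is also dropped; that is over-blocking rather than a gap. The earlier reply's point about caching applies equally to this emulation: a client that has already resolved the name sends no new query, so nothing reaches the check until its cache is cleared.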

hi,

Thanks! Your DNS inspect config works like a charm!
