Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5505 configuration

I am new for configuring asa I want that my inside user only do browsing on internet and stop downloading any thing

pls give me step by step configuration for this task I am using asa 5505 and a 1800 series router for internet connectivity and 2960 switch for lan and I install asa between them

Everyone's tags (4)
3 REPLIES

ASA 5505 configuration

Hi Bro

Please paste in here your network diagram, that has IP Addresses/Subnetmasks as well? By the way, are you hosting any Web Servers on the LAN, whereby users from the Internet would need to access it? or is this setup similar to a typical Cybercafe, where by all access are from LAN to the Internet?

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
New Member

ASA 5505 configuration

Hello,

This is my first time doing this (url filtering and attempt to block user from downloading) for learning sake and for my future work with firewalls.

No one is an expert in using a product the first time, instead of asking for answers research it yourself first then post a question when you encounter problem in this way you will learn faster and remember quicker. Anyway...here's my configuration which is not perfect but should work......

First if you have no idea how to start read my blog: http://cyruslab.wordpress.com/2012/08/11/asa5505-8-439-quick-start-to-connect-to-your-internet/ to get your internet running first.

I use regular expression to group the file type exe, zip, tar, pdf, as long as in the url it contains this extension no matter which website the connection will be reset.

Create regex by searching for extension that ends with the ones stated above

regex ext-type1 ".*\.([Ee][Xx][Ee]|[Zz][Ii][Pp]|[Tt][Aa][Rr]|[Pp][Dd][Ff])"

Create regex that matches http headers with content-type application/(everything)

regex content-type "Content-Type"

!There are a lot of application such as application/pdf blah blah blah...the * is a wildcard that matches all.

regex app-header "application/.*"

Create class-map to group ext-types

class-map type regex match-any block-ext

match regex ext-type1

Actually you do not need to create a class-map for this, but using nested class-maps make your configuration more scalable (I say nested because this class-map will be used again within another class-map), next time if you need to add more extensions simply create another regex and match it within block-ext class-maps and your changes would take effect immediately with your new sets of extensions.

Create class-map to group http headers

class-map type inspect http match-all app-header-class

match response header regex content-type regex app-header

When inside host surf the web and request for to download app that matches application/* the response will be captured by the ASA. This configuration captures and groups the response.

Create class-map to group http request

class-map type inspect http match-all block-ext-class

match request uri regex class block-ext

Now this is the nested class-map, remember that i created another class-map known as block-ext? This configuration captures your inside host request and group them if it matches block-ext.

Create access-list and class-map to group http traffic only so that policy can be applied to these traffic.

access-list http-group extended permit tcp any any eq www

access-list http-group extended permit tcp any any eq 8080

class-map http-only

match access-list http-group

These are the interesting traffic which the policy be applied to.

Define http inspection policy

policy-map type inspect http http-inspection-policy

parameters

  protocol-violation action drop-connection log

class app-header-class

  drop-connection log

class block-ext-class

  reset log

These configurations are for policy creation, if http packet is malformed it will be drop and log, if matches the response app-header-class connection is dropped, if matches the request block-ext-class the connection is reset (i.e. user immediate sees page not found on his/her web browser)

Attached the policy into the interesting traffic


policy-map inside-http-policy

class http-only

  inspect http http-inspection-policy

Now the above policy creation will be applied to the interesting traffic.

Apply the policy into the inside interface

service-policy inside-http-policy interface inside

The above policy is not taken into effect until you applied to an interface.







New Member

ASA 5505 configuration

816
Views
0
Helpful
3
Replies
CreatePlease login to create content