
ASA 5505 URL Filtering using URL Filtering Server

Hi Experts ,

I have come across articles mentioning that URL Filtering can be implemented by using ASA 5505 with URL Filtering Servers. But Websense and other Web Filtering Servers are paid ones? Are there any free solutions available? What exactly is N2H2? The reason is I don't want to increase the CPU utilization of ASA by implementing URL filtering within the device. If I have around 30 nodes which connect to the internet via a 2Mbps line through ASA 5505 and if I want to block around say 10 or 15 URLs, will it increase CPU utilization beyond permissible limits? Currently the CPU Utilization is around 10 - 15. Here's the infrastructure setup. Please help

------------------------------------------------------------

Nodes -->Switches-->ASA 5505-->Internet

-------------------------------------------------------------

Many Thanks ,

Anup

Regards, Anup Don't forget to rate if you found this helpful !
1 ACCEPTED SOLUTION

Accepted Solutions

ASA 5505 URL Filtering using URL Filtering Server

Hi Anup,

A simple test can be performed to filter URLs via the ASA configuration only. You can try it for a short period in order to see the increase in CPU utilization; if it's too much then you can remove your modification.

Below is a simple description of the configuration you can implement.

Vincent

1. Implementing White list

! define the URLs to filter
regex UBI-URL1 "yahoo\.com"
regex UBI-URL2 "ubiqube\.com"
! group the URLs in one object
class-map type regex match-any UBI-URL-LIST
 match regex UBI-URL1
 match regex UBI-URL2
! specify the matching traffic to block (any Host header not in the list)
class-map type inspect http match-all UBI-HTTP-MAP
 match not request header host regex class UBI-URL-LIST
! declare the action for matching traffic
policy-map type inspect http UBI-HTTP-INSPECT
 class UBI-HTTP-MAP
  reset log
! apply the inspection
policy-map global_policy
 class inspection_default
  inspect http UBI-HTTP-INSPECT

OR

2. Implementing black list

! define the URLs to filter
regex UBI-URL1 "yahoo\.com"
regex UBI-URL2 "ubiqube\.com"
! group the URLs in one object
class-map type regex match-any UBI-URL-LIST
 match regex UBI-URL1
 match regex UBI-URL2
! specify the matching traffic to block (any Host header in the list)
class-map type inspect http match-all UBI-HTTP-MAP
 match request header host regex class UBI-URL-LIST
! declare the action for matching traffic
policy-map type inspect http UBI-HTTP-INSPECT
 class UBI-HTTP-MAP
  reset log
! apply the inspection
policy-map global_policy
 class inspection_default
  inspect http UBI-HTTP-INSPECT

3. Monitor the result via the logs

URL accessed

07-10-10 08:16:27 5 %ASA-5-304001: 10.10.10.10 Accessed URL 213.30.157.8:/page.php?2

URL Blocked

07-10-10 08:16:52 5 %ASA-5-415008: HTTP - matched Class 22: UBI-HTTP-MAP in policy-map UBI-HTTP-inspect, header matched - Resetting connection from inside:10.10.10.10/1423 to outside: 209.85.135.103/80
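
Added example, not part of the original post: a small Python parser for the two syslog messages quoted above (304001 "Accessed URL" and 415008 reset), tallying allowed requests and policy resets per inside client while the test configuration is running. The function names and the last three sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Patterns follow the two message shapes quoted in the post.
ACCESSED = re.compile(
    r"%ASA-5-304001: (?P<client>\S+) Accessed URL (?P<server>[^:\s]+):(?P<path>\S*)")
BLOCKED = re.compile(
    r"%ASA-5-415008: HTTP - matched Class \d+: (?P<cmap>\S+) in policy-map "
    r"(?P<pmap>[^,\s]+),.*?Resetting connection from "
    r"\w+:\s*(?P<client>[\d.]+)/(?P<sport>\d+) to "
    r"\w+:\s*(?P<server>[\d.]+)/(?P<dport>\d+)")

def parse_line(line):
    """Return ('accessed' | 'blocked', fields), or None for other messages."""
    for kind, pattern in (("accessed", ACCESSED), ("blocked", BLOCKED)):
        m = pattern.search(line)
        if m:
            return kind, m.groupdict()
    return None

def summarize(lines):
    """Tally allowed requests per client and resets per (client, server, class-map)."""
    allowed, blocked = Counter(), Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, f = parsed
        if kind == "accessed":
            allowed[f["client"]] += 1
        else:
            blocked[(f["client"], f["server"], f["cmap"])] += 1
    return allowed, blocked

def resets_per_client(blocked):
    """Collapse the blocked tally to one count per inside client."""
    per_client = Counter()
    for (client, _server, _cmap), n in blocked.items():
        per_client[client] += n
    return per_client

# Lines 1-2 are quoted from the post; lines 3-5 are constructed sample input.
SAMPLE = [
    "07-10-10 08:16:27 5 %ASA-5-304001: 10.10.10.10 Accessed URL 213.30.157.8:/page.php?2",
    "07-10-10 08:16:52 5 %ASA-5-415008: HTTP - matched Class 22: UBI-HTTP-MAP in policy-map UBI-HTTP-inspect, header matched - Resetting connection from inside:10.10.10.10/1423 to outside: 209.85.135.103/80",
    "07-10-10 08:17:05 5 %ASA-5-415008: HTTP - matched Class 22: UBI-HTTP-MAP in policy-map UBI-HTTP-inspect, header matched - Resetting connection from inside:10.10.10.10/1424 to outside: 209.85.135.103/80",
    "07-10-10 08:17:40 5 %ASA-5-415008: HTTP - matched Class 22: UBI-HTTP-MAP in policy-map UBI-HTTP-inspect, header matched - Resetting connection from inside:10.10.10.11/2001 to outside: 192.0.2.80/80",
    "07-10-10 08:18:02 6 %ASA-6-302013: Built outbound TCP connection 101 for outside:192.0.2.80/80 (192.0.2.80/80) to inside:10.10.10.11/2002 (10.10.10.11/2002)",
]
```

A client whose reset count climbs quickly after the white list is applied usually points to a legitimate host missing from the regex list, not to the filter misbehaving.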

4 REPLIES

Re: ASA 5505 URL Filtering using URL Filtering Server

Hi Anup,

I am not an expert in this, but will try to fill in some info for you. N2H2 is Cisco IOS supported URL filtering s/w which sits on a separate server like Websense. Websense works with ASAs. I am not quite sure if N2H2 works with ASA. Please check the link below.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_n2h2.html

As far as free s/w for URL filtering - you may be able to find a couple (google for the same) but personally, I never rely on the free stuff when it comes to firm security.

hth

MS

EDIT: Just read in another posting that both Websense & N2H2 are supported.


ASA 5505 URL Filtering using URL Filtering Server

Hi MS ,

Thank you very much for the information. I think I had better go for configuring URL Filtering inside the ASA itself (sure, keeping an eye on the CPU Utilization!) or a paid URL Filtering Server like Websense or McAfee Smartfilter (http://www.mcafee.com/us/products/smartfilter.aspx) considering firm security.

I also came across another discussion regarding the same where it says you PROBABLY can get the same by configuring a Squid proxy with a Cisco Router via WCCP. (https://supportforums.cisco.com/thread/224575)

Many Thanks,

Anup

Regards, Anup Don't forget to rate if you found this helpful !


ASA 5505 URL Filtering using URL Filtering Server

Hi Vincent,

Thank you very much for the configuration examples. It was indeed very helpful! The CPU utilization is a major concern as I have read many posts which mention that since packet inspection is a CPU intensive operation, it can make the CPU utilization go high. But anyway, considering the amount of traffic and the no. of URLs that need to be blocked, I will do the configuration on the ASA and closely monitor the CPU utilization.

Many Thanks ,

Anup

Regards, Anup Don't forget to rate if you found this helpful !