Cisco Support Community

New Member

ASA URL Filtering with MPF

Hello all,

We have a few VLANs that need to block all web access except for a few approved URLs.  Little diagram never hurt.

URL issue.jpg

Corp users should have full access to everything web.  But the test lab only needs access to just a few (10 or so) URLs.  Here is what I have configured:

regex TL_URL1 "*\.google\.com"
regex TL_URL2 "www\.yahoo\.com"

class-map type inspect http match-all ALLOWED_URL_CMAP
 match not request header host regex TL_URL1
 match not request header host regex TL_URL2

access-list TL_URL_ACL extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list TL_URL_ACL extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list TL_URL_ACL extended permit tcp 192.168.3.0 255.255.255.0 any eq www

class-map TL_USER_CMAP
 match access-list TL_URL_ACL

policy-map type inspect http ALLOWED_URL_PMAP
 parameters
 class ALLOWED_URL_CMAP
  drop-connection

policy-map ALLOWED_TL_URL_PMAP
 class TL_USER_CMAP
  inspect http ALLOWED_URL_PMAP

service-policy ALLOWED_TL_URL_PMAP interface inside

The problem so far is when we apply the map, all web is blocked.  What am I missing?

Thanks for the time and support,

Nick

2 REPLIES
New Member

If I'm reading your Class-Map correctly:

class-map type inspect http match-all ALLOWED_URL_CMAP
 match not request header host regex TL_URL1
 match not request header host regex TL_URL2

You are saying, match if the URL does NOT match TL_URL1, (2, 3, 4, 5, etc...).  The policy-map then states the traffic that matches should be dropped, which is all traffic that doesn't match.

I believe you want to set your class-map to "match-any" and your statements to "match request header host regex TL_URLx".

New Member

Thanks for your reply.  I will try to play with the settings.  But I based my configuration off this link here.
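
An added example (not from the original posts and not Cisco code) that models how the two class-map variants discussed in this thread classify a Host header when the class action is drop-connection. It assumes Python's `re` as a stand-in for the ASA regex engine with unanchored matching, and writes TL_URL1 as `.*\.google\.com` because Python rejects a leading `*`; the sample hosts are constructed.

```python
import re

# Host patterns from the thread. Assumption: the posted TL_URL1 ("*\.google\.com")
# is written as ".*\.google\.com" here, since Python's re rejects a leading "*".
TL_URLS = [r".*\.google\.com", r"www\.yahoo\.com"]

def class_matches(host, statements, mode):
    """Evaluate a modelled inspect-http class-map against one Host header.

    statements: (negate, pattern) pairs, one per 'match [not] ... regex' line.
    mode: 'match-all' (every statement must hold) or 'match-any' (one suffices).
    """
    results = []
    for negate, pattern in statements:
        hit = re.search(pattern, host) is not None  # unanchored (assumption)
        results.append(hit != negate)               # 'match not' inverts the hit
    return all(results) if mode == "match-all" else any(results)

def verdicts(hosts, statements, mode):
    """Map each host to 'drop' or 'pass'; the class action is drop-connection."""
    return {h: "drop" if class_matches(h, statements, mode) else "pass"
            for h in hosts}

# Variant in the original post: match-all with 'match not' on every pattern.
POSTED = ([(True, p) for p in TL_URLS], "match-all")
# Variant suggested in the reply: match-any with positive matches.
SUGGESTED = ([(False, p) for p in TL_URLS], "match-any")

# Constructed sample Host headers, including a bare domain with no subdomain.
SAMPLE_HOSTS = ["mail.google.com", "www.yahoo.com", "www.example.com", "google.com"]

if __name__ == "__main__":
    for name, (stmts, mode) in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, verdicts(SAMPLE_HOSTS, stmts, mode))
```

Under these assumptions the match-all class with `match not` statements drops only hosts outside the list, while the match-any class with positive matches drops the listed hosts. The bare `google.com` host is not covered by the `\.google\.com` pattern, so the first variant drops it as well.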
