Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM

Dear All,

We are having a problem: end users have a lot of spyware/malware and have illegal proxies installed in the LAN.

One idea is to deny HTTPS or "CONNECT"-type HTTP at the "inside" FWSM/ASA to any IP-based URL destination. Since the IP-based URLs are random, maybe a regex could help.

Please advise us how to do it. Thanks.

8 REPLIES

Re: Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM

Hi, could you explain what you mean by an IP-based URL? (Does it mean users typing IP addresses into the browser instead of domain names?)

Re: Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM

Hi Vikram,

Yes, that's what I meant (users typing IP addresses instead of names).

Re: Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM

Hi,

You can try this:

#####################################

regex ipurl "\.[0-255]\.[0-255]\.[0-255]\.[0-255]"
!
class-map type regex match-any domain-list
 match regex ipurl
!
class-map web
 match port tcp eq www
!
policy-map type inspect http URL
 parameters
 match request header host regex class domain-list
  drop-connection
!
policy-map global_policy
 class web
  inspect http URL
!

####################################

But if you are looking to filter HTTPS, you will have to go for an external URL filtering server.

Hoping this is what you are looking for.

-vikram

Re: Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM

Nice...

~~~~~~~~~~~~~~~~~~~~~
!
class-map web
 match port tcp eq www
!
~~~~~~~~~~~~~~~~~~~~~

For this portion, can we replace www with 443?

Re: Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM

It wouldn't work if you replace "www" with "443" because the traffic is encrypted; for this very reason you will have to opt for an external URL filtering server.

I tried it once with 443 and it didn't work. You can give it a shot though.

Vikram

Re: Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM

The regex in my earlier reply is horribly wrong;

I will post a reply as soon as I have an accurate one.

-Vikram

Re: Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM

Hi,

The regex below will match anything but numbers in the Host header (http://<>/index.html, basically the address typed in by the user),

and the code below would drop the HTTP connection as long as there is no a-z or A-Z in the Host header (which is basically only numbers in the Host header).

#########################################

regex ipurl "[a-zA-Z]+"
!
class-map type regex match-any domain-list
 match regex ipurl
!
class-map web
 match port tcp eq www
!
policy-map type inspect http URL
 parameters
 match not request header host regex class domain-list
  drop-connection
!
policy-map global_policy
 class web
  inspect http URL
!

##########################################

I really hope this is helpful to you.

-Vikram
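To make the two Host-header rules in this thread concrete, here is an added Python model of them; it is not from the thread and not Cisco's code. It assumes that the ASA/FWSM regex engine agrees with Python's `re` for the simple constructs used (bracket classes, `+`, `{m,n}`, groups, escaped dots), models `class-map type regex match-any` as an unanchored search over the raw Host header value (port included), and adds a hypothetical dotted-quad pattern (`DOTTED_QUAD_REGEX`, not tested on an ASA) for comparison. The sample Host values are constructed, not captured traffic.

```python
import re
from typing import Optional

# Regexes as posted in the thread. Assumption (mine): for these simple
# constructs Python's re and the ASA/FWSM regex engine agree.
FIRST_REGEX = r"\.[0-255]\.[0-255]\.[0-255]\.[0-255]"  # first post, later withdrawn
LETTERS_REGEX = r"[a-zA-Z]+"                            # corrected post

# Hypothetical stricter pattern for a dotted-quad literal, added for
# comparison; it is not from the thread and has not been tested on an ASA.
DOTTED_QUAD_REGEX = r"[0-9]{1,3}(\.[0-9]{1,3}){3}"


def regex_class_matches(host_value: str, pattern: str) -> bool:
    """Model 'class-map type regex match-any' with one 'match regex':
    an unanchored search over the Host header value."""
    return re.search(pattern, host_value) is not None


def dropped_by_first_policy(host_value: str) -> bool:
    """'match request header host regex class' + 'drop-connection'."""
    return regex_class_matches(host_value, FIRST_REGEX)


def dropped_by_corrected_policy(host_value: str) -> bool:
    """'match not request header host regex class' + 'drop-connection':
    the connection is dropped when the Host value contains no letter."""
    return not regex_class_matches(host_value, LETTERS_REGEX)


def dropped_by_dotted_quad_policy(host_value: str) -> bool:
    """Hypothetical 'match request header host regex class' using DOTTED_QUAD_REGEX."""
    return regex_class_matches(host_value, DOTTED_QUAD_REGEX)


def host_header(raw_request: bytes) -> Optional[str]:
    """Pull the Host header value out of a raw HTTP/1.x request, or None if absent."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def evaluate(raw_request: bytes) -> dict:
    """Return which of the three policies would drop this request."""
    host = host_header(raw_request)
    if host is None:
        # The thread does not say what 'match not ... host' does when there is
        # no Host header at all, so this model does not decide that case.
        return {"host": None, "first": None, "corrected": None, "dotted_quad": None}
    return {
        "host": host,
        "first": dropped_by_first_policy(host),
        "corrected": dropped_by_corrected_policy(host),
        "dotted_quad": dropped_by_dotted_quad_policy(host),
    }


def request_for(host: str) -> bytes:
    """Build a constructed sample GET request for the given Host value."""
    return f"GET /index.html HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


# Constructed sample Host values, not captured traffic.
SAMPLE_HOSTS = [
    "www.example.com",   # ordinary hostname
    "1e100.net",         # hostname that mixes digits and letters
    "10.1.2.3",          # dotted-quad literal
    "192.168.10.20",     # dotted-quad literal with multi-digit octets
    "10.1.2.3:8080",     # literal with explicit port
    "[2001:db8::1]",     # IPv6 literal; its hex digits count as letters
]

if __name__ == "__main__":
    print(f"{'Host':22} first  corrected  dotted_quad")
    for h in SAMPLE_HOSTS:
        r = evaluate(request_for(h))
        print(f"{h:22} {str(r['first']):6} {str(r['corrected']):10} {r['dotted_quad']}")
    print(evaluate(b"GET / HTTP/1.0\r\n\r\n"))
```

Running it shows why the first regex was withdrawn (`[0-255]` is a character class for the digits 0, 1, 2 and 5, and the pattern needs four dot-plus-one-character pairs, so `10.1.2.3` never matches it) and a caveat on the corrected rule: it drops only Host values that contain no letters at all, so `10.1.2.3:8080` is dropped but an IPv6 literal such as `[2001:db8::1]` passes because its hex digits count as letters. Whether the ASA drops a request that carries no Host header at all is not covered by the thread, so the model leaves that case undecided.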

Re: Deny HTTPS "CONNECT" to ip-base url @ ASA/FWSM

Hi,

thanks for the info. I appreciate the help that I received.

Anyway, the real problem is due to this software, which can bypass content filtering and firewall configuration: http://www.ultrareach.net/

On the content filtering server, we have managed it by applying a deny "CONNECT" regex on IP-address URLs. So I was thinking whether there is any way we can eliminate it on the FWSM in case the LAN does not have content filtering servers.

I will check in the near future as I don't have any spare ASA for now, and I will respond with any update later. Thank you.
