Help with MPF configuration on ASA

Hi All,

I have a simple question regarding the ASA.

I need to block apps.facebook.com/onthefarm for all users in the company.

I don't want to block facebook, but just this site.

I realize I cannot do this with ACLs, but I've tried to implement Regular Expressions using MPF following the directions on this document:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml

When I implement the following configuration, all Internet access is blocked!

Configuration:

############################################

access-list global_mpc extended permit tcp any any

regex facebook "onthefarm"

class-map http-class
 match access-list global_mpc

class-map type regex match-any FacebookClass
 match regex facebook

policy-map type inspect http Facebook
 parameters
  protocol-violation action drop-connection
 match request uri regex facebook
  drop-connection log

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class http-class
  inspect http Facebook

service-policy global_policy global

############################################

I thought this would block only HTTP traffic matching the regular expression "onthefarm", but obviously I'm doing something wrong because all Internet traffic gets dropped.

Can somebody point me in the right direction?

Thank you All!

Federico.

Cisco Employee

Re: Help with MPF configuration on ASA

Federico,

Your solution is here https://supportforums.cisco.com/docs/DOC-1268#Block_specific_urls

I suggest you use

regex blockex1 "/onthefarm"
regex blockex2 "apps\.facebook\.com"

class-map type inspect http match-all block-url-class
 match request uri regex blockex1
 match request header host regex blockex2

policy-map type inspect http block-url-policy
 parameters
 class block-url-class
  drop-connection log

policy-map global_policy
 class inspection_default
  inspect http block-url-policy

service-policy global_policy global


I think yours would work too if you changed it a little:

access-list global_mpc extended permit tcp any any eq 80

regex facebook "onthefarm"

class-map http-class
 match access-list global_mpc

class-map type regex match-any FacebookClass
 match regex facebook

policy-map type inspect http Facebook
 parameters
 match request uri regex facebook
  drop-connection log

policy-map global_policy
 class http-class
  inspect http Facebook

service-policy global_policy global

I hope it helps.

PK

Re: Help with MPF configuration on ASA

Thank you very much, I am going to try it tonight since I don't want to disrupt the traffic during the day anymore ;-)

Just one last question...

I don't understand from the commands how to make sure that all HTTP traffic besides the traffic specified in the class-map is still permitted. I mean, I don't want to block all HTTP traffic again.

Is the behavior of MPF not like an ACL, where there's a deny any any at the end?

Just a clarification from the commands that you gave me, so that I fully understand...

Thank you very much again and I'll let you know if it worked!

Federico.

Cisco Employee

Re: Help with MPF configuration on ASA

What I sent you will only block the HTTP GETs that match your URL. The rest will not match it, so the "drop-connection" is never applied to them.

If you only want to filter specific hosts use

access-list user-acl extended deny tcp host 192.168.1.2 any eq www
access-list user-acl extended permit tcp any any eq www


class-map type inspect http match-any block-url-class
 match request uri regex blockex1
 match request header host regex blockex2

class-map block-user-class
 match access-list user-acl

policy-map type inspect http block-url-policy
 parameters
 class block-url-class
  drop-connection

policy-map block-user-url-policy
 class block-user-class
  inspect http block-url-policy

where the user-acl matches only the hosts that you want to be filtered when going to the pages.

The rest will be able to go anywhere.

PK
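As an added illustration (a Python model, not ASA code and not part of this thread), here is the matching logic behind the two http inspect class-maps PK gives: the match-all version in the first reply and the match-any version in the reply above. It models ASA regex matches as unanchored substring searches over constructed requests; the function and sample names are mine.

```python
import re

# Constructed sample HTTP requests as (Host header, request URI); not taken from the thread.
SAMPLE_REQUESTS = [
    ("apps.facebook.com", "/onthefarm/?ref=bookmarks"),   # the app Federico wants blocked
    ("www.facebook.com", "/home.php"),                    # ordinary Facebook page
    ("apps.facebook.com", "/someothergame/"),             # a different app on the same host
    ("example.com", "/blog/onthefarm-review"),            # same path fragment, unrelated site
    ("appsXfacebookYcom", "/"),                           # shows why the dots are escaped
]

# regex blockex1 "/onthefarm"  and  regex blockex2 "apps\.facebook\.com"
BLOCKEX1 = re.compile(r"/onthefarm")
BLOCKEX2 = re.compile(r"apps\.facebook\.com")
# What an unescaped pattern would match: '.' stands for any character.
BLOCKEX2_UNESCAPED = re.compile(r"apps.facebook.com")


def class_map_matches(host, uri, mode):
    """Model 'class-map type inspect http match-all|match-any' with
    'match request uri regex blockex1' and 'match request header host regex blockex2'.
    ASA regex matching is an unanchored search, so re.search() is the right analogue."""
    uri_hit = BLOCKEX1.search(uri) is not None
    host_hit = BLOCKEX2.search(host) is not None
    if mode == "match-all":
        return uri_hit and host_hit      # both criteria must match one request
    if mode == "match-any":
        return uri_hit or host_hit       # either criterion is enough
    raise ValueError("unknown class-map mode: %s" % mode)


def dropped_requests(requests, mode):
    """Return the (host, uri) pairs that the drop-connection action would hit."""
    return [(h, u) for h, u in requests if class_map_matches(h, u, mode)]


def host_pattern_hits(host):
    """Compare the escaped host regex with its unescaped form on one Host header."""
    return {
        "escaped": BLOCKEX2.search(host) is not None,
        "unescaped": BLOCKEX2_UNESCAPED.search(host) is not None,
    }


if __name__ == "__main__":
    for mode in ("match-all", "match-any"):
        print(mode, dropped_requests(SAMPLE_REQUESTS, mode))
    print(host_pattern_hits("appsXfacebookYcom"))
```

With match-all only the onthefarm request on apps.facebook.com is dropped; with match-any every app on apps.facebook.com and every site with "/onthefarm" in its path is dropped as well.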

Re: Help with MPF configuration on ASA

Hi!

It worked great!

That was what I was looking for... I'm going to read more about Regex...

One thing, can you tell me why my first configuration was blocking all Internet traffic?

Thank you for your help!

Federico.

Cisco Employee

Re: Help with MPF configuration on ASA

Yours was breaking because of

 parameters
  protocol-violation action drop-connection

PK
