How to block http://X.X.X.X/login.aspx from being accessed by internet?

Hi,

I have ASA 5510 (8.0.2), ASDM 6.1 and ASA-SSM-10 6.1. We have a web site located at DMZ with a Public IP address. It is accessible from Internet via the public IP address. While keeping web site access enabled, I need to block access to http://X.X.X.X/Login.aspx from Public IP addresses, i.e., Internet. We still need to access this link from inside.

1. I tried to create regular expressions with \x.x.x.x AND \X.X.X.\login.aspx

2. I created a regular expression class and allocated these two expressions to the class.

3. Then I created an http class map with Criterion "Request URI" and the Value Regular Expression Class that I have created above (2) for http inspection policy.

4. Then I created an HTTP Inspect map and added inspection for the http class map that I have created (3) with the action "Reset" and log "Enable".

5. Then I added a new service policy to outside interface.

6. Match criteria "source and Destination IP..."

7. Source : Any, Destination : X.X.X.X, service: tcp/http and enabled rule

8. At Protocol inspection, checked "HTTP" and clicked on Configuration

9. "Select a HTTP inspect map for the fine control..." and choose the inspection policy created above (3)

Unfortunately, after this config change, we were still able to access http://X.X.X.X/Login.aspx from both inside and outside.

Thanks in advance for any suggestions...

Semih

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: How to block http://X.X.X.X/login.aspx from being accessed b

Check this link out:

https://supportforums.cisco.com/docs/DOC-1268#Block_specific_urls

Is this what you configured and it does not work?

-KS

7 REPLIES
Re: How to block http://X.X.X.X/login.aspx from being accessed b

Hi Kusankar,

Yes, I followed that link's instructions for "Block specific uris". But with the following changes:

1. I used case insensitive regular expressions to cover login or login.aspx:

regex login2 "/[Ll][Oo][Gg][Ii][Nn].[Aa][Ss][Pp][Xx]"
regex login "/[Ll][Oo][Gg][Ii][Nn]"

2. I did not apply it to Global policy. Since I wanted to block only incoming requests from outside to our dmz, I applied it to outside interface and outside policy.

Now I cannot even access the http://X.X.X.X web site from outside.

Thanks

Semih

Re: How to block http://X.X.X.X/login.aspx from being accessed b

Hi Kusankar,

Just an update, it reached http://X.X.X.X but extremely slowly. It takes around 5 minutes to load the web site. It also blocks login.aspx. But if I remove the inspection, it loads in 10 seconds.

Thanks

Semih

Cisco Employee

Re: How to block http://X.X.X.X/login.aspx from being accessed b

Do you also have a CSC module?

Any errors on the interfaces? sh int | i errors

Adding http inspection requires packets to arrive in order on the ASA. If you receive a large amount of out-of-order packets then this is going to add latency.

-KS

Re: How to block http://X.X.X.X/login.aspx from being accessed b

Hi Kusankar,

No, we do not have CSC.

Actually, after I removed the second regular expression and left only login2 (login.aspx), it started working. Now, we can access the web site at normal time and no one can access http://X.X.X.X/login.aspx. There is one thing though, when people try to access http://X.X.X.X/login.aspx the pc waits for 5-10 minutes before it fails to connect. Is there any way to decrease the time?

Thanks

Semih

Cisco Employee

Re: How to block http://X.X.X.X/login.aspx from being accessed b

You can change the action from "drop-connection" to reset. Then the browser will know right away that he was denied.

I hope it helps.

PK

Re: How to block http://X.X.X.X/login.aspx from being accessed b

Thanks everyone for the help.

I have already used Kusankar's link for this. But it started working only after I used one parameter rather than 2.

For the delay in rejecting the access, I changed the action to reset rather than drop connection as recommended by pkampana; it did not change anything. Currently, web site is accessible and /login.aspx is blocked. Therefore I will leave it as is for now.

Thanks again...

Semih
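
The setup the thread ends up with (one URI regex, action reset, policy on the outside interface only), written out as ASA CLI. This is an added example, not configuration from any poster's device or from the linked document; the class-map, policy-map and access-list names are assumptions, and X.X.X.X is the thread's own placeholder.

```cisco
! Added example. Object names are assumptions; X.X.X.X is the thread's placeholder.
! Single case-insensitive pattern for /login.aspx. The dot is escaped here so it
! matches only a literal "." (the regex posted in the thread leaves it unescaped).
regex login2 "/[Ll][Oo][Gg][Ii][Nn]\.[Aa][Ss][Pp][Xx]"
!
! HTTP inspection class: match on the request URI only.
class-map type inspect http match-all BLOCK-LOGIN-URI
 match request uri regex login2
!
! HTTP inspect map: reset and log matching requests; other requests pass.
policy-map type inspect http BLOCK-LOGIN-MAP
 class BLOCK-LOGIN-URI
  reset log
!
! Layer 3/4 class: HTTP from any source to the DMZ web server.
access-list OUTSIDE-HTTP extended permit tcp any host X.X.X.X eq www
class-map OUTSIDE-HTTP-CLASS
 match access-list OUTSIDE-HTTP
!
policy-map OUTSIDE-POLICY
 class OUTSIDE-HTTP-CLASS
  inspect http BLOCK-LOGIN-MAP
!
! Bound to the outside interface only, so requests arriving from inside
! are not inspected by this policy.
service-policy OUTSIDE-POLICY interface outside
!
! Check hit counters after a test request from outside:
! show service-policy interface outside
```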
