
PIX515 URL filtering doesn't work

Dear colleagues,

I have one outside interface with global IP address 1.1.1.1 and two inside.

Both inside interfaces restrict and non_restrict have private IP addresses.

I tried to filter some URLs on PIX515 IOS 7.2, only on the restrict interface, but my filter does not work.

I can access a prohibited URL from the restrict interface.

Could you tell me what's wrong in my URL filtering?

Here is my config:

PIX Version 7.2(2)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
interface Ethernet1
 nameif restrict
 security-level 50
 ip address 192.168.2.1 255.255.255.128
!
interface Ethernet2
 nameif non_restrict
 security-level 100
 ip address 192.168.2.129 255.255.255.192
!
passwd 2KFQnbNIdI.2KYOU encrypted
regex domainlist1 "\.facebook\.com"
regex domainlist2 "\.twitter\.com"
regex domainlist3 "\.youtube\.com"
ftp mode passive
access-list inside_mpc extended permit tcp any any eq www
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (restrict) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex domainlist3
class-map inspection_default
 match default-inspection-traffic
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
class-map httptraffic
 match access-list inside_mpc
!
!
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection log
 class BlockDomainsClass
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface restrict
!
end

1 REPLY

PIX515 URL filtering doesn't work

Hi,

Can you try inspecting http?

Regards.

Alain

Don't forget to rate helpful posts.
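
A consistency check for a configuration like the one posted in this thread, as an added example that is not part of either post and is not Cisco tooling. It reports interface names used by nat, global or service-policy that no nameif defines, and classes in an inspect-type policy-map with no action line after them; the function name, the parsing rules and the ACTIONS list are assumptions of this sketch.

```python
import re

# Excerpt of the configuration posted in the question above.
SAMPLE = """
interface Ethernet0
 nameif outside
interface Ethernet1
 nameif restrict
interface Ethernet2
 nameif non_restrict
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (restrict) 1 0.0.0.0 0.0.0.0
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection log
 class BlockDomainsClass
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
service-policy global_policy global
service-policy inside-policy interface restrict
"""

# Action keywords this sketch accepts under a class of an inspect-type
# policy-map (assumed list, not exhaustive).
ACTIONS = ("drop-connection", "reset", "log")

def lint(config):
    """Return a list of findings for PIX/ASA 7.x style configuration text."""
    lines = [l.strip() for l in config.splitlines()]
    lines = [l for l in lines if l and l != "!"]
    defined = {l.split()[1] for l in lines if l.startswith("nameif ")}
    findings, in_inspect_pmap = [], False
    for i, line in enumerate(lines):
        # Interface names referenced by nat/global/service-policy statements.
        m = (re.match(r"(?:nat|global) \((\S+)\)", line)
             or re.match(r"service-policy \S+ interface (\S+)", line))
        if m and m.group(1) not in defined:
            findings.append(f"undefined interface '{m.group(1)}': {line}")
        if line.startswith("policy-map "):
            in_inspect_pmap = line.startswith("policy-map type inspect ")
        elif in_inspect_pmap and line.startswith("class "):
            # The line after the class should be its action.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if not nxt.startswith(ACTIONS):
                findings.append(f"no action after '{line}' in inspect policy-map")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```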