Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Problem with http inspection policy

Hi,

I'm using ASA5585 with Software Version 8.4(2) and Device Manager Version 6.4(5)

I'm having difficulties configure http inspection policy on this ASA.

My firewall mode is transparent.

My main goal here is to drop connection from user originating from interface test-inside to access outside porn website(ex: http://xvideos.com , porntube.com, etc.)

I already configure the ASA as shown below, but this ASA still didn't block the connection and the user from test-inside still can access the porn site.

Here is the log when the user from test-inside access the porn sites.

And, below is my config in ASA :

access-list inside_mpc extended permit tcp any any eq www

regex xvideos ".*xvideos.*"

regex porn-sites ".*[Pp][Oo][Rr][Nn].*"

regex xxx-sites ".*[Xx][Xx][Xx].*"

class-map httptraffic

match access-list inside_mpc

class-map type regex match-any block-sites

match regex xxx-sites

match regex xvideos

match regex porn-sites

class-map type inspect http match-all BlockURLsClass

match request uri regex class block-sites

!

!

policy-map type inspect http http_inspection_policy

parameters

  protocol-violation action drop-connection log

match request method connect

class BlockURLsClass

  reset log

policy-map inside-policy

class httptraffic

  inspect http http_inspection_policy

service-policy inside-policy interface test-inside

Please help.

Regards,

Handaya

1 REPLY
Cisco Employee

Problem with http inspection policy

Hi Handaya,

Please see this document for a config example on how to do this:

https://supportforums.cisco.com/docs/DOC-1268#Block_specific_urls

-Mike

756
Views
0
Helpful
1
Replies
CreatePlease to create content