Cisco Support Community
How to configure the Cisco ASA to restrict application downloads and block access to particular domains

Resolution

Restrict access to selected domains with the HTTP Content Filtering feature available in Cisco Adaptive Security Appliance (ASA) software version 7.2.x.

This example shows how to configure the HTTP Content Filtering feature.

Note: This example blocks on the request Host header (domainlist), on the /dir/file part of the request URI (urllist), or on a server response whose Content-Type header identifies the body as an application.

Hostname(config)#access-list httptraffic_acl extended permit tcp any any eq www
Hostname(config)#access-list httptraffic_acl extended permit tcp any any eq https
!--- Add proxy ports if you allow connections out on these ports.
Hostname(config)#access-list httptraffic_acl extended permit tcp any any eq 8080

Refer to the Adding an Extended Access List section of Identifying Traffic with Access Lists for more information.

!--- The maximum number of regular expressions per context is 2048.
!--- Each regex is limited to 101 characters.
Hostname(config)#regex domainlist1 "yahoo.com"
Hostname(config)#regex domainlist2 ".*yahoo7.com.au.*"
!--- Regexes to block requests whose URI contains one of these file extensions.
Hostname(config)#regex urllist1 ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt])"
Hostname(config)#regex urllist2 ".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh])"
Hostname(config)#regex urllist3 ".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|[Pp][Pp][Tt])"
Hostname(config)#regex urllist4 ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz])"
!--- Regexes to match a server response whose Content-Type header names an application.
Hostname(config)#regex applicationheader "application/.*"
Hostname(config)#regex contenttype "Content-Type"

!--- Layer 3/4 class that selects the HTTP traffic to inspect.
Hostname(config)#class-map httptraffic
Hostname(config-cmap)#match access-list httptraffic_acl

!--- Regex classes that group the URI and Host patterns.
Hostname(config)#class-map type regex match-any URLBlock_List
Hostname(config-cmap)#match regex urllist1
Hostname(config-cmap)#match regex urllist2
Hostname(config-cmap)#match regex urllist3
Hostname(config-cmap)#match regex urllist4
Hostname(config)#class-map type regex match-any DomainBlock_List
Hostname(config-cmap)#match regex domainlist1
Hostname(config-cmap)#match regex domainlist2

!--- HTTP inspection classes that apply the regexes to the response header, the request URI and the request Host header.
Hostname(config)#class-map type inspect http match-all AppHeader_Class
Hostname(config-cmap)#match response header regex contenttype regex applicationheader
Hostname(config)#class-map type inspect http match-all BlockURL_Class
Hostname(config-cmap)#match request uri regex class URLBlock_List
Hostname(config)#class-map type inspect http match-all BlockDomain_Class
Hostname(config-cmap)#match request header host regex class DomainBlock_List

Hostname(config)#policy-map type inspect http http_inspection_policy
!--- Stop proxy tunneling on monitored ports.
Hostname(config-pmap)#match request method connect
Hostname(config-pmap-c)#drop-connection log
!--- The reset action is available in version 7.2.1 and later; on earlier releases use drop-connection log instead.
Hostname(config-pmap)#class AppHeader_Class
Hostname(config-pmap-c)#reset log
Hostname(config-pmap)#class BlockURL_Class
Hostname(config-pmap-c)#reset log
Hostname(config-pmap)#class BlockDomain_Class
Hostname(config-pmap-c)#reset log

!--- Apply to either the global policy or a specific inside_policy.
Hostname(config)#policy-map inside_policy
Hostname(config-pmap)#class httptraffic
Hostname(config-pmap-c)#inspect http http_inspection_policy
Hostname(config)#service-policy inside_policy interface inside
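Before deploying the regexes above it helps to see what they actually match, so here is an added Python example (not from the original document or from Cisco) that runs the domainlist and urllist patterns over constructed Host headers and URIs, next to tightened variants that are my own suggestion. It assumes that, for these simple patterns, the ASA regex engine behaves like Python's re.search.

```python
import re

# Regexes as written in the ASA configuration above. Assumption: for these
# simple patterns the ASA regex engine behaves like Python's re.search, an
# unanchored search, which is also how the ASA matches a header or URI.
DOMAIN_REGEXES = {
    "domainlist1": r"yahoo.com",
    "domainlist2": r".*yahoo7.com.au.*",
}
EXT_GROUPS = {
    "urllist1": "[Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]",
    "urllist2": "[Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]",
    "urllist3": "[Dd][Oo][Cc]|[Xx][Ll][Ss]|[Pp][Pp][Tt]",
    "urllist4": "[Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]",
}
URL_REGEXES = {n: rf".*\.({g})" for n, g in EXT_GROUPS.items()}

# Tightened alternatives (hypothetical, not from the page): an unescaped '.'
# matches any character and the page's patterns are unanchored, so they also
# fire on hosts and URIs that merely contain the string somewhere. These
# escape the dot, pin the domain to the end of the Host header (optional
# port) and only accept the extension at the end of the path or before '?'.
TIGHT_DOMAIN_REGEXES = {
    "domainlist1": r"(^|\.)yahoo\.com(:[0-9]+)?$",
    "domainlist2": r"(^|\.)yahoo7\.com\.au(:[0-9]+)?$",
}
TIGHT_URL_REGEXES = {n: rf"\.({g})(\?|$)" for n, g in EXT_GROUPS.items()}


def matching_regexes(value, regexes):
    """Names of the regexes that match: what a match-any class-map evaluates."""
    return [name for name, pat in regexes.items() if re.search(pat, value)]


def blocked(value, regexes):
    """True when the class-map matches and the policy-map would reset the flow."""
    return bool(matching_regexes(value, regexes))


# Constructed sample Host headers and request URIs, including one host and
# one URI that are legitimate but that the page's regexes would block.
SAMPLE_HOSTS = ["www.yahoo.com", "yahooXcom.example", "au.yahoo7.com.au", "example.org"]
SAMPLE_URIS = ["/setup.EXE", "/report.doc", "/go?next=www.example.com/a.html", "/index.html"]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"Host {host:20} page:{blocked(host, DOMAIN_REGEXES)!s:6} tightened:{blocked(host, TIGHT_DOMAIN_REGEXES)}")
    for uri in SAMPLE_URIS:
        print(f"URI  {uri:32} page:{blocked(uri, URL_REGEXES)!s:6} tightened:{blocked(uri, TIGHT_URL_REGEXES)}")
```

Running it shows the page's domainlist1 also blocking the host yahooXcom.example and urllist1 blocking a URI that only carries ".com" inside a query string, which the tightened forms do not.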

Refer to the Configuring the AIP SSM section of Intercepting and Responding to Network Attacks for more information on how to configure the SSM on the ASA.

You can also download the signature file from Cisco Downloads.

Last update: 06-22-2009 05:05 PM
Comments
New Member

Excellent example.

But how can we restrict employees in a small business (other than, say, 2 managers) to be able to go to only designated (say, ten) business-related sites, without using expensive URL filtering external servers like Websense or N2H2?

Cisco routers allow that, and I am sure some simple configuration is possible.

Please advise.

Thanks

New Member

I found an example here only for achieving exactly what I was looking for:

https://supportforums.cisco.com/docs/DOC-1268

Thanks