How to block URLs in Cisco ASA 5510?


20 replies to this topic

#1 sco1984

sco1984

    Super Member

  • Members
  • 501 posts
  • Gender:Male
  • Location:Asia
  • Interests:IT Infrastructure administration

Posted 08 October 2011 - 12:54 AM

Hello,

I have 1 Cisco ASA 5510 device. Has only firewall module.
I want to block several URL's.
Any hints how can I do that?

I tried following the Cisco URL/guide where we need to create URL maps etc. and add an access list. It didn't work. [ Tried in ASDM mode, i.e. the GUI ]
I also tried using the regex command, but the ASA says command not found.

Unfortunately I don't have expertise on Cisco, which doesn't use policy-based routing, so I'm in trouble.

#2 MarkinManchester

MarkinManchester

    Village Elder

  • Veterans
  • 3976 posts
  • Gender:Male
  • Location:Manchester

Posted 08 October 2011 - 12:59 AM

It's all here http://www.cisco.com...080940e04.shtml

Mark

#3 sco1984

Posted 08 October 2011 - 01:01 AM

> It's all here http://www.cisco.com...080940e04.shtml
>
> Mark


Hello Mark,

Thanks for the quick reply. I followed the above URL only, but it didn't help.

#4 MarkinManchester

Posted 08 October 2011 - 04:09 AM

It's in the doc honestly

regex domainlist1 "\.yahoo\.com"
regex domainlist2 "\.myspace\.com"
regex domainlist3 "\.youtube\.com"


#5 sco1984

Posted 08 October 2011 - 05:39 AM

> It's in the doc honestly
>
> regex domainlist1 "\.yahoo\.com"
> regex domainlist2 "\.myspace\.com"
> regex domainlist3 "\.youtube\.com"


A Cisco engineer sent me a PDF with steps for blocking certain URLs using regex. But my ASA throws an error stating that the regex command is not found.

#6 MarkinManchester

Posted 08 October 2011 - 07:22 AM

sh ver?

#7 sco1984

Posted 08 October 2011 - 01:40 PM

How do I check that? I connect to the ASA using PuTTY (version 0.56) to fire those regex commands. In general, via PuTTY it accepts the reload command. I connect using the SSH protocol from PuTTY.

I am not sure how to check sh version on the ASA. I googled but it didn't help.

ASA version: 8.3(1)
ASDM version: 6.3(1)
Device Type: ASA 5510
Firewall Mode: Routed


I have the above info displayed when I run ASDM.

Edited by sco1984, 08 October 2011 - 01:47 PM.


#8 MarkinManchester

Posted 08 October 2011 - 08:01 PM

When you get this error, can you capture the output and post it?

#9 MarkinManchester

Posted 08 October 2011 - 10:18 PM

Something like this should work for you; just copy and paste, as I think you may be trying to enter a command at the wrong level.

! Regular expressions matched against the HTTP Host header. Use straight
! quotes, and escape the dots: an unescaped "." matches any character.
regex domainlist1 "\.dating\.dk"
regex domainlist2 "\.facebook\.dk"
regex domainlist3 "\.facebook\.com"
!
! Traffic that is handed to HTTP inspection (plain HTTP on 80 and 8080)
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 8080
!
! Collect the regexes: a hit on any one of them is a match
class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex domainlist3
!
! HTTP inspection class: a request whose Host header matches the list
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
class-map inspection_default
 match default-inspection-traffic
! Layer 3/4 class selecting the traffic from the ACL above
class-map httptraffic
 match access-list inside_mpc
!
! HTTP inspection policy: drop non-HTTP, drop CONNECT, reset blocked hosts
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class BlockDomainsClass
  reset log
!
! Apply the inspection policy to the classified traffic on the inside interface
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
!
service-policy inside-policy interface inside

#10 sco1984

Posted 10 October 2011 - 06:14 PM

Hello Mark,

Getting an error at the last line.
Please see this screenshot >> hxxp://imageshack.us/photo/my-images/832/asaox.jpg/

#11 MarkinManchester

Posted 10 October 2011 - 10:37 PM

You haven't defined your inside and outside interfaces; that's why you get the error.

#12 sco1984

Posted 10 October 2011 - 11:07 PM

> You haven't defined your inside and outside interfaces; that's why you get the error.

What can I do to define them?
As of now this firewall is the gateway for all VPN traffic, i.e. 10.110.1.1.

Another 5510 is configured only for HTTP access = proxy [ Squid on Linux ] + another internet line.
But the actual problem is that people remove the proxy settings from their web browser and browse any sites via the above link, which I want to stop.

Unfortunately the 5510 doesn't support policy-based routing, which is too bad for me.
I just wonder, if I upgrade the firmware, are there any chances that I can get the policy-based routing option?
I saw new releases of ASDM are available for the 5510.

#13 MarkinManchester

Posted 11 October 2011 - 12:44 AM

Hi

Do sh run and paste the config in your next post.

Mark

#14 sco1984

Posted 11 October 2011 - 05:23 PM

> Hi
>
> Do sh run and paste the config in your next post.
>
> Mark


I have sent you the "sh run" file just now via PM. Please check it.

#15 MarkinManchester

Posted 11 October 2011 - 05:58 PM

Yes, I have it. Which VLAN do you want to apply this URL filtering to?

#16 sco1984

Posted 11 October 2011 - 06:34 PM

> Yes, I have it. Which VLAN do you want to apply this URL filtering to?

10.100.10.x

#17 MarkinManchester

Posted 12 October 2011 - 03:11 AM

Try something like this:

Configure Regex

Create regular expressions

regex urldeny "EXAMPLE1\.DOMAIN\.net|EXAMPLE2\.DOMAIN\.net"

Configure ACL

Define hosts that are forwarded to the MPF HTTP inspection policy.


access-list regex-urlfilter extended deny tcp [ALLOW IP x.x.x.x] 255.255.255.255 any eq 80
access-list regex-urlfilter extended permit tcp any any eq 80

Configure Match Conditions

Define match conditions - here we match any header that is equal to the previously defined regular expressions (urldeny).

class-map type inspect http match-all class-urlfilter1
 match request header host regex urldeny

Assign ACL`s

Assign previous access-lists to class-map.


class-map class-http-match1
 match access-list regex-urlfilter

Create Policy Map

Create policy map and assign the class map (class-urlfilter1). Against this class map an action is assigned.


policy-map type inspect http policy-urlfilter1
 parameters
 class class-urlfilter1
  drop-connection log

Assign HTTP Inspection Policy Map

Under the global_policy map, assign the http inspection policy map against the match class map (class-http-match1) .


policy-map url-packet-filter
! class-http-match1 is the Layer 3/4 class built from the ACL above; the HTTP
! inspect class (class-urlfilter1) belongs inside policy-urlfilter1, not here
 class class-http-match1
  inspect http policy-urlfilter1

Configure Service-Policy

Assign global_policy to all interfaces.

service-policy url-packet-filter interface LAN-10
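The two configs above (post #9's `class-map type regex match-any` over several `regex` entries, post #17's single `regex` with `|` alternation) both hinge on how the ASA searches the Host header: the search is unanchored, so `\.facebook\.com` hits any Host value that merely contains that string, and it never hits a bare `Host: facebook.com`, because that value has no dot in front of the name. The Python below is an added example, not code from the thread: it renders post #9's MPF chain from a domain list using one anchored, multi-domain regex, and runs both regex styles over constructed Host headers to show where they differ. Python's `re` stands in for the ASA's matcher (assumption: the ASA engine treats `.`, `\.`, `^`, `$`, `?`, `[0-9]` and `|` as its regex documentation describes); object names such as `blocked_hosts` and the sample hosts are made up for the example.

```python
import re

# Constructed block list for the example; the thread's own entries
# (\.facebook\.com and so on) are placeholders and these names are too.
BLOCKED_DOMAINS = ["facebook.com", "youtube.com", "dating.dk"]


def thread_style_regexes(domains):
    """One `regex` entry per domain in the form used in post #9:
    a leading escaped dot, no anchors."""
    return [r"\." + re.escape(d) for d in domains]


def domain_regex(domains):
    """One regex for several domains (alternation, as in post #17), anchored
    so that it matches only the domain itself or a subdomain of it, with an
    optional :port as browsers send on non-default ports."""
    alts = "|".join(re.escape(d) for d in domains)
    return r"^(.*\.)?(" + alts + r")(:[0-9]+)?$"


def emit_mpf_config(domains, interface="inside"):
    """Render the MPF chain from post #9 around the anchored regex:
    regex -> L3/4 class -> HTTP inspect class -> inspect policy-map ->
    L3/4 policy-map -> service-policy. Object names are assumptions."""
    lines = [
        'regex blocked_hosts "%s"' % domain_regex(domains),
        "!",
        "access-list inside_mpc extended permit tcp any any eq www",
        "access-list inside_mpc extended permit tcp any any eq 8080",
        "!",
        "class-map httptraffic",
        " match access-list inside_mpc",
        "!",
        "class-map type inspect http match-all BlockDomainsClass",
        " match request header host regex blocked_hosts",
        "!",
        "policy-map type inspect http http_inspection_policy",
        " parameters",
        "  protocol-violation action drop-connection",
        " class BlockDomainsClass",
        "  reset log",
        "!",
        "policy-map inside-policy",
        " class httptraffic",
        "  inspect http http_inspection_policy",
        "!",
        "service-policy inside-policy interface %s" % interface,
    ]
    return "\n".join(lines)


def inspect_host(host_header, patterns):
    """Model of `match request header host regex`: the ASA searches each
    regex anywhere in the Host value and the class action (reset) fires on
    the first hit. Python's re stands in for the ASA engine (assumption)."""
    for pattern in patterns:
        if re.search(pattern, host_header):
            return "reset"
    return "allow"


# Constructed Host header values a browser might send through the firewall.
SAMPLE_HOSTS = [
    "www.facebook.com",               # the obvious case
    "facebook.com",                   # what a browser sends for http://facebook.com/
    "www.facebook.com:8080",          # Host carries the port on non-default ports
    "www.facebook.com.evil.example",  # a different site that merely contains the name
    "m.youtube.com",
    "www.example.org",
]


def compare(domains=BLOCKED_DOMAINS, hosts=SAMPLE_HOSTS):
    """Verdict per host with the post #9 style regexes vs the anchored one:
    {host: (thread_style_verdict, anchored_verdict)}."""
    loose = thread_style_regexes(domains)
    tight = [domain_regex(domains)]
    return {h: (inspect_host(h, loose), inspect_host(h, tight)) for h in hosts}


if __name__ == "__main__":
    print(emit_mpf_config(BLOCKED_DOMAINS))
    print()
    for host, (loose, tight) in compare().items():
        print("%-32s post#9-style=%-5s anchored=%s" % (host, loose, tight))
```

The anchored form is the one to prefer: it also catches a bare `Host: facebook.com`, which the leading `\.` form lets through on the user's first request, and it stops matching unrelated names that only contain the string. Keep the ASA's 100-character limit on a single `regex` string in mind; a long list is better split across several `regex` entries collected with `class-map type regex match-any` as in post #9.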

#18 sco1984

Posted 12 October 2011 - 10:31 PM

> access-list regex-urlfilter extended deny tcp [ALLOW IP x.x.x.x] 255.255.255.255 any eq 80


I can't get the above line. Can you please elaborate? I'm a bit confused about the "allow IP" in the red bracket. Deny & allow in the same expression?

#19 MarkinManchester

Posted 13 October 2011 - 12:37 AM

[ALLOW IP x.x.x.x] is the IP or subnet you want to allow !!!!!!!!!

Mark

#20 sco1984

Posted 13 October 2011 - 03:37 AM

> [ALLOW IP x.x.x.x] is the IP or subnet you want to allow !!!!!!!!!
>
> Mark


Thanks. I am really kind of dumb at understanding command-line commands in Cisco.

The good news is I managed to block URLs via ASDM by referring to this Cisco URL >> hxxp://goo.gl/8Q5Zx
I created regular expressions, added an ACL and it worked!

My mistake was I was putting a dot before creating the expression value.
The correct expression value is > \.youtube\.com ; I was using a dot at the beginning.

Now, 2 new problems >>

- I added tcp/http & tcp/https + urllist1 & its value, urllist2 + value.
- The above setting is now altogether blocking all HTTPS URLs on that specific link. [ but it isn't blocking all HTTP URLs ]
- I added an ACL in the global access list as follows >>

source <any> destination <any> service tcp/http,tcp/https HTTP filtering scan block facebook,youtube etc [ for 10.100.10.x & another VLAN ]

I want to know how I can put multiple values in a single urllist value field?
And why are all HTTPS websites getting blocked? Is it because I have mentioned no specific HTTPS URL in the blocked list?
The reason I added tcp/https is that I wanted to ensure no one can access FB using HTTPS.

Any hints?

Edited by sco1984, 13 October 2011 - 03:41 AM.

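On the HTTPS question in the post above: `inspect http` parses cleartext HTTP, and the Host header it matches the regexes against does not exist on port 443 as the ASA sees it. A TLS connection starts with a ClientHello, which the HTTP inspector cannot parse, so the connection is handled as a protocol violation (what happens to it depends on the `protocol-violation action` in the inspection policy; post #9's config drops it) regardless of which site the user is going to. That is why adding tcp/https to the inspected service blocks every HTTPS site while HTTP keeps working. The Python below is an added example, not from the thread: it extracts what the inspector can see from a constructed HTTP request, shows that the same parser gets nothing from a constructed TLS ClientHello, and separately parses the ClientHello's SNI extension to show where the hostname actually lives in HTTPS (a field this release's HTTP inspection does not read). The block list and both inputs are constructed for the example.

```python
import struct

# Constructed block list for the example: suffix match on the Host name,
# catching both the bare domain and its subdomains.
BLOCKED = ["facebook.com", "youtube.com"]


def http_host(data):
    """Return the Host header of a cleartext HTTP request, or None when the
    bytes are not an HTTP request. This is the only field the ASA's
    `match request header host regex` can look at."""
    head = data.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].split(b" ")
    except ValueError:
        return None
    if not version.startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def tls_sni(data):
    """Return the server_name from a TLS ClientHello record, or None when
    the bytes are not a well-formed ClientHello carrying SNI."""
    try:
        return _parse_sni(data)
    except (IndexError, struct.error):
        return None


def _parse_sni(data):
    # TLS record header: content type (0x16 = handshake), version, length
    if data[0] != 0x16:
        return None
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if hs[0] != 0x01:                                    # client_hello
        return None
    pos = 4 + 2 + 32                                     # hs header, client_version, random
    pos += 1 + hs[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                                   # compression_methods
    if pos + 2 > len(hs):
        return None                                      # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:                                   # server_name extension
            # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello with an SNI extension.
    Sample input for the example, not a capture."""
    name = server_name.encode("ascii")
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni_data)) + sni_data
    body = (b"\x03\x03" + bytes(32)                      # client_version, random
            + b"\x00"                                    # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
            + b"\x01\x00"                                # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def inspect_like_asa(data, blocked=BLOCKED):
    """Model the decision the HTTP inspection policy makes on a connection's
    first client bytes: (verdict, host seen). Non-HTTP bytes are a protocol
    violation before any host matching can happen."""
    host = http_host(data)
    if host is None:
        return ("protocol-violation", None)
    bare = host.rsplit(":", 1)[0]                        # drop an explicit port
    hit = any(bare == d or bare.endswith("." + d) for d in blocked)
    return ("reset" if hit else "allow", host)


# Constructed inputs: a plain HTTP request and an HTTPS ClientHello.
SAMPLE_HTTP = (b"GET / HTTP/1.1\r\n"
               b"Host: www.facebook.com\r\n"
               b"User-Agent: example\r\n\r\n")
SAMPLE_TLS = build_client_hello("www.facebook.com")

if __name__ == "__main__":
    print("HTTP :", inspect_like_asa(SAMPLE_HTTP))
    print("HTTPS:", inspect_like_asa(SAMPLE_TLS), "SNI =", tls_sni(SAMPLE_TLS))
```

The takeaway for the thread's setup: the regex/Host-header method only controls cleartext HTTP, so tcp/https should be taken back out of the inspected service; anything on 443 will be all-or-nothing with this mechanism.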

#21 MarkinManchester

Posted 13 October 2011 - 06:36 AM

Hi

The easiest way to admin these devices is via ASDM.

Good luck

Mark