block website asa configuration

Upload: naishaj

Post on 05-Apr-2018


  • 7/31/2019 Block Website ASA Configuration

    1/26

    ASA Configuration 8.x with ASDM 6.x

    Complete these steps in order to configure the regular expressions and apply them in MPF to block the specific websites as shown.

    1. Create Regular Expressions

    Choose Configuration > Firewall > Objects > Regular Expressions and click Add under the Regular Expression tab in order to create the regular expressions as shown.

    a. Create a regular expression domainlist1 in order to capture the domain name yahoo.com. Click OK.

    b. Create a regular expression domainlist2 in order to capture the domain name myspace.com. Click OK.

    c. Create a regular expression domainlist3 in order to capture the domain name youtube.com. Click OK.


    d. Create a regular expression urllist1 in order to capture the file extensions exe, com and bat, provided that the HTTP version used by the web browser is either 1.0 or 1.1. Click OK.

    e. Create a regular expression urllist2 in order to capture the file extensions pif, vbs and wsh, provided that the HTTP version used by the web browser is either 1.0 or 1.1. Click OK.

    f. Create a regular expression urllist3 in order to capture the file extensions doc, xls and ppt, provided that the HTTP version used by the web browser is either 1.0 or 1.1. Click OK.


    b. Create a regular expression class URLBlockList in order to match any of the regular expressions urllist1, urllist2, urllist3 and urllist4. Click OK.


    Equivalent CLI Configuration

    ASA CLI Configuration

    ciscoasa#configure terminal
    ciscoasa(config)#class-map type inspect http match-all BlockDomainsClass
    ciscoasa(config-cmap)#match request header host regex class DomainBlockList
    ciscoasa(config-cmap)#exit
    ciscoasa(config)#class-map type regex match-any URLBlockList
    ciscoasa(config-cmap)#match regex urllist1
    ciscoasa(config-cmap)#match regex urllist2
    ciscoasa(config-cmap)#match regex urllist3
    ciscoasa(config-cmap)#match regex urllist4
    ciscoasa(config-cmap)#exit

    3. Inspect the identified traffic with Class maps


    Choose Configuration > Firewall > Objects > Class Maps > HTTP > Add in order to create a class map that inspects the HTTP traffic identified by the various regular expressions as shown.

    a. Create a class map AppHeaderClass in order to match the response header against the regular expression captures.

    Click OK.

    b. Create a class map BlockDomainsClass in order to match the request header against the regular expression captures.


    Click OK.

    c. Create a class map BlockURLsClass in order to match the request URI against the regular expression captures.


    Click OK.

    Equivalent CLI Configuration

    ASA CLI Configuration

    ciscoasa#configure terminal
    ciscoasa(config)#class-map type inspect http match-all AppHeaderClass
    ciscoasa(config-cmap)#match response header regex contenttype regex applicationheader
    ciscoasa(config-cmap)#exit
    ciscoasa(config)#class-map type inspect http match-all BlockDomainsClass
    ciscoasa(config-cmap)#match request header host regex class DomainBlockList
    ciscoasa(config-cmap)#exit
    ciscoasa(config)#class-map type inspect http match-all BlockURLsClass
    ciscoasa(config-cmap)#match request uri regex class URLBlockList
    ciscoasa(config-cmap)#exit


    4. Set the actions for the matched traffic in the inspection policy

    Choose Configuration > Firewall > Objects > Inspect Maps > HTTP in order to create an HTTP inspect map http_inspection_policy that sets the action for the matched traffic as shown. Click OK.

    a. Choose Configuration > Firewall > Objects > Inspect Maps > HTTP > http_inspection_policy (double click) and click Details > Add in order to set the actions for the various classes created so far.

    b. Set the action as Drop Connection and enable logging for the Criterion Request Method with Value connect.


    Click OK

    c. Set the action as Drop Connection and enable logging for the class AppHeaderClass.


    Click OK.

    d. Set the action as Reset and enable logging for the class BlockDomainsClass.


    Click OK

    e. Set the action as Reset and enable logging for the class BlockURLsClass.

    Click OK.

    Click Apply.

    Equivalent CLI Configuration

    ASA CLI Configuration

    ciscoasa#configure terminal
    ciscoasa(config)#policy-map type inspect http http_inspection_policy
    ciscoasa(config-pmap)#parameters
    ciscoasa(config-pmap-p)#match request method connect
    ciscoasa(config-pmap-c)#drop-connection log
    ciscoasa(config-pmap-c)#class AppHeaderClass
    ciscoasa(config-pmap-c)#drop-connection log
    ciscoasa(config-pmap-c)#class BlockDomainsClass
    ciscoasa(config-pmap-c)#reset log
    ciscoasa(config-pmap-c)#class BlockURLsClass
    ciscoasa(config-pmap-c)#reset log
    ciscoasa(config-pmap-c)#exit
    ciscoasa(config-pmap)#exit

    5. Apply the inspection http policy to the interface

    Choose Configuration > Firewall > Service Policy Rules > Add > Add Service Policy Rule.

    a. HTTP Traffic

    a. Choose the Interface radio button with the inside interface from the drop-down menu and Policy Name as inside-policy. Click Next.


    b. Create a class map httptraffic and check Source and Destination IP Address (uses ACL). Click Next.


    c. Choose the Source and Destination as any with service as tcp-udp/http. Click Next.


    d. Check the HTTP radio button and click Configure.


    e. Check the radio button Select a HTTP inspect map for control over inspection as shown. Click OK.


    f. Click Finish.

    b. Port 8080 Traffic

    a. Again, choose Add > Add Service Policy Rule.


    b. Click Next.

    c. Choose the radio button Add rule to existing traffic class and choose httptraffic from the drop-down menu. Click Next.


    d. Choose the Source and Destination as any with tcp/8080. Click Next.


    e. Click Finish.


    Click Apply.

    Equivalent CLI Configuration

    ASA CLI Configuration

    ciscoasa#configure terminal
    ciscoasa(config)#access-list inside_mpc extended permit tcp any any eq www
    ciscoasa(config)#access-list inside_mpc extended permit tcp any any eq 8080
    ciscoasa(config)#class-map httptraffic
    ciscoasa(config-cmap)#match access-list inside_mpc
    ciscoasa(config-cmap)#exit
    ciscoasa(config)#policy-map inside-policy
    ciscoasa(config-pmap)#class httptraffic
    ciscoasa(config-pmap-c)#inspect http http_inspection_policy
    ciscoasa(config-pmap-c)#exit
    ciscoasa(config-pmap)#exit
    ciscoasa(config)#service-policy inside-policy interface inside

    Verify

    Use this section in order to confirm that your configuration works properly.

    The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

    show running-config regex: Shows the regular expressions that have been configured.

    ciscoasa#show running-config regex
    regex urllist1 ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"
    regex urllist2 ".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]"
    regex urllist3 ".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|[Pp][Pp][Tt]) HTTP/1.[01]"
    regex urllist4 ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"
    regex domainlist1 "\.yahoo\.com"
    regex domainlist2 "\.myspace\.com"
    regex domainlist3 "\.youtube\.com"
    regex contenttype "Content-Type"
    regex applicationheader "application/.*"
    ciscoasa#
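    The host and content-type entries in that output can be checked offline before the policy is applied. The Python script below is an added example, not part of the Cisco document: it parses the `regex NAME "PATTERN"` lines as printed above and evaluates constructed Host and Content-Type samples the way the page's BlockDomainsClass (match-any DomainBlockList, action reset) and AppHeaderClass (header-name regex plus header-value regex, action drop-connection) would, assuming Python's re engine treats these simple patterns the same way the ASA does. It makes one coverage detail visible: `\.yahoo\.com` requires a leading dot, so a bare host `yahoo.com` is not matched, while any host name containing `.yahoo.com` is.

```python
import re

# Constructed sample: the host and content-type entries from the page's
# "show running-config regex" output (patterns copied verbatim).
SHOW_RUN_REGEX = r'''
regex domainlist1 "\.yahoo\.com"
regex domainlist2 "\.myspace\.com"
regex domainlist3 "\.youtube\.com"
regex contenttype "Content-Type"
regex applicationheader "application/.*"
'''

# Regex names grouped as on the page, with the policy-map action that
# step 4 attaches to the inspect class that uses each group.
DOMAIN_BLOCK_LIST = ["domainlist1", "domainlist2", "domainlist3"]  # BlockDomainsClass
DOMAIN_ACTION = "reset log"
APP_HEADER_ACTION = "drop-connection log"                            # AppHeaderClass

def parse_regex_config(text):
    """Return {name: compiled pattern} from `regex NAME "PATTERN"` lines.
    Assumption: Python re semantics match the ASA engine for the simple
    constructs used here (escaped dots, alternation, .*)."""
    return {m.group(1): re.compile(m.group(2))
            for m in re.finditer(r'^\s*regex\s+(\S+)\s+"(.*)"\s*$', text, re.M)}

PATTERNS = parse_regex_config(SHOW_RUN_REGEX)

def host_verdict(patterns, host):
    """BlockDomainsClass: Host header value vs the match-any DomainBlockList."""
    if any(patterns[n].search(host) for n in DOMAIN_BLOCK_LIST):
        return DOMAIN_ACTION
    return "allow"

def response_header_verdict(patterns, header_line):
    """AppHeaderClass: `match response header regex contenttype regex
    applicationheader` applies the first regex to the header name and the
    second to its value; both must match for the class to fire."""
    name, _, value = header_line.partition(":")
    if (patterns["contenttype"].search(name.strip())
            and patterns["applicationheader"].search(value.strip())):
        return APP_HEADER_ACTION
    return "allow"

if __name__ == "__main__":
    # Constructed samples; note the leading dot the host regexes require.
    for h in ["www.yahoo.com", "yahoo.com", "www.youtube.com.cdn.example", "mail.example.net"]:
        print(f"Host: {h:32} -> {host_verdict(PATTERNS, h)}")
    for line in ["Content-Type: application/octet-stream", "Content-Type: text/html",
                 "Content-Length: 42"]:
        print(f"{line:40} -> {response_header_verdict(PATTERNS, line)}")
```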


    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map type inspect http http_inspection_policy
     parameters
      protocol-violation action drop-connection
     class AppHeaderClass
      drop-connection log
     match request method connect
      drop-connection log
     class BlockDomainsClass
      reset log
     class BlockURLsClass
      reset log
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    policy-map inside-policy
     class httptraffic
      inspect http http_inspection_policy
    !
    ciscoasa#

    show running-config service-policy: Displays all currently running service policy configurations.

    ciscoasa#show running-config service-policy
    service-policy global_policy global
    service-policy inside-policy interface inside

    show running-config access-list: Displays the access-list configuration that runs on the security appliance.

    ciscoasa#show running-config access-list
    access-list inside_mpc extended permit tcp any any eq www
    access-list inside_mpc extended permit tcp any any eq 8080
    ciscoasa#