This example provides the configuration required to allow a single IP address access to TCP port 80 when the HTTP Host header matches either EXAMPLE1.DOMAIN.net or EXAMPLE2.DOMAIN.net.
Note: in addition to the commands below you will also need to grant the relevant access via your interface-based ACLs, because HTTP traffic is evaluated by the interface ACLs before it reaches the ASA's application inspection layer.
Create regular expressions
regex urldeny "EXAMPLE1\.DOMAIN\.net|EXAMPLE2\.DOMAIN\.net"
Define the hosts that are forwarded to the MPF HTTP inspection policy. The deny entry excludes the allowed IP from inspection; the permit entry sends every other source's port 80 traffic to it.
access-list regex-urlfilter extended deny tcp [ALLOW IP] 255.255.255.255 any eq 80
access-list regex-urlfilter extended permit tcp any any eq 80
Configure Match Conditions
Define match conditions – here we match any Host header that matches the previously defined regular expression (urldeny).
class-map type inspect http match-all class-urlfilter1
match request header host regex urldeny
Assign the previous access-list to a Layer 3/4 class-map. This is the class-http-match1 class-map that is referenced under global_policy further down; a Layer 3/4 class-map is required because match access-list is not valid inside a type inspect http class-map.
class-map class-http-match1
 match access-list regex-urlfilter
Create Policy Map
Create the policy map and assign the class map (class-urlfilter1) to it. An action is assigned against this class map; the drop-connection log action used here is an assumed choice, with reset being the other option for an HTTP inspection class.
policy-map type inspect http policy-urlfilter1
 class class-urlfilter1
  drop-connection log
Assign HTTP Inspection Policy Map
Under the global_policy map, assign the HTTP inspection policy map against the match class map (class-http-match1).
policy-map global_policy
 class class-http-match1
  inspect http policy-urlfilter1
Apply global_policy to all interfaces. On a default ASA configuration global_policy is already applied globally, so this command only needs to be entered if it is absent.
service-policy global_policy global
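To see how the access-list and the Host header regex combine, the following Python simulates the decision the policy above makes for a single request. This is an added illustration, not ASA code or code from the original page; the allowed IP, the client addresses and the Host header values are constructed sample values standing in for the page's [ALLOW IP] placeholder.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed stand-in for the page's "[ALLOW IP]" placeholder.
ALLOW_IP = "203.0.113.10"

# The page's `regex urldeny`, compiled as a Python pattern. Like the ASA
# regex it is unanchored, so it matches anywhere inside the Host value.
URLDENY = re.compile(r"EXAMPLE1\.DOMAIN\.net|EXAMPLE2\.DOMAIN\.net")

# The page's access-list regex-urlfilter, in evaluation order:
# (action, source network, destination port). First match wins.
REGEX_URLFILTER = [
    ("deny", ip_network(ALLOW_IP + "/32"), 80),  # allowed host skips inspection
    ("permit", ip_network("0.0.0.0/0"), 80),     # everyone else is inspected
]

def selected_for_inspection(src_ip, dst_port):
    """Mirror `match access-list`: only a 'permit' entry classes the flow."""
    src = ip_address(src_ip)
    for action, net, port in REGEX_URLFILTER:
        if src in net and dst_port == port:
            return action == "permit"
    return False  # implicit deny: flow is not classed, so not inspected

def host_header_matches(host):
    """Mirror `match request header host regex urldeny` (substring match)."""
    return URLDENY.search(host) is not None

def decide(src_ip, dst_port, host):
    """Outcome for one request that the interface ACLs have already allowed."""
    if not selected_for_inspection(src_ip, dst_port):
        return "allow"  # class-http-match1 did not match; inspection not applied
    if host_header_matches(host):
        return "drop"   # class-urlfilter1 matched; drop-connection action
    return "allow"      # inspected, but Host is not one of the two names

if __name__ == "__main__":
    # Constructed sample requests: (source IP, destination port, Host header)
    samples = [
        (ALLOW_IP, 80, "EXAMPLE1.DOMAIN.net"),
        ("198.51.100.7", 80, "EXAMPLE2.DOMAIN.net"),
        ("198.51.100.7", 80, "OTHER.DOMAIN.net"),
        ("198.51.100.7", 80, "EXAMPLE1.DOMAIN.net:8080"),
    ]
    for src, port, host in samples:
        print(f"{src:14} {host:28} -> {decide(src, port, host)}")
```

Because the pattern is unanchored it also matches Host values such as EXAMPLE1.DOMAIN.net:8080 or www.EXAMPLE1.DOMAIN.net, which is usually what you want for port suffixes but is worth checking against the names you actually serve. Python's re is case-sensitive, so confirm how your ASA version treats case in the Host header before relying on the match.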