Cisco ASA - HTTP Filtering - Example 3

Within our last article we looked at 2 configuration examples using the Cisco ASA`s Modular Policy Framework (MPF) to allow or deny traffic via HTTP inspection.

This example will provide the required configuration to allow a single IP address access to TCP port 80 when the HTTP Host Header matches either or

Note : In addition to the commands below you will also need to grant the relevant access via your interface based ACL`s. This is because your HTTP traffic will first hit interface based ACL`s before reaching the ASA`s application inspection layer.

Configure Regex

Create regular expressions

regex urldeny "EXAMPLE1\.DOMAIN\.net|EXAMPLE2\.DOMAIN\.net"

Configure ACL

Define hosts that are forwarded to the MPF HTTP inspection policy.

access-list regex-urlfilter extended deny tcp [ALLOW IP] any eq 80
access-list regex-urlfilter extended permit tcp any any eq 80

Configure Match Conditions

Define match conditions - here we match any header that is equal to the previously defined regular expressions (urldeny).

class-map type inspect http match-all class-urlfilter1
  match request header host regex urldeny

Assign ACL`s

Assign previous access-lists to class-map.

class-map class-http-match1
   match access-list regex-urlfilter

Create Policy Map

Create policy map and assign the class map (class-urlfilter1). Against this class map an action is assigned.

policy-map type inspect http policy-urlfilter1
    class class-urlfilter1
      drop-connection log

Assign HTTP Inpsection Policy Map

Under the global_policy map, assign the http inspection policy map against the match class map (class-http-match1) .

policy-map url-packet-filter
  class class-urlfilter1
    inspect http policy-urlfilter1

Configure Service-Policy

Assign global_policy to all interfaces.

service-policy url-packet-filter interface outside

Tags: ASA