Cisco ASA - HTTP Filtering - Example 3
In our last article we looked at two configuration examples that use the Cisco ASA's Modular Policy Framework (MPF) to allow or deny traffic via HTTP inspection.
This example provides the configuration required to allow a single IP address access to TCP port 80 when the HTTP Host header matches either EXAMPLE1.DOMAIN.net or EXAMPLE2.DOMAIN.net.
Note: In addition to the commands below you will also need to grant the relevant access via your interface-based ACLs. HTTP traffic is evaluated by the interface ACLs first and only then reaches the ASA's application inspection layer, so a flow that the interface ACL drops never gets as far as the HTTP inspection policy.
Create the regular expression. ASA regular expressions are not anchored, so without ^ and $ this pattern also matches any Host header that merely contains one of the two names.
regex urldeny "EXAMPLE1\.DOMAIN\.net|EXAMPLE2\.DOMAIN\.net"
Define which hosts are forwarded to the MPF HTTP inspection policy. In a class map, a deny entry in a matched access list excludes the flow from the class, so the allowed IP bypasses inspection entirely, while the permit entry sends all other port 80 traffic to the inspection policy. Replace [ALLOW IP] with the address you want to exempt.
access-list regex-urlfilter extended deny tcp [ALLOW IP] 255.255.255.255 any eq 80
access-list regex-urlfilter extended permit tcp any any eq 80
Configure Match Conditions
Define the HTTP inspection match condition. Here we match any request whose Host header matches the previously defined regular expression (urldeny).
class-map type inspect http match-all class-urlfilter1
 match request header host regex urldeny
Create a Layer 3/4 class map (class-http-match1) and assign the access list to it. Only flows the access list permits are placed in this class and therefore sent to the HTTP inspection policy map.
class-map class-http-match1
 match access-list regex-urlfilter
Create Policy Map
Create the HTTP inspection policy map and assign the class map (class-urlfilter1) to it. An action is applied to traffic that matches this class; this example drops the connection and logs it (reset is the alternative if you want the client to receive a TCP RST).
policy-map type inspect http policy-urlfilter1
 class class-urlfilter1
  drop-connection log
Assign HTTP Inspection Policy Map
Under the global_policy map, assign the HTTP inspection policy map (policy-urlfilter1) to the Layer 3/4 class map (class-http-match1).
policy-map global_policy
 class class-http-match1
  inspect http policy-urlfilter1
Apply global_policy to all interfaces. On most ASAs the default global_policy is already applied globally with this command, in which case it is already in place.
service-policy global_policy global
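To make the evaluation order concrete, here is a small Python model of the chain described above. It is an added example, not part of the original article and not Cisco code: it walks a flow through the stages in the order the ASA applies them (interface ACL, then the Layer 3/4 class map where a deny entry excludes the flow from inspection, then the HTTP inspect class with the unanchored regex). The address 203.0.113.10 stands in for [ALLOW IP]; the interface ACL, client addresses and Host headers are constructed test values.

```python
import ipaddress
import re

# Constructed placeholder for [ALLOW IP] from the article.
ALLOW_IP = "203.0.113.10"

# regex urldeny: unanchored, so a Host header that merely contains one of
# the names also matches, just as on the ASA.
URL_DENY = re.compile(r"EXAMPLE1\.DOMAIN\.net|EXAMPLE2\.DOMAIN\.net")

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed interface ACL (the one the article's note says you must still
# write): permit TCP 80 and 443 from anywhere, implicit deny at the end.
INTERFACE_ACL = [
    ("permit", ANY, 80),
    ("permit", ANY, 443),
]

# access-list regex-urlfilter: the allowed IP is denied (excluded from the
# class), everyone else to port 80 is permitted (sent to inspection).
REGEX_URLFILTER_ACL = [
    ("deny", ipaddress.ip_network(f"{ALLOW_IP}/32"), 80),
    ("permit", ANY, 80),
]


def first_match(acl, src_ip, dst_port):
    """Return the action of the first ACE matching the flow, or None (implicit deny)."""
    src = ipaddress.ip_address(src_ip)
    for action, net, port in acl:
        if src in net and dst_port == port:
            return action
    return None


def evaluate(src_ip, dst_port, host_header):
    """Walk one HTTP flow through the stages in the order the ASA applies them."""
    # Stage 1: interface ACL. A dropped flow never reaches inspection.
    if first_match(INTERFACE_ACL, src_ip, dst_port) != "permit":
        return "deny (interface ACL)"
    # Stage 2: Layer 3/4 class map class-http-match1 via 'match access-list'.
    # Only a permit ACE places the flow in the class; deny means "not classified".
    if first_match(REGEX_URLFILTER_ACL, src_ip, dst_port) != "permit":
        return "pass (not inspected)"
    # Stage 3: HTTP inspect class class-urlfilter1 -> policy-urlfilter1 action.
    if URL_DENY.search(host_header):
        return "drop-connection"
    return "pass (inspected)"


if __name__ == "__main__":
    for flow in [
        (ALLOW_IP, 80, "EXAMPLE1.DOMAIN.net"),
        ("198.51.100.7", 80, "EXAMPLE1.DOMAIN.net"),
        ("198.51.100.7", 80, "EXAMPLE1.DOMAIN.net.other.example"),
        ("198.51.100.7", 80, "www.other.example"),
        ("198.51.100.7", 443, "EXAMPLE2.DOMAIN.net"),
        ("198.51.100.7", 22, "EXAMPLE2.DOMAIN.net"),
    ]:
        print(flow, "->", evaluate(*flow))
```

The third flow shows the anchoring caveat: because the regex is unanchored, a Host header that only contains EXAMPLE1.DOMAIN.net is dropped too. If that is not what you want, anchor the pattern with ^ and $ in the regex command. Port 443 traffic passes without inspection because the access list (and the inspect http policy) only covers port 80, and port 22 is stopped at the interface ACL before the MPF chain is consulted.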