
Cisco ASA MPF URL Filtering

Within this tutorial we will look at two configuration examples in which HTTP inspection on the Cisco ASA (Modular Policy Framework, MPF) is used to restrict which web sites certain hosts may reach, based on the HTTP Host request header. Note that the Host header is only visible to the ASA in cleartext HTTP; HTTPS traffic is not filtered by these policies unless it is decrypted elsewhere first.

EXAMPLE 1

This example shows the syntax required to restrict any host within the network 10.1.1.0 255.255.0.0 to yahoo.com only. HTTP traffic from any other host is not matched by the policy, so it is not inspected and is permitted.

In addition to the commands below you will also need to grant the relevant access via your interface-based ACLs. This is because HTTP traffic hits the interface ACLs first, before it reaches the ASA's application inspection layer; a flow that the interface ACL denies never gets as far as the inspection policy.

Your access-list will need to contain a permit for HTTP traffic from your host(s) to any. An example would be:

access-list acl-inside-in extended permit tcp any any eq www

Steps

1. Create the regular expression that describes the permitted site. As written this pattern is unanchored, so it matches any Host header that merely contains the string yahoo.com (for example a host name ending in yahoo.com.example); if that is not acceptable, anchor the pattern to the start of the header with ^ and verify the exact syntax against the regex reference for your ASA version.

regex urlallow1 "yahoo\.com"

2. Define the hosts whose HTTP traffic is to be inspected. Only traffic matched by a permit entry is selected by the class-map; traffic matched by a deny entry (or by the implicit deny at the end of the ACL) bypasses this policy.

access-list acl-mpf-http1 extended permit tcp 10.1.1.0 255.255.0.0 any eq www
access-list acl-mpf-http1 extended deny ip any any

3. Define the match condition. Here we match any HTTP request whose Host header does not match the previously defined regular expression (urlallow1).

class-map type inspect http match-all class-http1 
match not request header host regex urlallow1

4. Create a Layer 3/4 class-map that selects traffic using the access-list defined in step 2.

class-map class-http-match1 
match access-list acl-mpf-http1

5. Create the HTTP inspection policy-map and reference the inspection class-map (class-http1). The action assigned to this class is applied to every request that matches it, i.e. every request whose Host header is not yahoo.com. Note that parameters and class are separate sub-modes at the same level of the policy-map; the parameters sub-mode is empty here.

policy-map type inspect http policy-http1
 parameters
 class class-http1
  drop-connection log

6. Under the global_policy policy-map, apply the HTTP inspection policy-map to the Layer 3/4 class-map (class-http-match1).

policy-map global_policy 
class class-http-match1
    inspect http policy-http1

7. Apply global_policy to all interfaces. On a factory-default ASA configuration this line is already present, in which case the command can be omitted.

service-policy global_policy global

EXAMPLE 2

This example shows the syntax required to restrict every host except 192.168.1.100 to yahoo.com only. The host 192.168.1.100 is excluded from the inspection class, so its HTTP traffic is not inspected and is permitted to any site.

As in Example 1, you will also need to grant the relevant access via your interface-based ACLs, because HTTP traffic hits the interface ACLs before it reaches the ASA's application inspection layer. The access-list needs a permit for HTTP traffic from your host(s) to any, for example:

access-list acl-inside-in extended permit tcp any any eq www

Steps

1. Create the regular expression (the same one used in Example 1, with the same caveat that it is unanchored).

regex urlallow1 "yahoo\.com"

2. Define the hosts whose HTTP traffic is to be inspected. The deny entry excludes 192.168.1.100 from the class; the permit entry selects everything else. Since the permit is written as ip any any rather than tcp any any eq www, every flow from the remaining hosts is handed to this class; scoping the permit to tcp any any eq www keeps the class limited to HTTP.

access-list acl-mpf-http1 extended deny tcp host 192.168.1.100 any eq www
access-list acl-mpf-http1 extended permit ip any any

3. Define the match condition. Here we match any HTTP request whose Host header does not match the previously defined regular expression (urlallow1).

class-map type inspect http match-all class-http1 
match not request header host regex urlallow1

4. Create a Layer 3/4 class-map that selects traffic using the access-list defined in step 2.

class-map class-http-match1 
match access-list acl-mpf-http1

5. Create the HTTP inspection policy-map and reference the inspection class-map (class-http1). The action assigned to this class is applied to every request whose Host header is not yahoo.com. As in Example 1, parameters and class are separate sub-modes at the same level of the policy-map.

policy-map type inspect http policy-http1
 parameters
 class class-http1
  drop-connection log

6. Under the global_policy policy-map, apply the HTTP inspection policy-map to the Layer 3/4 class-map (class-http-match1).

policy-map global_policy 
class class-http-match1
    inspect http policy-http1

7. Apply global_policy to all interfaces. On a factory-default ASA configuration this line is already present, in which case the command can be omitted.

service-policy global_policy global
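The following is an added example, not configuration or code from the original page: a small Python model of the decision the ASA makes for a request under Example 1 and Example 2 (interface ACL already permitted the flow; then the Layer 3/4 class-map ACL selects or bypasses the flow; then the HTTP inspection class-map tests the Host header against the regex and applies drop-connection). It lets you check both policies against constructed requests before touching the firewall, and shows why an unanchored "yahoo\.com" also accepts a Host header such as yahoo.com.evil.example. Assumptions: the ASA regex engine is approximated with Python's re module, the anchored pattern EXAMPLE1_ANCHORED is a suggested alternative whose syntax must be checked against the regex reference for your ASA version, and the sample requests and IP addresses are constructed for the demonstration.

```python
"""Model of the ASA MPF evaluation order for the two URL-filtering examples.

Added example (not from the page). Evaluation order modelled:
  1. Layer 3/4 class-map (match access-list): permit -> inspected,
     deny / implicit deny -> this policy does not apply (forwarded).
  2. HTTP inspection class-map: match not request header host regex
     -> drop-connection for any Host header the regex does NOT match.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network    # source network of the ACE


def acl_action(acl: List[AclEntry], src_ip: str) -> str:
    """Return the action of the first ACE whose source contains src_ip.
    The ASA appends an implicit deny, modelled here by the final return."""
    ip = ipaddress.IPv4Address(src_ip)
    for ace in acl:
        if ip in ace.src:
            return ace.action
    return "deny"


def evaluate(policy: dict, src_ip: str, host_header: str) -> str:
    """Return "forward" or "drop" for a TCP/80 request from src_ip.

    policy = {"acl": [AclEntry, ...], "host_regex": pattern}.
    Only flows selected by a permit ACE reach HTTP inspection; anything else
    bypasses this policy and is forwarded (the interface ACL is assumed to
    have permitted it already, as the page requires)."""
    if acl_action(policy["acl"], src_ip) != "permit":
        return "forward"                      # not in the class: no inspection
    # class-map type inspect http / match not request header host regex
    if re.search(policy["host_regex"], host_header) is None:
        return "drop"                         # drop-connection log
    return "forward"


# Example 1: 10.1.1.0 255.255.0.0 (as written on the page; with that mask the
# covered range is 10.1.0.0/16, so strict=False is needed to build it).
EXAMPLE1 = {
    "acl": [
        AclEntry("permit", ipaddress.IPv4Network("10.1.1.0/255.255.0.0", strict=False)),
        AclEntry("deny", ipaddress.IPv4Network("0.0.0.0/0")),
    ],
    "host_regex": r"yahoo\.com",              # unanchored, as on the page
}

# Example 2: everything except host 192.168.1.100 is inspected.
EXAMPLE2 = {
    "acl": [
        AclEntry("deny", ipaddress.IPv4Network("192.168.1.100/32")),
        AclEntry("permit", ipaddress.IPv4Network("0.0.0.0/0")),
    ],
    "host_regex": r"yahoo\.com",
}

# Suggested tighter pattern (assumption: verify the anchor and port syntax
# against the regex reference for your ASA version). It accepts yahoo.com,
# any label(s) in front of it, and an optional :port, and nothing after.
EXAMPLE1_ANCHORED = dict(EXAMPLE1, host_regex=r"^([^.]+\.)*yahoo\.com(:[0-9]+)?$")

# Constructed sample requests: (policy name, source IP, Host header).
SAMPLES = [
    ("example1", "10.1.1.5", "www.yahoo.com"),
    ("example1", "10.1.1.5", "www.example.org"),
    ("example1", "192.168.1.100", "www.example.org"),
    ("example1", "10.1.1.5", "yahoo.com.evil.example"),   # unanchored pitfall
    ("example1-anchored", "10.1.1.5", "yahoo.com.evil.example"),
    ("example1-anchored", "10.1.1.5", "www.yahoo.com:8080"),
    ("example2", "192.168.1.100", "www.example.org"),      # excluded host
    ("example2", "192.168.1.101", "www.example.org"),
    ("example2", "192.168.1.101", "yahoo.com"),
]

POLICIES = {"example1": EXAMPLE1, "example1-anchored": EXAMPLE1_ANCHORED,
            "example2": EXAMPLE2}


def run_samples() -> List[str]:
    """Evaluate every sample; returns the list of verdicts in SAMPLES order."""
    return [evaluate(POLICIES[name], ip, host) for name, ip, host in SAMPLES]


if __name__ == "__main__":
    for (name, ip, host), verdict in zip(SAMPLES, run_samples()):
        print(f"{name:18} {ip:15} Host: {host:24} -> {verdict}")
```

The fourth sample is the one to note: under the page's unanchored pattern a Host header of yahoo.com.evil.example is forwarded, because the inspection class only asks whether the regex fails to match anywhere in the header. The same model also makes the Example 2 semantics explicit: 192.168.1.100 is the host that bypasses inspection, and every other host is the one restricted to yahoo.com.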


About the Author


R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001