Cisco ASA MPF URL Filtering

In this tutorial we will look at two configuration examples that use HTTP inspection on the Cisco ASA (via the Modular Policy Framework) to control which hosts may reach which sites, based on the HTTP Host header of each request.

EXAMPLE 1

This example shows the syntax required to restrict any host within the network 10.1.1.0 255.255.0.0 to yahoo.com only. HTTP traffic from any other host is not inspected and is permitted.

In addition to the commands below, you will also need to grant the relevant access via your interface-based ACLs, because HTTP traffic hits the interface ACLs before it reaches the ASA's application inspection layer.

Your access-list will need to include a permit for HTTP traffic from your host(s) to any. An example would be:

access-list acl-inside-in extended permit tcp any any eq www

Steps

1. Create the regular expression. Note that the ASA matches a regex anywhere within the header value unless you anchor it, so this pattern also matches Host values such as www.yahoo.com.

regex urlallow1 "yahoo\.com"

2. Define the hosts whose HTTP traffic is selected for inspection (permit) or excluded from it (deny).

access-list acl-mpf-http1 extended permit tcp 10.1.1.0 255.255.0.0 any eq www
access-list acl-mpf-http1 extended deny ip any any

3. Define the match condition: here we match any request whose Host header does not match the previously defined regular expression (urlallow1).

class-map type inspect http match-all class-http1 
  match not request header host regex urlallow1

4. Assign the previous access-list to a Layer 3/4 class-map.

class-map class-http-match1 
  match access-list acl-mpf-http1

5. Create the HTTP inspection policy map and assign the class map (class-http1) to it. The action (drop the connection and log it) is applied to traffic matching this class.

policy-map type inspect http policy-http1
  parameters
  class class-http1
    drop-connection log

6. Under the global_policy policy map, apply the HTTP inspection policy map to the Layer 3/4 class map (class-http-match1).

policy-map global_policy 
  class class-http-match1 
    inspect http policy-http1

7. Assign global_policy to all interfaces.

service-policy global_policy global

EXAMPLE 2

This example shows the syntax required to restrict every host except 192.168.1.100 to yahoo.com only. HTTP traffic from 192.168.1.100 is not inspected and is permitted.

In addition to the commands below, you will also need to grant the relevant access via your interface-based ACLs, because HTTP traffic hits the interface ACLs before it reaches the ASA's application inspection layer.

Your access-list will need to include a permit for HTTP traffic from your host(s) to any. An example would be:

access-list acl-inside-in extended permit tcp any any eq www

Steps

1. Create the regular expression.

regex urlallow1 "yahoo\.com"

2. Define the hosts whose HTTP traffic is selected for inspection (permit) or excluded from it (deny).

access-list acl-mpf-http1 extended deny tcp host 192.168.1.100 any eq www
access-list acl-mpf-http1 extended permit ip any any

3. Define the match condition: here we match any request whose Host header does not match the previously defined regular expression (urlallow1).

class-map type inspect http match-all class-http1 
  match not request header host regex urlallow1

4. Assign the previous access-list to a Layer 3/4 class-map.

class-map class-http-match1 
  match access-list acl-mpf-http1

5. Create the HTTP inspection policy map and assign the class map (class-http1) to it. The action (drop the connection and log it) is applied to traffic matching this class.

policy-map type inspect http policy-http1
  parameters
  class class-http1
    drop-connection log

6. Under the global_policy policy map, apply the HTTP inspection policy map to the Layer 3/4 class map (class-http-match1).

policy-map global_policy 
  class class-http-match1 
    inspect http policy-http1

7. Assign global_policy to all interfaces.

service-policy global_policy global
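As an added illustration (not part of the original tutorial and not Cisco code), the following Python model evaluates the policies of both examples above against constructed requests: the Layer 3/4 ACL selects which source hosts are inspected, and the unanchored Host-header regex decides which of those requests are dropped. The client IPs and Host values used are constructed sample data; the ACL lines are the ones from the two examples.

```python
import ipaddress
import re

# Model of the two-layer match both examples build: the ACL selects which HTTP
# flows get the inspect policy, then class-http1 drops any selected request whose
# Host header does NOT match urlallow1. ASA regex matching is unanchored (matches
# anywhere in the header value), which re.search() models here.
URLALLOW1 = re.compile(r"yahoo\.com")


def parse_acl(lines):
    """Parse the ACE shapes used on this page into (action, source_network) pairs."""
    aces = []
    for line in lines:
        tok = line.split()
        action, src = tok[3], tok[5:]          # tok[4] is the protocol (tcp / ip)
        if src[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif src[0] == "host":
            net = ipaddress.ip_network(src[1] + "/32")
        else:                                  # "<network> <mask>", e.g. 10.1.1.0 255.255.0.0
            net = ipaddress.ip_network(f"{src[0]}/{src[1]}", strict=False)
        aces.append((action, net))
    return aces


def acl_permits(aces, src_ip):
    """First-match evaluation with the ASA's implicit deny at the end of the list."""
    ip = ipaddress.ip_address(src_ip)
    for action, net in aces:
        if ip in net:
            return action == "permit"
    return False


def verdict(aces, src_ip, host_header):
    """Outcome ('pass' or 'drop') for one cleartext HTTP request through global_policy."""
    if not acl_permits(aces, src_ip):
        return "pass"   # not in class-http-match1: no HTTP inspection applied to this flow
    if URLALLOW1.search(host_header) is None:
        return "drop"   # class-http1 matched (Host not in regex) -> drop-connection log
    return "pass"


# ACLs from Example 1 and Example 2; sample client IPs and Host values are constructed.
EXAMPLE1 = parse_acl([
    "access-list acl-mpf-http1 extended permit tcp 10.1.1.0 255.255.0.0 any eq www",
    "access-list acl-mpf-http1 extended deny ip any any",
])
EXAMPLE2 = parse_acl([
    "access-list acl-mpf-http1 extended deny tcp host 192.168.1.100 any eq www",
    "access-list acl-mpf-http1 extended permit ip any any",
])
```

Because the regex is unanchored, any Host value that merely contains the string yahoo.com is treated as allowed; anchor the pattern or tighten it if that is not what you want.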
Rick Donato
