{"id":513,"date":"2011-01-17T20:04:45","date_gmt":"2011-01-17T20:04:45","guid":{"rendered":"https:\/\/fir3netwp.gmsrrpobkbd.com\/2011\/01\/17\/cisco-asa-mpf-url-filtering\/"},"modified":"2021-07-30T18:37:20","modified_gmt":"2021-07-30T18:37:20","slug":"cisco-asa-mpf-url-filtering","status":"publish","type":"post","link":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/url-inspection.html","title":{"rendered":"Cisco ASA MPF URL Filtering"},"content":{"rendered":"
Within this tutorial we will look at two configuration examples in which HTTP inspection on the Cisco ASA (configured through the Modular Policy Framework, MPF) is used to restrict which hosts may reach which web sites, based on the HTTP Host request header. Application inspection only sees cleartext HTTP: in an HTTPS (TLS) session the Host header is inside the encrypted payload, so none of the configuration below applies to it.<\/p>\nEXAMPLE 1<\/strong><\/h4>\n
This example shows the syntax required to restrict every host in the network 10.1.1.0 255.255.255.0 to yahoo.com only: an HTTP request from that network whose Host header does not match yahoo.com is dropped and logged. HTTP traffic from any other source address is not placed into the inspection class and is therefore permitted, subject only to the interface ACLs.<\/p>\n
In addition to the commands below you will also need to permit the traffic in your interface ACLs, because HTTP traffic is evaluated against the interface ACL before it reaches the ASA's application inspection layer.<\/p>\n
Your access-list needs a permit for HTTP traffic from your host(s) to any, for example:<\/p>\n
access-list acl-inside-in extended permit tcp any any eq www<\/pre>\nSteps<\/strong><\/h5>\n
1. Create the regular expression. An ASA regex is an unanchored search, so yahoo\\.com matches any Host header that contains that string: www.yahoo.com and mail.yahoo.com, but also a host such as yahoo.com.attacker.example. Tighten the pattern if that is not acceptable.<\/p>\n
regex urlallow1 \"yahoo\\.com\"<\/pre>\n2. Define the hosts that are subject to URL filtering. Traffic permitted by this access-list is placed into the HTTP inspection class; traffic denied by it is left uninspected.<\/p>\n
access-list acl-mpf-http1 extended permit tcp 10.1.1.0 255.255.255.0 any eq www\r\naccess-list acl-mpf-http1 extended deny ip any any<\/pre>\n3. Define the match condition. Here we match any HTTP request whose Host header does not match the previously defined regular expression (urlallow1).<\/p>\n
class-map type inspect http match-all class-http1 \r\n match not request header host regex urlallow1<\/pre>\n4. Create a Layer 3\/4 class-map that matches the previous access-list.<\/p>\n
class-map class-http-match1 \r\n match access-list acl-mpf-http1<\/pre>\n5. Create the HTTP inspection policy map and assign the inspection class map (class-http1) to it, together with the action to take on a match: drop the connection and log it.<\/p>\n
policy-map type inspect http policy-http1 \r\n parameters \r\n class class-http1 \r\n\u00a0\u00a0 drop-connection log<\/pre>\n6. Under the global_policy map, apply the HTTP inspection policy map (policy-http1) to the Layer 3\/4 class map (class-http-match1).<\/p>\n
policy-map global_policy \r\n class class-http-match1 \r\n\u00a0\u00a0\u00a0 inspect http policy-http1<\/pre>\n7. Apply global_policy to all interfaces. On most ASAs global_policy is already applied globally by the default configuration, in which case this command is already present. Once traffic is flowing, show service-policy inspect http lists the inspection policy together with its drop counters.<\/p>\n
service-policy global_policy global<\/pre>\nEXAMPLE 2<\/strong><\/h4>\n
This example shows the syntax required to restrict every host except 192.168.1.100 to yahoo.com only. Requests from 192.168.1.100 are excluded from the inspection class and are therefore not URL-filtered at all.<\/p>\n
In addition to the commands below you will also need to permit the traffic in your interface ACLs, because HTTP traffic is evaluated against the interface ACL before it reaches the ASA's application inspection layer.<\/p>\n
Your access-list needs a permit for HTTP traffic from your host(s) to any, for example:<\/p>\n
access-list acl-inside-in extended permit tcp any any eq www<\/pre>\n
Steps<\/strong><\/h5>\n
1. Create the regular expression. As in example 1 this is an unanchored search, so any Host header containing yahoo\\.com will match.<\/p>\n
regex urlallow1 \"yahoo\\.com\"<\/pre>\n2. Define the hosts that are subject to URL filtering. The deny entry keeps 192.168.1.100 out of the inspection class; the permit ip any any entry places every other host into it.<\/p>\n
access-list acl-mpf-http1 extended deny tcp host 192.168.1.100 any eq www\r\naccess-list acl-mpf-http1 extended permit ip any any<\/pre>\n3. Define the match condition. Here we match any HTTP request whose Host header does not match the previously defined regular expression (urlallow1).<\/p>\n
class-map type inspect http match-all class-http1 \r\n match not request header host regex urlallow1<\/pre>\n4. Create a Layer 3\/4 class-map that matches the previous access-list.<\/p>\n
class-map class-http-match1 \r\n match access-list acl-mpf-http1<\/pre>\n5. Create the HTTP inspection policy map and assign the inspection class map (class-http1) to it, together with the action to take on a match: drop the connection and log it.<\/p>\n
policy-map type inspect http policy-http1 \r\n parameters \r\n class class-http1 \r\n\u00a0\u00a0 drop-connection log<\/pre>\n6. Under the global_policy map, apply the HTTP inspection policy map (policy-http1) to the Layer 3\/4 class map (class-http-match1).<\/p>\n
policy-map global_policy \r\n class class-http-match1 \r\n\u00a0\u00a0\u00a0 inspect http policy-http1<\/pre>\n7. Apply global_policy to all interfaces. On most ASAs global_policy is already applied globally by the default configuration, in which case this command is already present.<\/p>\n
service-policy global_policy global<\/pre>\n","protected":false},"excerpt":{"rendered":"Within this tutorial we will look at 2 configuration examples in which we will use HTTP inspection within the Cisco ASA to allow access for certain hosts based on specific URL headers. EXAMPLE 1 This example will show the required syntax to allow access to yahoo.com for any host within the network 10.1.1.0 255.255.0.0. HTTP … Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"yoast_head":"\n
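To make the decision logic of both examples concrete, here is an added Python simulation; it is not part of the original page and is not Cisco code. It models the two stages the page configures: the Layer 3/4 class-map, which only admits flows permitted by acl-mpf-http1 into HTTP inspection (first matching entry wins, as on the ASA), and the inspection class, which drops any request whose Host header does not contain the urlallow1 pattern. The ACLs and the regex are taken from the two examples (the 10.1.1.0 network is taken as a /24); the sample flows, the Ace class and the functions acl_action and evaluate are constructed for this illustration, and the interface ACL is assumed to already permit tcp any any eq www.

```python
"""Simulation of the two MPF URL-filtering policies on this page.

Added example, not Cisco code: an assumption about how the configured
policy behaves. Verify on a real ASA with `show service-policy inspect http`.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access-list entry. Like the ASA, the first matching entry wins."""
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network      # "any" is 0.0.0.0/0, "host x" is x/32
    dst_port: Optional[int] = None  # None means any port ("permit ip any any")


def acl_action(acl, src_ip, dst_port):
    """Action of the first ACE matching the flow; implicit deny if none does."""
    for ace in acl:
        if src_ip in ace.src and ace.dst_port in (None, dst_port):
            return ace.action
    return "deny"


def evaluate(mpf_acl, url_regex, src_ip, host_header, dst_port=80):
    """Walk one cleartext HTTP request through the page's policy.

    1. class-map class-http-match1 / match access-list acl-mpf-http1:
       only flows *permitted* by the ACL enter HTTP inspection.
    2. class-map type inspect http class-http1 /
       match not request header host regex urlallow1:
       a Host header that does NOT contain the pattern is dropped.
    Assumes the interface ACL already permits tcp any any eq www.
    """
    ip = ipaddress.ip_address(src_ip)
    if acl_action(mpf_acl, ip, dst_port) != "permit":
        return "not-inspected"        # outside the class: no URL filtering at all
    if url_regex.search(host_header) is None:
        return "drop-connection"      # policy-map type inspect http -> drop-connection log
    return "allow"


# regex urlallow1 "yahoo\.com": an unanchored substring search, as on the ASA
URLALLOW1 = re.compile(r"yahoo\.com")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Example 1: permit tcp 10.1.1.0 255.255.255.0 any eq www / deny ip any any
EXAMPLE1_ACL = [
    Ace("permit", ipaddress.ip_network("10.1.1.0/24"), 80),
    Ace("deny", ANY),
]

# Example 2: deny tcp host 192.168.1.100 any eq www / permit ip any any
EXAMPLE2_ACL = [
    Ace("deny", ipaddress.ip_network("192.168.1.100/32"), 80),
    Ace("permit", ANY),
]

if __name__ == "__main__":
    # Constructed sample flows (source IP, Host header), not captured traffic.
    samples = [
        ("Example 1", EXAMPLE1_ACL, [("10.1.1.20", "www.yahoo.com"),
                                    ("10.1.1.20", "www.google.com"),
                                    ("10.2.2.5", "www.google.com"),
                                    ("10.1.1.20", "yahoo.com.attacker.example")]),
        ("Example 2", EXAMPLE2_ACL, [("192.168.1.100", "www.google.com"),
                                    ("192.168.1.50", "www.google.com"),
                                    ("192.168.1.50", "mail.yahoo.com")]),
    ]
    for name, acl, flows in samples:
        for src, host in flows:
            verdict = evaluate(acl, URLALLOW1, src, host)
            print(f"{name}: {src:<14} Host: {host:<28} {verdict}")
```

Running it shows the two points worth remembering about this configuration: because an ASA regex is an unanchored search, a request for yahoo.com.attacker.example is allowed by the same policy that drops www.google.com, and a source that falls outside the Layer 3/4 class (10.2.2.5 in example 1, 192.168.1.100 in example 2) is not URL-filtered at all, whatever Host header it sends.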