Before we get started: this will not work for HTTPS, because the ASA cannot do regex-based deep packet inspection when the payload is encrypted. The HTTP inspection engine only sees a cleartext request line and headers.

You would need an IPS module or similar to do this, or pass the traffic to a Websense server, for example.

Block Specific URLs

Let's say you want to block some specific URLs, such as cisco.com and any URI that contains /test/. You would want to do the following. Note that the regex matches are unanchored substring searches, so `cisco\.com` also matches hosts such as notcisco.com; you can check a pattern on the box before committing it with `test regex www.cisco.com cisco\.com`, which reports whether the match succeeded.

regex blockex1 "/test/"
regex blockex2 "cisco\.com"

class-map type inspect http match-any block-url-class
 match request uri regex blockex1
 match request header host regex blockex2

policy-map type inspect http block-url-policy
 parameters
 class block-url-class
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect http block-url-policy

service-policy global_policy global

Allow all URLs for specific users and block everyone else

Let's now say you want to allow all traffic from the administrators' IPs and block the specific URLs above for everyone else. The deny entry in the ACL means the administrator's HTTP traffic (192.168.1.2 here) never matches block-user-class, so it is not inspected at all, while everyone else's web traffic is sent through block-url-policy. The policy is applied to the inside interface rather than globally; an interface policy takes precedence over the global policy for the same feature (HTTP inspection) on that interface.

regex blockex1 "/test/"
regex blockex2 "cisco\.com"

access-list user-acl extended deny tcp host 192.168.1.2 any eq www
access-list user-acl extended permit tcp any any eq www
class-map type inspect http match-any block-url-class
 match request uri regex blockex1
 match request header host regex blockex2
class-map block-user-class
 match access-list user-acl

policy-map type inspect http block-url-policy
 parameters
 class block-url-class
  drop-connection
policy-map block-user-url-policy
 class block-user-class
  inspect http block-url-policy

service-policy block-user-url-policy interface inside

Allow Only Cisco.com

Here the class map has a single negated criterion: any request whose Host header does not contain cisco.com is dropped, so only cisco.com (and, because the regex is unanchored, any other host containing that string) gets through.

regex allowex2 "cisco\.com"

class-map type inspect http match-all allow-url-class
 match not request header host regex allowex2

policy-map type inspect http allow-url-policy
 parameters
 class allow-url-class
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect http allow-url-policy

service-policy global_policy global

Allow specific URLs

With both criteria negated in a match-all class, a request is dropped only if its URI does not contain /test/ and its Host header does not contain cisco.com; a request that matches either one is allowed.

regex allowex1 "/test/"
regex allowex2 "cisco\.com"

class-map type inspect http match-all allow-url-class
 match not request uri regex allowex1
 match not request header host regex allowex2

policy-map type inspect http allow-url-policy
 parameters
 class allow-url-class
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect http allow-url-policy

service-policy global_policy global

Same Domain Allow or Deny

The goal here is to:

1. deny facebook.com;

2. allow developer.facebook.com, which gets redirected automatically to developers.facebook.com;

3. allow all other domains, such as yahoo.com and google.com.

The two host conditions have to be ANDed ("matches facebook.com" and "does not match developer(s).facebook.com"), so they belong together in a match-all inspect class map. Two loose match lines in the policy map would not do this: each match line in an inspection policy map is its own rule with its own action, so a match not line with no action under it does nothing and the following match would reset developers.facebook.com as well.

regex block-fb "facebook\.com"
regex allow-fb "developers?\.facebook\.com"

!
class-map type regex match-any block-fb-regex-class
 match regex block-fb
class-map type regex match-any allow-regex-class
 match regex allow-fb
!
class-map type inspect http match-all block-fb-class
 match request header host regex class block-fb-regex-class
 match not request header host regex class allow-regex-class
!
policy-map type inspect http http-inspect-pol
 parameters
 class block-fb-class
  reset log
!
class-map http-class
 match port tcp eq www

policy-map http-traffic
 class http-class
  inspect http http-inspect-pol
!
service-policy http-traffic interface inside
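To see how the four policies on this page actually combine match-any, match-all and match not, here is an added Python model written for this post; it is example code, not anything that runs on an ASA and not Cisco's code. It parses constructed HTTP requests, pulls out the request URI and Host header, and evaluates the page's regex objects against them with re.search as a stand-in for the ASA's unanchored regex matching. The regex names come from the page; the policy names allow-only-cisco, allow-specific and facebook-policy, the sample hosts and the `developers?` spelling of the developer pattern are assumptions made for the demo. It also shows the caveat that an unanchored `cisco\.com` lets notcisco.com through the allow-only policy.

```python
import re
from dataclasses import dataclass

# Regex objects lifted from the page's "regex <name> <pattern>" lines.
# ASA regex matching is an unanchored search, which re.search reproduces
# for these simple patterns.
REGEXES = {
    "blockex1": r"/test/",
    "blockex2": r"cisco\.com",
    "block-fb": r"facebook\.com",
    "allow-fb": r"developers?\.facebook\.com",   # assumed tightening of developer[s]*
}


@dataclass(frozen=True)
class Criterion:
    """One 'match [not] request {uri|header host} regex <name>' line."""
    part: str           # "uri" or "host"
    regex: str          # key into REGEXES
    negate: bool = False


@dataclass(frozen=True)
class ClassMap:
    """'class-map type inspect http match-any|match-all <name>'."""
    mode: str           # "match-any" or "match-all"
    criteria: tuple


# Inspection policy maps modelled as (class-map, action). Each page policy has a
# single class, so a non-matching request is simply allowed. Policy names other
# than block-url-policy are assumed for this demo.
POLICIES = {
    "block-url-policy": (ClassMap("match-any", (
        Criterion("uri", "blockex1"),
        Criterion("host", "blockex2"))), "drop-connection"),
    "allow-only-cisco": (ClassMap("match-all", (
        Criterion("host", "blockex2", negate=True),)), "drop-connection"),
    "allow-specific": (ClassMap("match-all", (
        Criterion("uri", "blockex1", negate=True),
        Criterion("host", "blockex2", negate=True))), "drop-connection"),
    "facebook-policy": (ClassMap("match-all", (
        Criterion("host", "block-fb"),
        Criterion("host", "allow-fb", negate=True))), "reset"),
}


def parse_request(raw: bytes):
    """Return (request URI, Host header value) from a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *headers = head.split("\r\n")
    _method, uri, _version = request_line.split(" ", 2)
    host = ""
    for line in headers:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    return uri, host


def class_matches(cmap: ClassMap, uri: str, host: str) -> bool:
    """match-any ORs the criteria, match-all ANDs them; 'match not' inverts
    one criterion before the combination, which is what makes the negated
    match-all classes above act as allow-lists."""
    outcomes = []
    for c in cmap.criteria:
        subject = uri if c.part == "uri" else host
        hit = re.search(REGEXES[c.regex], subject) is not None
        outcomes.append(hit != c.negate)
    return any(outcomes) if cmap.mode == "match-any" else all(outcomes)


def decide(policy: str, raw: bytes) -> str:
    """Action the named inspection policy would take on this request."""
    cmap, action = POLICIES[policy]
    uri, host = parse_request(raw)
    return action if class_matches(cmap, uri, host) else "allow"


def request(host: str, path: str = "/") -> bytes:
    """Constructed sample request for the given Host header (test data only)."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


if __name__ == "__main__":
    samples = [request("www.cisco.com"), request("notcisco.com"),
               request("example.org", "/test/page"), request("www.facebook.com"),
               request("developers.facebook.com"), request("www.google.com")]
    for name in POLICIES:
        for raw in samples:
            uri, host = parse_request(raw)
            print(f"{name:18} {host:26} {uri:12} -> {decide(name, raw)}")
```

Running it prints one line per policy and sample request; the notcisco.com row under allow-only-cisco is the one to look at if you need exact host matching, since the substring match passes it.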
