Sunday, October 14, 2012

Whitelisting URLs using Cisco ASA

Taken from http://walshike.blogspot.com.au/2009/07/asa-regular-expression.html
ASA Regular Expression - Whitelist/Blacklist
The intent of this post is to show how you can permit specific web
sites from your inside hosts and block all others. In order to do this
URL (or IRI) filtering on the ASA you need to create a few things.

• First off you need to decide what you want to allow by calling them
out in a regex statement:
!
regex urlreg1 "cisco.com"
regex urlreg2 "yahoo.com"

• Next we will group these statements under a class-map and call it whitelist:
!
class-map type regex match-any whitelist
match regex urlreg1
match regex urlreg2

• The inspect class-map "goodclass" matches any HTTP request whose
Host header matches one of the regexes grouped in "whitelist".
!
class-map type inspect http match-all goodclass
match request header host regex class whitelist

• Now we need to create a class-map that blocks everything not in the
allowed list. This is done by creating the "badclass" and stating
"match not" for the whitelist.
!
class-map type inspect http match-all badclass
match not request header host regex class whitelist

• Here we are taking the "badclass" and "goodclass" and putting them
into a policy-map that has actions. In this case the action for the
"badclass" is to drop the connection; "goodclass" has no action, so
matching traffic is simply inspected and allowed through.
!
policy-map type inspect http regex-policy
parameters
class goodclass
class badclass
drop-connection

• The policy-map "global_policy" might already exist on the ASA (not
sure since I have hacked mine to hell) but in any case it calls out
the "class inspection_default" that has to exist on the box for the
statement under the "global_policy" to take effect. If you are missing
it, here it is:

!
class-map inspection_default
match default-inspection-traffic

!
policy-map global_policy
class inspection_default
inspect http regex-policy

• This next statement applies the "global_policy" to the inside
interface. Once applied this will allow users on the trusted LAN to
access two sites - cisco.com and yahoo.com - and that's it.
!
service-policy global_policy interface inside
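The following is an added example, not part of the original post or of Cisco's own tooling. It simulates the decision the policy-map above makes for a handful of constructed Host headers: the "whitelist" regex class is match-any, "goodclass" is whatever matches it, "badclass" is whatever does not, and "badclass" gets drop-connection. Python's re.search is used as a stand-in for the ASA regex engine (an assumption, but both are unanchored substring matches unless you anchor with ^ and $). The example also goes slightly beyond the post by showing why the two regexes should be written with an escaped dot and anchors, using only metacharacters (^, $, \., ?, ( )) that the ASA regex command supports: as posted, "cisco.com" also matches any host that merely contains that string.

```python
import re

# The two regexes exactly as configured in the post.
WHITELIST_AS_POSTED = ["cisco.com", "yahoo.com"]

# Tightened variants (assumption: suitable for the ASA "regex" command):
# anchor to the whole Host value and escape the literal dot.
WHITELIST_TIGHTENED = [r"^(.*\.)?cisco\.com$", r"^(.*\.)?yahoo\.com$"]

# Constructed sample Host headers seen by "inspect http".
SAMPLE_HOSTS = [
    "www.cisco.com",
    "yahoo.com",
    "example.org",
    "cisco.com.not-cisco.example",  # contains "cisco.com" as a substring
    "ciscoXcom",                    # an unescaped '.' matches any character
]


def matches_whitelist(host, patterns):
    """class-map type regex match-any whitelist: true if ANY regex matches.

    re.search is unanchored, like the ASA regex match, so a pattern with
    no ^/$ hits anywhere inside the Host header.
    """
    return any(re.search(p, host) for p in patterns)


def policy_action(host, patterns):
    """Evaluate policy-map type inspect http regex-policy for one request.

    class goodclass  (match request header host regex class whitelist)
        -> no action configured, request is inspected and allowed.
    class badclass   (match not ... whitelist)
        -> drop-connection.
    """
    if matches_whitelist(host, patterns):
        return "allow"
    return "drop-connection"


def evaluate(patterns, hosts=SAMPLE_HOSTS):
    """Return {host: action} for every sample Host header."""
    return {h: policy_action(h, patterns) for h in hosts}


if __name__ == "__main__":
    for label, patterns in (("as posted", WHITELIST_AS_POSTED),
                            ("tightened", WHITELIST_TIGHTENED)):
        print(f"--- whitelist {label} ---")
        for host, action in evaluate(patterns).items():
            print(f"{host:32} {action}")
```

Running it shows that with the regexes as posted, "cisco.com.not-cisco.example" and "ciscoXcom" both land in "goodclass" and are allowed, while the anchored, escaped versions let through only cisco.com, yahoo.com and their subdomains. If you want subdomains excluded too, drop the optional `(.*\.)?` group.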

Have fun with this one. Maybe call out some social networking sites in
the regex statement and change the actions in the policy-map
"regex-policy" to log the hits and see how often your users are
accessing those sites.
