Solved

Block domain/website http & https cisco pix 515e ver 8.2

Posted on 2010-08-16
1,251 Views
Last Modified: 2013-11-16
I am trying to block a website on the http and https ports on a PIX firewall ver 8.2.

What is wrong with the code I have that is not blocking https?
How do I block everything (all ports) from one domain?
regex domainlist1 "\.facebook\.com"
access-list inside_blocked_Domains extended permit tcp any any eq www
access-list inside_blocked_Domains extended permit tcp any any eq https

class-map type regex match-any DomainBlockList
 match regex domainlist1

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList

class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader
AppHeaderClass 
 drop-connection log

class-map httptraffic
 match access-list inside_blocked_Domains
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy

service-policy inside-policy interface inside

Question by:fm250
13 Comments
 
LVL 7

Expert Comment

by:joelvp
ID: 33449791
You need:

policy-map type inspect http http_inspection_policy
 parameters
 class BlockDomainsClass
  drop-connection
 
LVL 10

Author Comment

by:fm250
ID: 33449963
I can still get to:
https://www.facebook.com/
See my newly applied config:

regex domainlist1 "\.facebook\.com"
access-list inside_blocked_Domains extended permit tcp any any eq www
access-list inside_blocked_Domains extended permit tcp any any eq https

class-map type regex match-any DomainBlockList
 match regex domainlist1

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList

class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader


policy-map type inspect http http_inspection_policy
 parameters
 class BlockDomainsClass
  drop-connection

class-map httptraffic
 match access-list inside_blocked_Domains

policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy

service-policy inside-policy interface inside

 
LVL 7

Expert Comment

by:joelvp
ID: 33450031
I see no errors in this config. I have a working config with some minor differences.

This would be the following:

change:
regex domainlist1 "\.facebook\.com"
to
regex domainlist1 "facebook.com"

and
change
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
to
class-map type inspect http match-all BlockDomainsClass
 match request header host regex domainlist1

Otherwise no clues really. Do you get hits on the access-list?
 
LVL 10

Author Comment

by:fm250
ID: 33450122
Is yours working with https? It would be because the domain may have https on a different port other than 443.
Also, what do you mean by: Do you get hits on the access-list?

Just FYI, I have changed it to what you have, and still get to the https portion.
 
LVL 7

Expert Comment

by:joelvp
ID: 33450137
Ah, sorry, this feature does not support https, only http.
 
LVL 7

Expert Comment

by:joelvp
ID: 33450144
Very annoying, by the way.
 
LVL 7

Accepted Solution

by:joelvp (earned 500 total points)
ID: 33450151
See also http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

"Note: HTTPS filtering is not supported on ASA. ASA cannot do deep packet inspection or inspection based on regular expression for HTTPS traffic, because in HTTPS, content of packet is encrypted (SSL)."
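An added illustration (not from the thread or from Cisco) of why the two fixes above behave as they do: a small Python approximation of what the HTTP inspection engine's "match request header host regex" sees. It shows that "\.facebook\.com" matches the Host header of a plaintext request to www.facebook.com but not to a bare facebook.com, that the looser "facebook.com" (unescaped dot) also matches hostnames that merely look similar, and that a TLS ClientHello on port 443 carries no readable Host header at all, so no regex can match it. The sample requests and the ClientHello bytes are constructed, and the helper names are my own.

```python
import re

# Constructed sample traffic as the inspection engine would see it on the
# inside interface (not captured from a real network).
HTTP_REQUESTS = {
    "www.facebook.com": b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\nUser-Agent: x\r\n\r\n",
    "facebook.com": b"GET / HTTP/1.1\r\nHost: facebook.com\r\n\r\n",
    "facebookxcom.example": b"GET / HTTP/1.1\r\nHost: facebookxcom.example\r\n\r\n",
}

# First bytes of a TLS handshake record (content type 0x16, version 3.1), padded.
# The client's HTTP request, Host header included, only exists inside the
# encrypted stream that follows, so nothing here resembles an HTTP request.
TLS_CLIENT_HELLO = bytes.fromhex("16030100") + b"\x00" * 40


def host_header(payload: bytes):
    """Return the Host header value of a plaintext HTTP request, or None."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    # Anything that does not start with an HTTP request line is not inspectable.
    if not re.match(r"^[A-Z]+ \S+ HTTP/1\.[01]$", lines[0]):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None


def blocked(payload: bytes, regex: str) -> bool:
    """Approximation of 'match request header host regex <name>':
    an unanchored regex search over the Host header value only."""
    host = host_header(payload)
    return host is not None and re.search(regex, host) is not None


if __name__ == "__main__":
    for regex in (r"\.facebook\.com", r"facebook.com"):
        for label, req in HTTP_REQUESTS.items():
            print(f"{regex!r:20} {label:22} blocked={blocked(req, regex)}")
        print(f"{regex!r:20} {'TLS ClientHello':22} blocked={blocked(TLS_CLIENT_HELLO, regex)}")
```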
 
LVL 10

Author Comment

by:fm250
ID: 33450165
What are the other options?
 
LVL 7

Expert Comment

by:joelvp
ID: 33450191
AFAIK you have to use a 3rd party filtering server such as Websense.
 
LVL 10

Author Comment

by:fm250
ID: 33450208
Do you have an example of Websense?
 
LVL 10

Author Comment

by:fm250
ID: 33450224
Never mind the last question.
Is there a way to block all ports from a specific domain/IP?
 
LVL 7

Expert Comment

by:joelvp
ID: 33450245
Filtering on IP address is simple, but if you want to block Facebook, you are not going to get all the IP addresses that Facebook is running on. Or, maybe if you get them, they will change, so this is high maintenance.
An additional product is required to get this functionality.
Is that your question?
 
LVL 10

Author Comment

by:fm250
ID: 33450252
Thanks!