Solved

Block domain/website http & https cisco pix 515e ver 8.2

Posted on 2010-08-16
1,235 Views
Last Modified: 2013-11-16
I am trying to block a website on the http and https ports on a PIX firewall running ver 8.2.

What is wrong with the code I have that is not blocking https?
How do I block everything (all ports) from one domain?
regex domainlist1 "\.facebook\.com"
access-list inside_blocked_Domains extended permit tcp any any eq www
access-list inside_blocked_Domains extended permit tcp any any eq https

class-map type regex match-any DomainBlockList
 match regex domainlist1

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList

class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader
AppHeaderClass 
 drop-connection log

class-map httptraffic
 match access-list inside_blocked_Domains
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy

service-policy inside-policy interface inside

Question by:fm250
13 Comments
 
LVL 7

Expert Comment

by:joelvp
ID: 33449791
You need:

policy-map type inspect http http_inspection_policy
 parameters
 class BlockDomainsClass
  drop-connection
 
LVL 10

Author Comment

by:fm250
ID: 33449963
I still can get to:
https://www.facebook.com/
See my new applied config:

regex domainlist1 "\.facebook\.com"
access-list inside_blocked_Domains extended permit tcp any any eq www
access-list inside_blocked_Domains extended permit tcp any any eq https

class-map type regex match-any DomainBlockList
 match regex domainlist1

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList

class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader


policy-map type inspect http http_inspection_policy
 parameters
 class BlockDomainsClass
  drop-connection

class-map httptraffic
 match access-list inside_blocked_Domains

policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy

service-policy inside-policy interface inside

 
LVL 7

Expert Comment

by:joelvp
ID: 33450031
I see no errors in this config. I have a working config with some minor differences.

This would be the following:

change:
regex domainlist1 "\.facebook\.com"
to
regex domainlist1 "facebook.com"

and
change
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
to
class-map type inspect http match-all BlockDomainsClass
 match request header host regex domainlist1

Otherwise no clues really. Do you get hits on the access-list?

 
LVL 10

Author Comment

by:fm250
ID: 33450122
Is yours working with https? It would be because the domain may have https on a different port other than 443.
Also, what do you mean by: Do you get hits on the access-list?

Just FYI, I have changed it to what you have, and still get to the https portion.
 
LVL 7

Expert Comment

by:joelvp
ID: 33450137
Ah, sorry, this feature does not support https, only http.
 
LVL 7

Expert Comment

by:joelvp
ID: 33450144
Very annoying by the way.....
 
LVL 7

Accepted Solution

by:joelvp (earned 500 total points)
ID: 33450151
See also http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

"Note: HTTPS filtering is not supported on ASA. ASA cannot do deep packet inspection or inspection based on regular expression for HTTPS traffic, because in HTTPS, content of packet is encrypted (SSL)."
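To make the accepted answer concrete, here is an added Python example (not part of the thread and not Cisco code) that emulates what the PIX `match request header host regex` check can and cannot see. It runs the two regexes quoted above (the asker's `\.facebook\.com` and joelvp's `facebook.com`) against constructed cleartext HTTP requests, and against a constructed byte string standing in for an encrypted TLS record on port 443, where no Host header exists to match. All sample requests and the TLS bytes are constructed for illustration.

```python
import re

# Constructed sample HTTP requests (not from the thread).  On port 80 the
# firewall sees these in cleartext and can inspect the Host header.
HTTP_REQUESTS = {
    "www": b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\nAccept: */*\r\n\r\n",
    "bare": b"GET / HTTP/1.1\r\nHost: facebook.com\r\n\r\n",
    "lookalike": b"GET / HTTP/1.1\r\nHost: www.facebookXcom\r\n\r\n",
    "other": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

# Constructed stand-in for what the firewall sees on port 443: a TLS record
# header followed by opaque application data.  The Host header is inside the
# encrypted payload, so there is nothing for a regex to match.
TLS_APP_DATA = b"\x17\x03\x01\x00\x20" + bytes(range(0x20))

# The two regexes discussed in the thread.
REGEX_ESCAPED = r"\.facebook\.com"   # asker's form: requires a leading dot
REGEX_PLAIN = r"facebook.com"        # joelvp's form: unescaped '.' matches any character


def request_host(payload: bytes):
    """Return the Host header value of a cleartext HTTP/1.x request, or None
    when the payload is not parseable HTTP (e.g. a TLS record)."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, sep, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not sep or not re.match(r"^[A-Z]+ \S+ HTTP/1\.[01]$", lines[0]):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None


def host_matches(payload: bytes, pattern: str) -> bool:
    """Emulate 'match request header host regex': an unanchored regex search
    over the Host value.  Unparseable (encrypted) payloads never match."""
    host = request_host(payload)
    return host is not None and re.search(pattern, host) is not None


def evaluate(pattern: str) -> dict:
    """Report which constructed samples the given regex would drop."""
    results = {name: host_matches(req, pattern) for name, req in HTTP_REQUESTS.items()}
    results["https"] = host_matches(TLS_APP_DATA, pattern)
    return results


if __name__ == "__main__":
    for label, pattern in (("escaped", REGEX_ESCAPED), ("plain", REGEX_PLAIN)):
        print(label, evaluate(pattern))
```

Two things stand out when you run it: the escaped regex misses a bare `Host: facebook.com` because it insists on a leading dot, while the unescaped `facebook.com` also matches a lookalike host such as `www.facebookXcom` because the bare `.` matches any character. Neither pattern matches the TLS sample, which is exactly why the policy has no effect on port 443 traffic: the header it keys on is encrypted.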
 
LVL 10

Author Comment

by:fm250
ID: 33450165
What are the other options?
 
LVL 7

Expert Comment

by:joelvp
ID: 33450191
AFAIK you have to use a 3rd party filtering server such as Websense.
 
LVL 10

Author Comment

by:fm250
ID: 33450208
Do you have an example of Websense?
 
LVL 10

Author Comment

by:fm250
ID: 33450224
Never mind the last question.
Is there a way to block all ports from a specific domain/IP?
 
LVL 7

Expert Comment

by:joelvp
ID: 33450245
Filtering on IP address is simple, but if you want to block facebook, you are not going to get all the IP addresses that facebook is running on. Or, maybe if you get them, they will change, so this is high maintenance.
An additional product is required to get this functionality.
Is that your question?
 
LVL 10

Author Comment

by:fm250
ID: 33450252
Thanks!