Block domain/website http & https cisco pix 515e ver 8.2

I am trying to block a website on the HTTP and HTTPS ports on a PIX firewall running ver 8.2.

What is wrong with the code I have that is not blocking HTTPS?
How do I block everything (all ports) from one domain?
regex domainlist1 "\.facebook\.com"
access-list inside_blocked_Domains extended permit tcp any any eq www
access-list inside_blocked_Domains extended permit tcp any any eq https

class-map type regex match-any DomainBlockList
 match regex domainlist1

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList

class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader
AppHeaderClass 
 drop-connection log

class-map httptraffic
 match access-list inside_blocked_Domains
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy

service-policy inside-policy interface inside


fm250Asked:

joelvpCommented:
see also http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
"Note: HTTPS filtering is not supported on ASA. ASA cannot do deep packet inspection or inspection based on regular expression for HTTPS traffic, because in HTTPS, content of packet is encrypted (SSL)."
0
 
joelvpCommented:
You need:

policy-map type inspect http http_inspection_policy
 parameters
 class BlockDomainsClass
  drop-connection
0
 
fm250Author Commented:
I still can get to:
https://www.facebook.com/
See my new applied config:

regex domainlist1 "\.facebook\.com"
access-list inside_blocked_Domains extended permit tcp any any eq www
access-list inside_blocked_Domains extended permit tcp any any eq https

class-map type regex match-any DomainBlockList
 match regex domainlist1

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList

class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader


policy-map type inspect http http_inspection_policy
 parameters
 class BlockDomainsClass
  drop-connection

class-map httptraffic
 match access-list inside_blocked_Domains

policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy

service-policy inside-policy interface inside


0
 
joelvpCommented:
I see no errors in this config. I have a working config with some minor differences.

This would be the following:

change:
regex domainlist1 "\.facebook\.com"
to
regex domainlist1 "facebook.com"

and
change
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
to
class-map type inspect http match-all BlockDomainsClass
 match request header host regex domainlist1

Otherwise no clues really. Do you get hits on the access-list?
0
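To make the two points in this thread concrete (the Host-header regex match, and why the same policy never sees an HTTPS session), here is an added simulation that is not part of the original thread or of any Cisco software. It mimics the `match request header host regex` / `drop-connection` behaviour on constructed sample traffic, using Python's `re` module as a stand-in for the ASA regex engine (an assumption; the ASA matches unanchored, which `re.search` reproduces). It compares the asker's `\.facebook\.com` against joelvp's suggested `facebook.com`, and shows that a TLS ClientHello carries no readable Host header at all.

```python
import re

# Constructed sample traffic (not captured from the asker's network).
def http_request(host: str) -> bytes:
    return (b"GET / HTTP/1.1\r\nHost: " + host.encode() +
            b"\r\nUser-Agent: example\r\n\r\n")

# Leading bytes of a TLS ClientHello (record header + handshake header), padded
# with filler. The Host header does not exist at this layer; it travels inside
# the encrypted stream after the handshake, so a plaintext inspector never sees it.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x9f" * 16

ASKER_PATTERNS = [r"\.facebook\.com"]   # regex domainlist1 from the question
SUGGESTED_PATTERNS = [r"facebook.com"]  # joelvp's replacement (unescaped dots match any char)

def host_header(payload: bytes):
    """Return the Host header of a plaintext HTTP/1.x request, or None when
    the payload is not a parseable request (a TLS record, for instance)."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not re.match(r"^[A-Z]+ \S+ HTTP/1\.[01]$", lines[0]):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None

def inspect_http(payload: bytes, patterns) -> str:
    """Mimic 'match request header host regex ...' plus 'drop-connection':
    'drop' when the Host header matches any pattern (unanchored search, as on
    the ASA), otherwise 'permit'. A payload with no readable Host header is
    permitted, which is why the HTTPS session in the thread gets through."""
    host = host_header(payload)
    if host is None:
        return "permit"
    return "drop" if any(re.search(p, host) for p in patterns) else "permit"

if __name__ == "__main__":
    for host in ("www.facebook.com", "facebook.com"):
        for name, pats in (("asker", ASKER_PATTERNS), ("suggested", SUGGESTED_PATTERNS)):
            print(f"http://{host}/ with {name} regex -> {inspect_http(http_request(host), pats)}")
    print("https (TLS ClientHello) ->", inspect_http(TLS_CLIENT_HELLO, SUGGESTED_PATTERNS))
```

Note that the asker's pattern requires a leading dot, so a plain `Host: facebook.com` request slips past it while joelvp's pattern catches it; neither pattern can ever fire on the TLS session.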
 
fm250Author Commented:
Is yours working with HTTPS? It would be because the domain may have HTTPS on a different port other than 443.
Also, what do you mean by: Do you get hits on the access-list?
 
Just FYI, I have changed it to what you have, and still get to the HTTPS portion.
0
 
joelvpCommented:
Ah sorry, this feature does not support HTTPS, only HTTP.
0
 
joelvpCommented:
Very annoying by the way...
0
 
fm250Author Commented:
What are the other options?
0
 
joelvpCommented:
AFAIK you have to use a 3rd party filtering server such as Websense.
0
 
fm250Author Commented:
Do you have an example of Websense?
0
 
fm250Author Commented:
Never mind the last question.
Is there a way to block all ports from a specific domain/IP?
0
 
joelvpCommented:
Filtering on IP address is simple, but if you want to block facebook, you are not going to get all the IP addresses that facebook is running on. Or, maybe if you get them, they will change, so this is high maintenance.
An additional product is required to get this functionality.
Is that your question?
0
 
fm250Author Commented:
Thanks!
0