Block domain/website http & https cisco pix 515e ver 8.2

Posted on 2010-08-16
Medium Priority
1,278 Views
Last Modified: 2013-11-16
I am trying to block a website on the http and https ports on a PIX firewall with ver 8.2 on it.

What is wrong with the code I have that is not blocking https?
How do I block everything (all ports) from one domain?
regex domainlist1 "\.facebook\.com"
access-list inside_blocked_Domains extended permit tcp any any eq www
access-list inside_blocked_Domains extended permit tcp any any eq https

class-map type regex match-any DomainBlockList
 match regex domainlist1

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList

class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader
AppHeaderClass 
 drop-connection log

class-map httptraffic
 match access-list inside_blocked_Domains
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy

service-policy inside-policy interface inside

Question by:fm250

13 Comments
 
LVL 7

Expert Comment

by:joelvp
ID: 33449791
You need:

policy-map type inspect http http_inspection_policy
 parameters
 class BlockDomainsClass
  drop-connection
0
 
LVL 10

Author Comment

by:fm250
ID: 33449963
I still can get to:
https://www.facebook.com/
See my new applied config:

regex domainlist1 "\.facebook\.com"
access-list inside_blocked_Domains extended permit tcp any any eq www
access-list inside_blocked_Domains extended permit tcp any any eq https

class-map type regex match-any DomainBlockList
 match regex domainlist1

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList

class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader


policy-map type inspect http http_inspection_policy
 parameters
 class BlockDomainsClass
  drop-connection

class-map httptraffic
 match access-list inside_blocked_Domains

policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy

service-policy inside-policy interface inside


0
 
LVL 7

Expert Comment

by:joelvp
ID: 33450031
I see no errors in this config. I have a working config with some minor differences.

This would be the following:

change:
regex domainlist1 "\.facebook\.com"
to
regex domainlist1 "facebook.com"

and
change
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
to
class-map type inspect http match-all BlockDomainsClass
 match request header host regex domainlist1

Otherwise no clues really. Do you get hits on the access-list?
0
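To see what the two regexes discussed above actually catch, here is an added Python model (not part of the thread or of Cisco's software) of the `match request header host regex` check: it pulls the Host header out of a plaintext HTTP request and applies each pattern as an unanchored search, which is assumed to be how the ASA/PIX regex match behaves. It also shows why the same check never fires on an HTTPS flow: the inspector only sees TLS records, so no Host header can be recovered. The sample requests and the TLS-looking bytes are constructed.

```python
import re

# The two regex bodies that appear in this thread.
PATTERNS = {
    "original": r"\.facebook\.com",   # asker's regex domainlist1 (escaped dots)
    "suggested": r"facebook.com",     # joelvp's suggestion ('.' left unescaped)
}


def host_header(raw_request: bytes):
    """Return the Host header value of a plaintext HTTP request, or None.

    An HTTPS flow delivers TLS records instead of this text, so the request
    line check fails (or the bytes do not even decode) and None is returned.
    """
    try:
        text = raw_request.decode("ascii")
    except UnicodeDecodeError:
        return None
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not re.match(r"^[A-Z]+ \S+ HTTP/1\.[01]$", lines[0]):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def matches_block_list(raw_request: bytes, pattern: str) -> bool:
    """Model of the class-map check: unanchored regex search on the Host header (assumption)."""
    host = host_header(raw_request)
    return host is not None and re.search(pattern, host) is not None


def build_request(host: str) -> bytes:
    """Constructed plaintext GET carrying the given Host header."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nUser-Agent: test\r\n\r\n".encode("ascii")


def compare(hosts):
    """Return {host: {pattern_name: matched}} so the two regexes can be compared side by side."""
    return {h: {n: matches_block_list(build_request(h), p) for n, p in PATTERNS.items()}
            for h in hosts}


# Constructed bytes shaped like the start of a TLS record (0x16 = handshake); no Host header inside.
TLS_LIKE = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03\x8a\x1f"
```

Note that `\.facebook\.com` misses a bare `facebook.com` Host header, while the unescaped `facebook.com` also matches look-alikes such as `notfacebook.com` or `facebookXcom.example`; neither pattern sees anything on port 443 traffic.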
 
LVL 10

Author Comment

by:fm250
ID: 33450122
Is yours working with https? It would be because the domain may have https on a different port other than 443.
Also, what do you mean by: Do you get hits on the access-list?
 
Just FYI, I have changed it to what you have, and still get to the https portion.
0
 
LVL 7

Expert Comment

by:joelvp
ID: 33450137
Ah, sorry, this feature does not support https, only http.
0
 
LVL 7

Expert Comment

by:joelvp
ID: 33450144
Very annoying, by the way.
0
 
LVL 7

Accepted Solution

by:
joelvp earned 2000 total points
ID: 33450151
See also http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
"
Note: HTTPS filtering is not supported on ASA. ASA cannot do deep packet inspection or inspection based on regular expression for HTTPS traffic, because in HTTPS, content of packet is encrypted (SSL).
"
0
 
LVL 10

Author Comment

by:fm250
ID: 33450165
What are the other options?
0
 
LVL 7

Expert Comment

by:joelvp
ID: 33450191
AFAIK you have to use a 3rd-party filtering server such as Websense.
0
 
LVL 10

Author Comment

by:fm250
ID: 33450208
Do you have an example of Websense?
0
 
LVL 10

Author Comment

by:fm250
ID: 33450224
Never mind the last question.
Is there a way to block all ports from a specific domain/IP?
0
 
LVL 7

Expert Comment

by:joelvp
ID: 33450245
Filtering on IP address is simple, but if you want to block Facebook, you are not going to get all the IP addresses that Facebook is running on. Or, maybe if you get them, they will change, so this is high maintenance.
An additional product is required to get this functionality.
Is that your question?
0
 
LVL 10

Author Comment

by:fm250
ID: 33450252
Thanks!
0