Solved

Block domain/website http & https cisco pix 515e ver 8.2

Posted on 2010-08-16
Last Modified: 2013-11-16
I am trying to block a website with http and https ports on pix firewall ver 8.2 on it.

What is wrong with the code I have that is not blocking https?
How do I block everything (all ports) from one domain?
regex domainlist1 "\.facebook\.com"
access-list inside_blocked_Domains extended permit tcp any any eq www
access-list inside_blocked_Domains extended permit tcp any any eq https

class-map type regex match-any DomainBlockList
 match regex domainlist1

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList

class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader

AppHeaderClass
 drop-connection log

class-map httptraffic
 match access-list inside_blocked_Domains
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy

service-policy inside-policy interface inside

Question by:fm250
Expert Comment by joelvp
You need:

policy-map type inspect http http_inspection_policy
 parameters
 class BlockDomainsClass
  drop-connection
 
Author Comment by fm250
I still can get to:
https://www.facebook.com/
See my new applied config:

regex domainlist1 "\.facebook\.com"
access-list inside_blocked_Domains extended permit tcp any any eq www
access-list inside_blocked_Domains extended permit tcp any any eq https

class-map type regex match-any DomainBlockList
 match regex domainlist1

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList

class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader

policy-map type inspect http http_inspection_policy
 parameters
 class BlockDomainsClass
  drop-connection

class-map httptraffic
 match access-list inside_blocked_Domains

policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy

service-policy inside-policy interface inside

 
Expert Comment by joelvp
I see no errors in this config. I have a working config with some minor differences.

This would be the following:

change:
regex domainlist1 "\.facebook\.com"
to
regex domainlist1 "facebook.com"

and
change
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
to
class-map type inspect http match-all BlockDomainsClass
 match request header host regex domainlist1

Otherwise no clues really. Do you get hits on the access-list?
 
Author Comment by fm250
Is yours working with https? It would be because the domain may have https on a different port other than 443.
Also, what do you mean by: Do you get hits on the access-list?
 
just FYI, I have changed it to what you have, and still get to the https portion.
 
Expert Comment by joelvp
Ah, sorry, this feature does not support https, only http.
 
Expert Comment by joelvp
Very annoying, by the way...
 
Accepted Solution by joelvp (earned 500 total points)
See also http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
"
Note: HTTPS filtering is not supported on ASA. ASA cannot do deep packet inspection or inspection based on regular expression for HTTPS traffic, because in HTTPS, content of packet is encrypted (SSL).
"
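The two points the thread turns on, joelvp's regex change (escaped vs. unescaped dots) and the accepted note that inspect http never sees an HTTPS request, can be checked offline with a small emulation of the `match request header host regex` logic. This is an added example, not code from the thread or from Cisco; it assumes the ASA/PIX regex treats an unescaped `.` as a wildcard and supports `^`, `|` and grouping, and it goes one step beyond the thread with a third, anchored pattern that matches both the bare and the subdomain form without matching lookalike hosts. All sample traffic is constructed.

```python
import re

# Constructed sample traffic (not captured from the original thread).
HTTP_WWW = b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\nUser-Agent: x\r\n\r\n"
HTTP_BARE = b"GET / HTTP/1.1\r\nHost: facebook.com\r\n\r\n"
HTTP_LOOKALIKE = b"GET / HTTP/1.1\r\nHost: facebook-com.example\r\n\r\n"
HTTP_OTHER = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# What the firewall sees on port 443 after the handshake: a TLS record whose
# payload is ciphertext. Constructed opaque bytes; no Host header exists here.
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(range(0x20))

# The regex variants from the thread, plus one added here that escapes the
# dots and accepts both the bare and the subdomain form (assumption: the
# firewall regex treats '.' as a wildcard and supports ^, | and grouping).
REGEX_ESCAPED = r"\.facebook\.com"     # original: needs a leading dot
REGEX_LOOSE = r"facebook.com"          # suggested: unescaped '.' matches any char
REGEX_ANCHORED = r"(^|\.)facebook\.com"


def host_header(raw: bytes):
    """Return the Host header of a plaintext HTTP request, or None when the
    bytes carry no readable header block (e.g. TLS ciphertext)."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    for line in head.split(b"\r\n")[1:]:       # skip the request line
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def matches_blocklist(raw: bytes, pattern: str) -> bool:
    """Emulate 'match request header host regex': search the Host value.
    Returns False when no Host header is visible, which is the HTTPS case:
    the inspect http class never sees the encrypted request."""
    host = host_header(raw)
    return host is not None and re.search(pattern, host) is not None


if __name__ == "__main__":
    samples = {"www": HTTP_WWW, "bare": HTTP_BARE, "lookalike": HTTP_LOOKALIKE,
               "other": HTTP_OTHER, "tls": TLS_RECORD}
    for name, pat in [("escaped", REGEX_ESCAPED), ("loose", REGEX_LOOSE),
                      ("anchored", REGEX_ANCHORED)]:
        hits = [s for s, raw in samples.items() if matches_blocklist(raw, pat)]
        print(f"{name:9s} {pat!r:24s} blocks: {hits}")
```

The output makes the thread's two findings concrete: the escaped pattern misses the bare `facebook.com` host, the loose pattern also catches `facebook-com.example`, and none of the three patterns ever fires on the TLS record.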
 
Author Comment by fm250
What are the other options?
 
Expert Comment by joelvp
AFAIK you have to use a 3rd party filtering server such as Websense.
 
Author Comment by fm250
Do you have an example of Websense?
 
Author Comment by fm250
Never mind the last question.
Is there a way to block all ports from a specific domain/IP?
 
Expert Comment by joelvp
Filtering on IP address is simple, but if you want to block facebook, you are not going to get all the IP addresses where facebook is running. Or, maybe if you get them, they will change, so this is high maintenance.
An additional product is required to get this functionality.
Is that your question?
 
Author Comment by fm250
Thanks!