Solved

Block domain/website http & https cisco pix 515e ver 8.2

Posted on 2010-08-16
1,227 Views
Last Modified: 2013-11-16
I am trying to block a website on both its http and https ports on a PIX firewall running ver 8.2.

What is wrong with the code I have that is not blocking https?
How do I block everything (all ports) from one domain?
regex domainlist1 "\.facebook\.com"

access-list inside_blocked_Domains extended permit tcp any any eq www
access-list inside_blocked_Domains extended permit tcp any any eq https

class-map type regex match-any DomainBlockList
 match regex domainlist1

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList

class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader

AppHeaderClass
 drop-connection log

class-map httptraffic
 match access-list inside_blocked_Domains

policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy

service-policy inside-policy interface inside

Question by: fm250
Expert Comment by joelvp (ID: 33449791)

You need:

policy-map type inspect http http_inspection_policy
 parameters
 class BlockDomainsClass
  drop-connection
 
Author Comment by fm250 (ID: 33449963)

I can still get to:
https://www.facebook.com/
See my new applied config:

regex domainlist1 "\.facebook\.com"

access-list inside_blocked_Domains extended permit tcp any any eq www
access-list inside_blocked_Domains extended permit tcp any any eq https

class-map type regex match-any DomainBlockList
 match regex domainlist1

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList

class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader

policy-map type inspect http http_inspection_policy
 parameters
 class BlockDomainsClass
  drop-connection

class-map httptraffic
 match access-list inside_blocked_Domains

policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy

service-policy inside-policy interface inside
 
Expert Comment by joelvp (ID: 33450031)

I see no errors in this config. I have a working config with some minor differences.

This would be the following:

change:
regex domainlist1 "\.facebook\.com"
to
regex domainlist1 "facebook.com"

and
change
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
to
class-map type inspect http match-all BlockDomainsClass
 match request header host regex domainlist1

Otherwise no clues really. Do you get hits on the access-list?
 
Author Comment by fm250 (ID: 33450122)

Is yours working with https? It would be because the domain may have https on a different port other than 443.
Also, what do you mean by: Do you get hits on the access-list?

Just FYI, I have changed it to what you have, and I still get to the https portion.
 
Expert Comment by joelvp (ID: 33450137)

Ah, sorry, this feature does not support https, only http.
 
Expert Comment by joelvp (ID: 33450144)

Very annoying, by the way.
Accepted Solution by joelvp (earned 500 total points, ID: 33450151)

See also http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
"Note: HTTPS filtering is not supported on ASA. ASA cannot do deep packet inspection or inspection based on regular expression for HTTPS traffic, because in HTTPS, content of packet is encrypted (SSL)."
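An added example (Python, written for this page; it is not code from the thread or from Cisco) that models the decision the posted class-map/policy-map chain makes, to show why the accepted answer holds and what joelvp's regex change (comment ID 33450031) trades off: the access-list selects tcp/80 and tcp/443, but only a cleartext request exposes a Host header for the regex to run against, and an unescaped dot in "facebook.com" matches any character. The port sets, the simplified verdict logic and the sample Host headers are constructed assumptions.

```python
import re
from typing import Optional

# Constructed model of the thread's MPF chain (added example, not thread config):
# access-list inside_blocked_Domains selects tcp/80 and tcp/443, but the
# "inspect http" engine only parses cleartext HTTP, so the host-header regex
# is evaluated for port 80 requests and never for port 443 (TLS) sessions.
CLASSIFIED_PORTS = {80, 443}   # eq www / eq https in the access-list
INSPECTED_PORTS = {80}         # where the request Host header is readable

QUESTION_PATTERN = r"\.facebook\.com"   # regex domainlist1 as posted by fm250
EXPERT_PATTERN = "facebook.com"         # joelvp's suggested replacement


def connection_verdict(dst_port: int, host_header: Optional[str], pattern: str) -> str:
    """Decide 'drop' or 'permit' the way the posted policy-map chain would.

    host_header is None for HTTPS: the Host header travels inside the TLS
    record, so the inspection engine has nothing to run the regex against.
    ASA regexes are unanchored, hence re.search rather than re.fullmatch.
    """
    if dst_port not in CLASSIFIED_PORTS:
        return "permit"          # class-map httptraffic never selects it
    if dst_port not in INSPECTED_PORTS or host_header is None:
        return "permit"          # inspect http cannot see the request
    return "drop" if re.search(pattern, host_header) else "permit"


def compare_patterns(hosts):
    """Verdict of each candidate regex for cleartext requests to the given Hosts."""
    return {h: (connection_verdict(80, h, QUESTION_PATTERN),
                connection_verdict(80, h, EXPERT_PATTERN)) for h in hosts}


if __name__ == "__main__":
    # Constructed sample Host headers: the posted regex misses a bare
    # "facebook.com" Host, while the unescaped suggestion also hits look-alikes.
    samples = ["www.facebook.com", "facebook.com", "facebookXcom.example"]
    for host, (posted, suggested) in compare_patterns(samples).items():
        print(f"{host:24} posted regex: {posted:6}  suggested regex: {suggested}")
    # tcp/443: the ACL selects it, but nothing is readable to match against.
    print("https://www.facebook.com/ ->", connection_verdict(443, None, QUESTION_PATTERN))
```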
 
Author Comment by fm250 (ID: 33450165)

What are the other options?
 
Expert Comment by joelvp (ID: 33450191)

AFAIK you have to use a 3rd party filtering server such as Websense.
 
Author Comment by fm250 (ID: 33450208)

Do you have an example of Websense?
 
Author Comment by fm250 (ID: 33450224)

Never mind the last question.
Is there a way to block all ports from a specific domain/IP?
 
Expert Comment by joelvp (ID: 33450245)

Filtering on IP address is simple, but if you want to block facebook, you are not going to get all the IP addresses that facebook is running on. Or, maybe if you get them, they will change, so this is high maintenance.
An additional product is required to get this functionality.
Is that your question?
 
Author Comment by fm250 (ID: 33450252)

Thanks!