1. Create a class-map to identify the traffic to be inspected.
Config: access-list tcp_filter1 permit tcp 192.168.1.0 255.255.255.0 any eq www
Config: class-map tcp_filter_class1
Config-cmap: match access-list tcp_filter1 # the class-map matches the traffic permitted by the access list
Exit
// Define a regular expression named url1 that matches the URL suffix ".games.com"
Config: regex url1 "\.games\.com"
// Create a class-map named url_class1 with the regex type
Config: class-map type regex match-any url_class1 # match-any: a match on any one entry is enough
Config-cmap: match regex url1
Exit
// Create a class-map named http_url_class1 of type inspect http to check HTTP traffic
Config: class-map type inspect http http_url_class1
Config-cmap: match request header host regex class url_class1
2. Create policy-map and associate it with class-map.
Config: policy-map type inspect http http_url_policy1
Config-pmap: class http_url_class1 # Call the previously created class-map
Config-pmap-c: drop-connection log # drop data packets, close the connection, and send system logs
Exit
Exit
Config: policy-map inside_http_url_policy
Config-pmap: class tcp_filter_class1 # Call the previously created class-map
Config-pmap-c: inspect http http_url_policy1 # Check http traffic
Exit
Exit
3. Apply policy-map to the interface.
Config: service-policy inside_http_url_policy interface inside
Note: Only one policy-map can be applied to an interface.
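An added example (not part of the original article and not Cisco code): a Python check, run before deployment, of which Host header values the url1 pattern covers. It uses Python's re module as a stand-in for the ASA regex engine, an assumption that holds for this simple pattern; the sample requests and function names are constructed for illustration.

```python
import re

# Pattern from the "regex url1" line of the configuration above.
URL1 = r"\.games\.com"

def make_request(host):
    """Build a minimal HTTP/1.1 request (constructed sample input)."""
    return ("GET / HTTP/1.1\r\nHost: %s\r\nUser-Agent: test\r\n\r\n" % host).encode()

# Constructed Host values covering the cases worth checking.
SAMPLE_REQUESTS = [make_request(h) for h in (
    "www.games.com",              # intended target
    "games.com",                  # bare domain: no leading dot to match
    "www.games.com.example.org",  # pattern is not anchored at the end
    "mygames.com",                # no dot before "games"
    "shop.games.com:8080",        # Host value may carry a port
    "www.example.com",            # unrelated site
)]

def host_header(raw):
    """Return the Host header value of a raw HTTP/1.x request, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None

def would_drop(raw, patterns=(URL1,)):
    """Mirror 'match-any' on the Host header: any matching regex means drop."""
    host = host_header(raw)
    if host is None:
        return False
    return any(re.search(p, host) for p in patterns)

def report(requests=SAMPLE_REQUESTS):
    """List (host, dropped) pairs so coverage gaps and over-matches are visible."""
    return [(host_header(r), would_drop(r)) for r in requests]

if __name__ == "__main__":
    for host, dropped in report():
        print("%-28s %s" % (host, "drop" if dropped else "pass"))
```

The bare domain passes and the longer host name ending in example.org is dropped, so add a second regex to url_class1 or anchor the pattern if either result is not what the policy intends.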
This article is from the "I Am a rookie I am afraid of who" blog; please be sure to keep this source: http://jialeide.blog.51cto.com/5597512/1304588