ASA URL Filtering (Advanced Packet Filtering)

Source: Internet
Author: User

Requirement: hosts in 192.168.0.0/24 may access the website www.out.com but must not be able to access the website www.kkgame.com.
ASA# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif outside
 security-level 0
 ip address 100.0.0.2 255.255.255.252
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2745OAJS2l2oSQqc encrypted
regex urll "\.out\.com"
ftp mode passive
access-list 10 standard permit any
access-list dmz-to-inside extended permit tcp any host 192.168.1.2 eq www
access-list out-to-in extended permit tcp any host 192.168.1.2 eq www
access-list tcp-in extended permit tcp 192.168.0.0 255.255.255.0 any eq www
access-list out-to-dmz extended permit tcp any host 192.168.2.2 eq www
access-list dmz-to-out extended permit tcp any host 100.0.0.1 eq www
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group out-to-dmz in interface outside
access-group dmz-to-out in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map type regex match-any urll-out
 match regex urll
class-map tcp-inside
 match access-list tcp-in
class-map type inspect http match-all http-urll-out
 match not request header host regex class urll-out
!
!
policy-map type inspect http http-url-out
 parameters
 class http-urll-out
  drop-connection log
policy-map inside-http-url-out
 class tcp-inside
  inspect http http-url-out
!
service-policy inside-http-url-out interface inside
prompt hostname context
Cryptochecksum:b8f570c38a4cd2ded04312c6fcf89010
: end
 
Specific configuration:
Restrict the specified hosts so that they can only access websites under the .out.com domain, and deny access to all other websites. The regex object matches the Host header; the HTTP inspection class uses match not, so every request whose Host header does not match is dropped and logged.
access-list tcp-filter extended permit tcp 192.168.0.0 255.255.255.240 any eq www
class-map tcp-filter-class
match access-list tcp-filter
exit
regex urll "\.out\.com"
class-map type regex match-any url-class
match regex urll
exit
class-map type inspect http match-all http-url-class
match not request header host regex class url-class
exit
policy-map type inspect http http-url-policy
class http-url-class
drop-connection log
exit
exit
policy-map inside-http-url-policy
class tcp-filter-class
inspect http http-url-policy
exit
exit
service-policy inside-http-url-policy interface inside
 
A client in the specified segment can now reach www.out.com but not www.kkgame.com: for any HTTP request whose Host header does not match the regex, the connection is dropped and the drop is logged. A client outside that segment is not matched by class-map tcp-filter-class, so the HTTP inspection is never applied and both websites remain reachable.
Three things to check before relying on this. First, the mask 255.255.255.240 in access-list tcp-filter covers only 192.168.0.0 to 192.168.0.15 (a /28), not the 192.168.0.0/24 stated in the requirement; use 255.255.255.0 for the whole segment. Second, only cleartext HTTP to port 80 is inspected: HTTPS is not matched by the access-list, and even if it were, the hostname is carried inside TLS where inspect http cannot read the Host header, so HTTPS traffic is neither filtered nor blocked by this policy. Third, the regex \.out\.com is unanchored and matches anywhere in the Host header, so a request for a host such as www.out.com.example.net is also allowed; make the regex as specific as the requirement permits.

 
Allow all hosts to access only www.kkgame.com (any request with a different Host header is dropped):
access-list tcp-filter2 extended permit tcp any any eq www
class-map tcp-filter-class2
match access-list tcp-filter2
exit
regex url2 "\.kkgame\.com"
class-map type regex match-any url-class2
match regex url2
exit
class-map type inspect http match-all http-url-class2
match not request header host regex class url-class2
exit
policy-map type inspect http http-url-policy2
class http-url-class2
drop-connection log
exit
exit
policy-map inside-http-url-policy
class tcp-filter-class2
inspect http http-url-policy2
exit
exit
service-policy inside-http-url-policy interface inside
Because the policy-map name inside-http-url-policy is reused, this adds class tcp-filter-class2 to the policy map that already holds tcp-filter-class, and the service-policy already bound to the inside interface picks up the change (the final service-policy line is already in place from the first step). Classes in a policy map are evaluated in order and only one inspect action is applied per connection, so hosts matched by access-list tcp-filter still get the .out.com rule, while every other host is limited to www.kkgame.com.
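To make the decision logic of the two policies above concrete, here is an added example: a small Python model written for this page, not ASA code and not from the original post. It mimics what the configuration does to one connection: the access-list (source network plus destination port 80) decides whether HTTP inspection runs at all, and the inspection class drops any request whose Host header does not match the regex. It assumes the ASA's first-matching-class rule inside the policy map and treats a request without a Host header as a non-match; the addresses, policy names and HTTP requests are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


# Hypothetical model of one "class <L3/4 class> / inspect http <policy>" pair.
@dataclass(frozen=True)
class UrlPolicy:
    name: str                # the L3/4 class-map name
    client_net: str          # source of the tcp-filter access-list
    allowed_host_regex: str  # the 'regex' object; unanchored, as on the page


# Order matters: the ASA applies the first class in the policy map that matches
# the connection for a given feature (here, HTTP inspection).
POLICY_MAP: List[UrlPolicy] = [
    UrlPolicy("tcp-filter-class", "192.168.0.0/28", r"\.out\.com"),    # access-list tcp-filter
    UrlPolicy("tcp-filter-class2", "0.0.0.0/0", r"\.kkgame\.com"),     # access-list tcp-filter2
]


def host_header(raw_request: bytes) -> Optional[str]:
    """Return the Host header of a cleartext HTTP/1.x request, or None if absent."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def inspect(policy_map: List[UrlPolicy], src_ip: str, dst_port: int, raw_request: bytes) -> str:
    """Classify one connection as 'permit', 'drop' or 'not-inspected'."""
    for policy in policy_map:
        # L3/4 class-map: the access-list must match before 'inspect http' runs.
        if dst_port == 80 and ip_address(src_ip) in ip_network(policy.client_net):
            host = host_header(raw_request)
            # 'match not request header host regex class X' + 'drop-connection log'.
            # Assumption: a missing Host header counts as a non-match and is dropped.
            if host is None or re.search(policy.allowed_host_regex, host) is None:
                return "drop"
            return "permit"
    # No class matched, e.g. HTTPS on 443: the hostname is inside TLS and the
    # access-list never matches, so the interface's normal rules apply instead.
    return "not-inspected"


def request_for(host: str) -> bytes:
    """Constructed sample request (not captured traffic)."""
    return b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\nUser-Agent: test\r\n\r\n"


def demo() -> List[str]:
    """Run constructed cases through the combined policy map."""
    cases = [
        ("192.168.0.5", 80, request_for("www.out.com")),                  # in /28, allowed host
        ("192.168.0.5", 80, request_for("www.kkgame.com")),               # in /28, other host
        ("192.168.0.200", 80, request_for("www.kkgame.com")),             # outside /28, kkgame rule
        ("192.168.0.200", 80, request_for("www.out.com")),                # outside /28, other host
        ("192.168.0.5", 80, request_for("www.out.com.attacker.example")), # unanchored regex
        ("192.168.0.5", 443, request_for("www.kkgame.com")),              # HTTPS: never inspected
    ]
    return [inspect(POLICY_MAP, src, port, req) for src, port, req in cases]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running demo() reproduces the behaviour described on the page: permit for www.out.com and drop for www.kkgame.com from a 192.168.0.0/28 client, the reverse for any other client once the second policy is added, and an uninspected HTTPS connection. The fifth case is the caveat from the first step made visible: because the regex is unanchored, www.out.com.attacker.example is also permitted. Passing only POLICY_MAP[:1] to inspect() models the state after the first step alone, where a client outside the /28 is not inspected at all.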
 
 
 
 
To remove the whole configuration and start again:
clear configure service-policy
clear configure policy-map
clear configure class-map
clear configure regex
clear configure access-list
These commands are not limited to the URL filter: clear configure access-list removes every access list on the device, including out-to-dmz and dmz-to-out that are bound to interfaces, and clear configure policy-map and clear configure class-map remove every policy map and class map. To remove only the URL filter, use the no form of the individual commands instead (no service-policy inside-http-url-policy interface inside, no policy-map inside-http-url-policy, and so on).
This article is from the "Flying hope" blog
