Domain-based URL filtering on the ASA firewall

Source: Internet
Author: User

Experiment


Experimental topology diagram:

[Image 1.jpg (topology diagram): http://s3.51cto.com/wyfs02/M01/5C/15/wKioL1UaedbRN4XgAACgbIamcMM749.jpg]

Lab Environment:

Build a web server and a DNS service on a Windows Server 2008 host, and create two web sites under the domain names benet.com and accp.com.

Experimental requirements:

First confirm that the client can reach both web sites on the server; then configure URL filtering on the firewall so that the client can no longer reach the accp.com site while benet.com stays reachable.

Experimental steps:


First, configure the name and IP address of each zone interface on the ASA firewall:

ciscoasa(config)# interface e0/0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.10.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface e0/1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 13.0.0.1 255.255.255.0
ciscoasa(config-if)# no shutdown

Create the two sites on the server, specifying each site's content directory and host name:


To create a accp.com Web site:

[Image 2.jpg (creating the accp.com site): http://s3.51cto.com/wyfs02/M01/5C/1A/wKiom1UaeMeA9mIxAAFC5fjn9dY413.jpg]

To create a benet.com Web site:


[Image 3.jpg (creating the benet.com site): http://s3.51cto.com/wyfs02/M02/5C/15/wKioL1UaehHwc9StAADpDGyTmNY123.jpg]



Create the DNS host (A) records for both names:

[Image 4.jpg (A record for accp.com): http://s3.51cto.com/wyfs02/M02/5C/1A/wKiom1UaePmwcYqlAAFCnVoJXzM339.jpg]

[Image 5.jpg (A record for benet.com): http://s3.51cto.com/wyfs02/M00/5C/15/wKioL1UaekCyMXJYAAFAU8X04tg740.jpg]


Test that the client can reach both sites:


[Image 6.jpg (client reaching the first site): http://s3.51cto.com/wyfs02/M00/5C/1A/wKiom1UaeR3S6N41AABwjXnzvP8676.jpg]

[Image 7.jpg (client reaching the second site): http://s3.51cto.com/wyfs02/M01/5C/15/wKioL1UaelriAhzjAABztMFgQAo324.jpg]


Both sites are reachable before filtering is configured.

Next, configure URL filtering on the firewall so that the client can no longer reach the accp.com web site.

Configuration on the ASA:

URL filtering takes three steps: a class-map that identifies the traffic, a policy-map that says what to do with it, and a service-policy that applies the policy to an interface.

1. Create the class-maps that identify the traffic.

ciscoasa(config)# access-list aclfile permit tcp 192.168.10.0 255.255.255.0 any    // define the access control list aclfile: TCP traffic from the inside subnet.
ciscoasa(config)# class-map aclclass    // build the Layer 3/4 class map aclclass.
ciscoasa(config-cmap)# match access-list aclfile    // select the traffic matched by the access control list.
ciscoasa(config)# regex URL "\.accp\.com"    // define the regular expression for the site that must not be reached.
ciscoasa(config)# class-map type regex match-any urlclass    // build the regex class map urlclass; match-any means any one of its regexes is enough.
ciscoasa(config-cmap)# match regex URL    // reference the regular expression.
ciscoasa(config-cmap)# exit
ciscoasa(config)# class-map type inspect http httpclass    // build the HTTP inspection class map.
ciscoasa(config-cmap)# match request header host regex class urlclass    // match the Host header of each request against urlclass.

2. Create the policy-maps and associate the class-maps with them.

ciscoasa(config)# policy-map type inspect http httppolicy    // build the HTTP inspection policy map.
ciscoasa(config-pmap)# class httpclass    // reference the class map that checks the Host header.
ciscoasa(config-pmap-c)# drop-connection log    // drop the connection and log the event.
ciscoasa(config)# policy-map insidepolicy    // build the Layer 3/4 policy map that acts on the ACL-selected traffic.
ciscoasa(config-pmap)# class aclclass    // reference the ACL class map.
ciscoasa(config-pmap-c)# inspect http httppolicy    // run HTTP inspection on that traffic using the policy defined above.

3. Apply the policy-map to an interface with a service-policy.

ciscoasa(config)# service-policy insidepolicy interface inside    // apply the policy on the inside interface.

Two points to keep in mind with this design. The access-list selects every TCP connection from the inside subnet, so HTTP inspection is attempted on all of it; restricting the access-list to TCP port 80 limits inspection to the traffic it is meant for. The regex "\.accp\.com" is an unanchored search against the Host header value, so it also matches a name such as www.accp.com.example and does not match the bare name accp.com; the inspection sees only plaintext HTTP, so an HTTPS connection, or a request sent directly to the server's IP address, carries no matching Host header and is not blocked.
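To see exactly which Host headers the page's pattern catches, the following Python script is an added example (not ASA code and not from the original post). It extracts the Host header from constructed raw HTTP requests, applies the page's regex the way the inspection class does (an unanchored search), and compares it with a tighter, anchored pattern that is this example's own suggestion. The requests, the address 192.0.2.10 standing in for the web server, and the hosts www.accp.com.example and www.accp.com:8080 are all constructed for the demonstration.

```python
import re

# Pattern from the page's ASA line:  regex URL "\.accp\.com"
# The ASA applies it as an unanchored search, so re.search() is the analogue.
PAGE_PATTERN = r"\.accp\.com"

# Tighter pattern (this example's suggestion, not from the page): anchored at
# both ends, accepts the bare domain or any chain of labels under it, and
# tolerates the optional :port suffix a browser puts in the Host header.
TIGHT_PATTERN = r"^([a-z0-9-]+\.)*accp\.com(:[0-9]+)?$"

# Constructed sample requests. 192.0.2.10 is a placeholder for the web
# server's address, which the page does not give.
SAMPLES = {
    "www.accp.com": b"GET / HTTP/1.1\r\nHost: www.accp.com\r\n\r\n",
    "accp.com": b"GET / HTTP/1.1\r\nHost: accp.com\r\n\r\n",
    "www.accp.com:8080": b"GET / HTTP/1.1\r\nHost: www.accp.com:8080\r\n\r\n",
    "www.accp.com.example": b"GET / HTTP/1.1\r\nHost: www.accp.com.example\r\n\r\n",
    "www.benet.com": b"GET / HTTP/1.1\r\nHost: www.benet.com\r\n\r\n",
    "192.0.2.10": b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
}


def host_header(raw_request):
    """Return the Host header value of a raw HTTP/1.x request, or None.

    Mirrors what `match request header host` looks at: only the header
    value, not the request path and not the destination IP address.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def verdict(raw_request, pattern):
    """'drop' if the class would match (drop-connection), else 'allow'."""
    host = host_header(raw_request)
    if host is None:
        return "allow"  # no Host header, nothing for the class to match
    return "drop" if re.search(pattern, host) else "allow"


def evaluate(pattern, samples=SAMPLES):
    """Run every sample request through one pattern; return {name: verdict}."""
    return {name: verdict(req, pattern) for name, req in samples.items()}


def differences(samples=SAMPLES):
    """Hosts on which the page's pattern and the tight pattern disagree."""
    page = evaluate(PAGE_PATTERN, samples)
    tight = evaluate(TIGHT_PATTERN, samples)
    return {h: (page[h], tight[h]) for h in samples if page[h] != tight[h]}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:22} page:{verdict(req, PAGE_PATTERN):6} "
              f"tight:{verdict(req, TIGHT_PATTERN)}")
```

Running it shows the two gaps in the page's pattern: the bare name accp.com is allowed through, and the unrelated host www.accp.com.example is dropped. Both patterns allow the request addressed to the IP 192.0.2.10, which is the bypass the inspection cannot close on its own; blocking the server's address in the access-list, or making sure the server only serves the site for its proper host name, has to cover that case.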

Test again from the client by browsing to the accp.com web site:


[Image 8.jpg (accp.com now unreachable from the client): http://s3.51cto.com/wyfs02/M00/5C/15/wKioL1UaenfQRbsyAAEN5Ob_2y0392.jpg]


The browser reports the site as unreachable: the ASA dropped the connection once it saw the accp.com Host header.

Experiment completed


This article is from the "Joint efforts, common progress ~~" blog; please keep this source: http://9067358.blog.51cto.com/9057358/1627040
