URL filtering based on ASA firewall

Source: Internet
Author: User

The following describes the experiment procedure. On SW1 and SW2 only the routing function needs to be disabled; all remaining work is done on the ASA firewall. Begin by loading the ASA's startup-config configuration file.

Configure the ASA interfaces: give each interface its IP address and its zone (the nameif and security-level), then configure NAT for the inside network.

After the configuration is complete, hosts in the different zones can reach each other. Next, check the IP address configuration of the client. The client's Local Area Connection 2 (the loopback adapter) is configured as follows.

Next, check the IP address configuration of the Linux server. First confirm that the VMnet1 adapter is the one connected to the topology, and set the host's VMnet1 adapter to obtain an address automatically.

Edit the IP address, subnet mask and gateway address of the Linux server.

Next, set up the DNS service: disable the firewall and SELinux (acceptable for this lab, not for a production server), install the DNS service, and edit the DNS service configuration file.
Note that both the accp.com. and benet.com. zones must be declared in the zone section of the main configuration file, and each zone file must carry the A record for its web host. Then restart the DNS service and verify from the host that both domain names resolve correctly.

The following figure shows how to configure the Apache service. It is installed by default, so you only need to start the service. Some warnings are printed when the service is started directly; they do not affect the use of the Apache service.

Switch to the /etc/httpd/conf.d/ directory and define the two web sites as name-based virtual hosts, one per host name.
Use the client's browser to open each domain name and confirm that both sites load. What follows is filtering out the accp website by matching its URL domain name on the ASA firewall.

The following are the highlights of today: URL filtering on the ASA. First create a class-map that identifies the traffic to be inspected. The ACL aclfile matches plain HTTP (TCP port 80) from the inside network; use your own inside network segment here rather than copying 192.168.100.0/24.

  access-list aclfile extended permit tcp 192.168.100.0 255.255.255.0 any eq 80
  class-map aclclass
   match access-list aclfile

Before defining the regular expression, decide which keyword of the domain name the URL must contain. The dots are escaped with backslashes; do not write forward slashes.

  regex url "\.accp\.com"

Create a regex class-map urlclass that references the regular expression:

  class-map type regex match-any urlclass
   match regex url

Create an HTTP inspection class-map that checks whether the Host header of the HTTP request matches urlclass. The name given after "regex class" must be exactly the name of the regex class-map defined above:

  class-map type inspect http httpclass
   match request header host regex class urlclass

Create the policy-maps and associate them with the class-maps. A matching connection is either allowed or dropped. The Layer 3/4 policy is normally applied to the inside interface; only one service policy can be applied per interface (plus one global policy).

  policy-map type inspect http httppolicy
   class httpclass
    drop-connection log

  policy-map insidepolicy
   class aclclass
    inspect http httppolicy

  service-policy insidepolicy interface inside

In httppolicy, class httpclass calls the inspection class-map that checks the HTTP header and drop-connection log drops the connection and records a log message. In insidepolicy, class aclclass calls the class-map built on the access control list, and inspect http httppolicy applies the HTTP inspection policy to that traffic. The last line applies insidepolicy to the inside interface.

Now access both sites again; clear the browser cache first so that the result is not served from the cache.

On this visit the benet website can still be accessed normally, while the accp website can no longer be accessed and the ASA logs the dropped connection.
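To make the matching rules concrete, here is an added Python model of the policy configured above. It is an illustration written for this page, not code from the original article and not ASA code. It assumes that the ASA applies the regex as an unanchored search over the Host header value and that only traffic matching the Layer 3/4 class is ever HTTP-inspected; the client addresses, the stricter alternative pattern and the sample requests are constructed for the example. It goes one step beyond the page by comparing the page's pattern with an anchored one.

```python
"""Model of the ASA URL-filtering policy from the lab (added example).

Assumptions, not facts from the page: the regex is an unanchored search
over the Host header value; the sample requests, client addresses and the
strict pattern below are constructed for illustration.
"""
import ipaddress
import re

# From the page's ACL: inside clients on 192.168.100.0/24 talking to TCP 80.
INSIDE_NET = ipaddress.ip_network("192.168.100.0/24")
HTTP_PORT = 80

# The page's pattern: regex url "\.accp\.com" (unanchored substring match).
PAGE_PATTERNS = (r"\.accp\.com",)

# A tighter alternative (assumption: uses only metacharacters the ASA regex
# syntax supports; confirm on the ASA with "test regex"). It anchors the match
# to the whole host name, accepts the bare domain and an optional port, and
# rejects look-alikes such as www.accp.com.evil.net.
STRICT_PATTERNS = (r"^(.*\.)?accp\.com(:[0-9]+)?$",)


def acl_permits(src_ip: str, dst_port: int) -> bool:
    """Layer 3/4 class aclclass: only this traffic is sent to HTTP inspection."""
    return ipaddress.ip_address(src_ip) in INSIDE_NET and dst_port == HTTP_PORT


def host_header(raw_request: bytes):
    """Return the Host header value of an HTTP/1.x request, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def regex_class_matches(patterns, text: str) -> bool:
    """class-map type regex match-any: a hit if any pattern matches."""
    return any(re.search(p, text) for p in patterns)


def verdict(src_ip: str, dst_port: int, raw_request: bytes,
            patterns=PAGE_PATTERNS) -> str:
    """Outcome for one connection: 'drop', 'permit' or 'not-inspected'.

    'not-inspected' means the packet never matched class aclclass, so
    inspect http (and with it the Host check) is never applied to it.
    """
    if not acl_permits(src_ip, dst_port):
        return "not-inspected"
    host = host_header(raw_request)
    if host is not None and regex_class_matches(patterns, host):
        return "drop"          # drop-connection log in policy-map httppolicy
    return "permit"


def request(host: str) -> bytes:
    """Build a minimal constructed GET request carrying the given Host header."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nUser-Agent: lab\r\n\r\n".encode("ascii")


# Constructed cases: (client IP, destination port, Host header).
CASES = [
    ("192.168.100.20", 80, "www.accp.com"),           # the site to block
    ("192.168.100.20", 80, "www.benet.com"),          # must stay reachable
    ("192.168.100.20", 80, "accp.com"),               # bare domain: no leading dot
    ("192.168.100.20", 80, "www.accp.com.evil.net"),  # look-alike host
    ("192.168.100.20", 443, "www.accp.com"),          # HTTPS: not in the ACL
    ("10.0.0.5", 80, "www.accp.com"),                 # client outside the ACL
]


def compare(cases=CASES):
    """Run each case through the page's regex and the strict one."""
    rows = []
    for src, port, host in cases:
        rows.append((host, port,
                     verdict(src, port, request(host)),
                     verdict(src, port, request(host), STRICT_PATTERNS)))
    return rows


if __name__ == "__main__":
    print(f"{'Host header':26} {'port':>4}  {'page regex':14} {'strict regex':14}")
    for host, port, page, strict in compare():
        print(f"{host:26} {port:>4}  {page:14} {strict:14}")
```

Two things the table makes visible: the page's pattern requires a leading dot, so a request for the bare name accp.com passes the filter, while any host that merely contains ".accp.com" (including a look-alike under another domain) is dropped; and anything not matched by the ACL, such as HTTPS on port 443, is never inspected at all, because the Host header is inside TLS. On the ASA itself the equivalent check of a pattern against a sample string is the test regex command (test regex input_text regular_expression), which reports whether the match succeeds.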


Experiment conclusion: URL filtering could also be done in the hosts file of each host, but that requires an entry on every internal client and server, the workload is large, and a hosts file is easy to tamper with. Filtering on the ASA firewall is therefore both more convenient and more secure. Keep in mind what this policy covers: the ACL only sends TCP port 80 to HTTP inspection, so HTTPS is not filtered (the Host header is encrypted inside TLS), and the regex is an unanchored match on the Host header, so it catches any host name that contains ".accp.com" and misses the bare name accp.com.

The filter statements on the ASA, the class-map and policy-map types, and the names referenced between them must not be mixed up: each class must be called by its exact name in the policy that uses it. Be careful and double-check every reference.