URL address filtering based on ASA firewall

Source: Internet
Author: User

[Picture 1.png]

Proceed directly to the experimental process. On SW1 and SW2 only the routing function needs to be turned off. The following operations are on the ASA firewall, starting from the ASA's startup-config configuration file.

[Picture 2.png]

Then configure the IP addresses of the ASA firewall interfaces, set the appropriate security zones, and configure NAT address translation.

[Picture 3.png]

At this point the configuration is complete and the devices can reach each other. Next, check the client's IP address configuration; the configuration of the Local Area Connection 2 loopback network card is as follows.

[Picture 4.png]

Then check the Linux server's IP address configuration. First check the network card connected to VMnet1 against the topology map; on the host, VMnet1 is set to obtain an address automatically.

[Picture 5.png]

Edit the IP address, subnet mask, and gateway address of the Linux server.

[Picture 6.png]

Then set up the DNS service: shut down the firewall and SELinux, install the DNS service, and edit the DNS service configuration file. The detailed DNS process is described at http://zhang2015.blog.51cto.com/9735109/1661890.

[Picture 7.png]

Note that two zone record files (such as accp.com.zone) must be configured for the DNS service; resolution can be verified with host.

[Picture 8.png]

Here is the configuration of the Apache service. It is installed by default, so it only needs to be started. Starting it directly prints some warnings, but these messages do not affect use of the Apache service.

[Picture 9.png]

Next switch to the /etc/httpd/conf.d/ directory and edit two web sites based on different host names. The configuration process can be seen at http://zhang2015.blog.51cto.com/9735109/1670759.

[Picture 10.png]

Now you can use the client's browser and enter the domain names for access testing. The next thing I do is configure URL filtering on the ASA firewall to block the ACCP site.

[Picture 11.png]

Here is the highlight of the day: URL filtering. Create a class-map (class map) to identify the traffic flow, as in the following diagram.

access-list aclfile extended permit tcp 192.168.100.0 255.255.255.0 any eq www    // define ACL access control list aclfile; pay attention to your own network segment, do not copy blindly (the port "www" is assumed here: the original line ends at "eq" and the policy below inspects HTTP)

class-map aclclass    // build class map aclclass

match access-list aclfile    // match the access control list

Before the regular expression is defined, determine the (domain name) keyword contained in the URL.

regex url "\.accp\.com"    // pay attention to the backslash, do not write it the other way round

Create the class-map urlclass and call the matching regular expression.

class-map type regex match-any urlclass

match regex url

Create an inspection class map for HTTP traffic, which checks the request header of the HTTP traffic.

class-map type inspect http httpclass

match request header host regex class urlclass    // calls the previously configured urlclass; the items inside the green box are all just names

[Picture 12.png]

Create a policy-map (policy map) that associates the class-maps and either permits the connection or discards it. The policy is usually applied on the inside (inbound) interface; only one policy map can be applied to an interface.

policy-map type inspect http httppolicy    // create the inspection policy map

class httpclass    // call the class map that checks the HTTP headers

drop-connection log    // discard the connection and record a log

policy-map insidepolicy    // operate on the access control list and define the corresponding policy

class aclclass    // call the class map built on the access control list

inspect http httppolicy    // apply the defined HTTP inspection policy map

service-policy insidepolicy interface inside    // apply the policy on the inside interface
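To show what the chain aclclass -> httpclass -> drop-connection actually decides per request, here is a small Python model of the policy above. It is an added example, not code from the original post or from Cisco; the inside network, the port and the regex are copied from the configuration, the HTTP requests are constructed samples, and Python's re.search stands in for the ASA regex engine (the ASA syntax used on the page is simple enough that both engines agree on it). The cases labelled "bare-accp" and "lookalike" go beyond the page's own test: they show that the unanchored pattern "\.accp\.com" does not match a Host of plain accp.com (no leading dot) but does match www.accp.com.example.net (nothing anchors the end), which is worth knowing before relying on the filter.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Values mirroring the ASA configuration on the page.
INSIDE_NET = ipaddress.ip_network("192.168.100.0/24")  # source network of access-list aclfile
HTTP_PORT = 80                                          # "eq www" in the ACL (port assumed, see lead-in)
URL_REGEX = re.compile(r"\.accp\.com")                  # regex "url": unanchored, needs a leading dot


def acl_matches(src_ip: str, dst_port: int) -> bool:
    """Model of 'access-list aclfile extended permit tcp 192.168.100.0 255.255.255.0 any eq www'."""
    return ipaddress.ip_address(src_ip) in INSIDE_NET and dst_port == HTTP_PORT


def host_header(raw_request: bytes) -> Optional[str]:
    """Extract the Host header from a cleartext HTTP request (the field 'match request header host' inspects)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def classify(src_ip: str, dst_port: int, raw_request: bytes, log: List[str]) -> str:
    """Return 'permit' or 'drop' as insidepolicy -> httppolicy would, appending a log line on drop."""
    if not acl_matches(src_ip, dst_port):
        return "permit"          # traffic outside class aclclass is never handed to HTTP inspection
    host = host_header(raw_request)
    if host is not None and URL_REGEX.search(host):
        log.append(f"drop-connection log: src={src_ip} host={host}")   # 'drop-connection log'
        return "drop"
    return "permit"


def demo() -> Tuple[dict, List[str]]:
    """Run constructed sample requests through the model; returns (decision per case, log lines)."""
    log: List[str] = []
    cases = {
        # name: (source IP, destination port, constructed HTTP request)
        "benet":     ("192.168.100.10", 80, b"GET / HTTP/1.1\r\nHost: www.benet.com\r\n\r\n"),
        "accp":      ("192.168.100.10", 80, b"GET / HTTP/1.1\r\nHost: www.accp.com\r\n\r\n"),
        "bare-accp": ("192.168.100.10", 80, b"GET / HTTP/1.1\r\nHost: accp.com\r\n\r\n"),
        "lookalike": ("192.168.100.10", 80, b"GET / HTTP/1.1\r\nHost: www.accp.com.example.net\r\n\r\n"),
        "other-net": ("10.0.0.5",       80, b"GET / HTTP/1.1\r\nHost: www.accp.com\r\n\r\n"),
    }
    results = {name: classify(*args, log) for name, args in cases.items()}
    return results, log


if __name__ == "__main__":
    decisions, entries = demo()
    for name, verdict in decisions.items():
        print(f"{name:10s} -> {verdict}")
    for entry in entries:
        print(entry)
```

The results are: benet permitted, www.accp.com dropped, plain accp.com permitted, the lookalike host dropped, and the request from 10.0.0.5 permitted because it never enters class aclclass. Two design points follow from the model: the Host header is only visible to the inspection because the traffic is cleartext HTTP on port 80, and a pattern such as "\.accp\.com$" or "(^|\.)accp\.com$" would be needed to pin the match to the intended domain rather than to any host name containing that string.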

[Picture 13.png]

Again, it is a good idea to clear the browser cache first.

[Picture 14.png]

When visiting again, the benet site is still accessible, while the ACCP site can no longer be accessed.

[Picture 15.png]

Experimental summary: URL filtering can also be defined directly in each host's hosts file, but that has to be set on every internal client, the workload is very large, and it is easy to tamper with. So it is both convenient and secure to do it on the ASA firewall.

In the ASA URL filter statements, the type definitions and the type names must not be mixed up; if they are, it will not work. I hope you will be careful and check them.

OK! Experiment done!

This article is from the "Blue Bird Technology Group @ wei" blog; please be sure to keep this source: http://zhang2015.blog.51cto.com/9735109/1671230
