• First off, decide which sites you want to allow and call each one out in a regex statement. Keep in mind that the ASA does an unanchored substring search and that an unescaped `.` matches any character, so `cisco.com` as written below also matches Host values such as `notcisco.com` or `cisco.com.example.net`. For a whitelist you actually rely on, escape the dot and anchor the end (for example `cisco\.com$`), and check a pattern against a sample string with the ASA's `test regex <input> <pattern>` command before you deploy it. The examples here keep the simple form from the original:
!
regex urlreg1 "cisco.com"
regex urlreg2 "yahoo.com"
• Next we group these regex statements under a regex class-map and call it whitelist. Because it is match-any, a Host header that matches any one of the regexes counts as a match:
!
class-map type regex match-any whitelist
match regex urlreg1
match regex urlreg2
• The HTTP inspection class-map "goodclass" matches any request whose Host header hits one of the regexes in "whitelist". Note that it is the Host header the client sends that is inspected, not the full URL:
!
class-map type inspect http match-all goodclass
match request header host regex class whitelist
• Now we need a class-map that catches everything not in the allowed list. This is done by creating "badclass" and using "match not" against the same whitelist:
!
class-map type inspect http match-all badclass
match not request header host regex class whitelist
• Here we put "goodclass" and "badclass" into an HTTP inspection policy-map that carries the actions. "goodclass" has no action under it, so matching requests are allowed through; "badclass" gets drop-connection. Add the log keyword (drop-connection log) if you also want a syslog entry per dropped request:
!
policy-map type inspect http regex-policy
parameters
class goodclass
class badclass
drop-connection
• The policy-map "global_policy" might already exist on the ASA (not sure since I have hacked mine to hell), but in any case it calls out "class inspection_default", which has to exist on the box for the statement under "global_policy" to take. If you are missing it, here it is:
# class-map inspection_default
# match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect http regex-policy
• This next statement applies "global_policy" to the inside interface (on a default ASA configuration it is instead applied with "service-policy global_policy global"). Once applied, HTTP requests from the trusted LAN to anything other than cisco.com and yahoo.com are dropped. Two caveats: the http inspection in inspection_default only covers cleartext HTTP on its default port, so HTTPS (where the Host header is encrypted) and every other protocol are untouched; and the decision rests solely on the Host header the client chooses to send, with no check that the destination address actually belongs to that name, so treat this as an acceptable-use control rather than a hard boundary.
!
service-policy global_policy interface inside
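To see why the unanchored regexes matter, here is an added example (not from the original post, and not Cisco code) that replays the whitelist logic in Python: the match-any regex class, the goodclass/badclass split, and the drop-connection action. It uses Python's re.search as a stand-in for the ASA regex engine (an assumption: both do unanchored substring searches and both support \., ^, $, | and ?) over a constructed list of Host header values, and it goes one step beyond the post by placing a hardened form of the two regexes next to the original ones.

```python
import re

# Constructed sample Host header values (not from the original post). The first
# three are legitimate requests; the rest are hosts that should NOT be allowed.
SAMPLE_HOSTS = [
    "www.cisco.com",
    "cisco.com",
    "www.yahoo.com:80",            # a Host header may legally carry a port
    "cisco.com.attacker.example",  # whitelisted name as a prefix of another domain
    "notcisco.com",                # whitelisted name as the tail of another label
    "ciscoxcom",                   # an unescaped '.' also matches 'x'
    "mirror.example",
]
LEGITIMATE = {"www.cisco.com", "cisco.com", "www.yahoo.com:80"}

# The two regexes exactly as the post defines them: unescaped '.', no anchors.
WEAK_WHITELIST = {
    "urlreg1": r"cisco.com",
    "urlreg2": r"yahoo.com",
}

# Hardened form (my assumption, not from the post): the dot is escaped, the
# name must be the whole host or follow a '.', and an optional ':port' may
# sit between the name and the end of the header value.
HARD_WHITELIST = {
    "urlreg1": r"(^|\.)cisco\.com(:[0-9]+)?$",
    "urlreg2": r"(^|\.)yahoo\.com(:[0-9]+)?$",
}


def whitelist_matches(host: str, regex_class: dict) -> bool:
    """class-map type regex match-any: any regex in the class hitting the
    Host header value is a match. re.search is unanchored, like the ASA."""
    return any(re.search(pattern, host) for pattern in regex_class.values())


def policy_action(host: str, regex_class: dict) -> str:
    """goodclass (match ... regex class whitelist) carries no action, so the
    request passes; badclass (match not ...) gets drop-connection."""
    return "pass" if whitelist_matches(host, regex_class) else "drop-connection"


def evaluate(regex_class: dict, hosts=SAMPLE_HOSTS) -> dict:
    """Run every sample Host header through the policy; returns host -> action."""
    return {host: policy_action(host, regex_class) for host in hosts}


def evasions(regex_class: dict, hosts=SAMPLE_HOSTS) -> list:
    """Hosts outside the intended two sites that the policy still lets through."""
    return [host for host, action in evaluate(regex_class, hosts).items()
            if action == "pass" and host not in LEGITIMATE]


if __name__ == "__main__":
    for name, regex_class in (("weak", WEAK_WHITELIST), ("hardened", HARD_WHITELIST)):
        print(f"--- {name} whitelist ---")
        for host, action in evaluate(regex_class).items():
            print(f"{host:30} {action}")
        print("evasions:", evasions(regex_class))
```

With the post's regexes three of the four bad hosts pass; with the hardened pair none do, while the legitimate hosts (including the one carrying a port) still match. Whatever pattern you settle on, the ASA's own test regex command is the place to confirm it before it lands in the class-map.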
Have fun with this one. Maybe call out some social networking sites in the regex statements and change the action in the policy-map "regex-policy" to log instead of drop-connection, then watch the syslog to see how often your users are hitting those sites.
Here is a graphical illustration of what we just made: [image not reproduced here]