ASA URL filtering with MPF

Problem: “I want to block facebook.com and myspace.com but I don’t have a Websense server.”

regex domlist1 "facebook.com"
regex domlist2 "myspace.com"
!
class-map type regex match-any DomainBlockList
  match regex domlist1
  match regex domlist2
!
class-map type inspect http match-all BlockDomainsClass
  match request header host regex class DomainBlockList
!
policy-map type inspect http http_inspection_policy
  class BlockDomainsClass
  reset log
!
policy-map global_policy
  class inspection_default
  inspect http http_inspection_policy
!
service-policy global_policy global
wr mem

Posted in ASA, CCIE, CCIE Security.

Tagged with ASA, CCIE, filtering, MPF.

1 comment

By blanders – October 21, 2009

One Response

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

Kirbini says

Better have a lot of spare CPU or low HTTP traffic levels when implementing HTTP inspect with regex or you could wind up in quite the pickle.

October 27, 2009, 10:38 am

« BGP Through an ASA with Authentication BGP Route Manipulation »

Quirks of the Cisco 6500 Sup720 Module Ports
Some things to look out for when working with the Sup720-10GE on the Cat6k.
A List of FREE VMware vSphere Tools
Great collection of 3rd party (and some official) tools for VMware that don't cost a cent.
Make Sure Your Rails Application is Actually Caching
Quick tip to ensure that Rails is actually serving from cache and not just pretending to do so.
Enabling VMotion on internal vswitch
How to make VMotion work when VMs are connected to a vSwitch with no physical interfaces.
Release Notes for the Cisco ASA 5500 Series, 8.3(x)
Update for the ASA appliances, featuring Anyconnect updates for 64-bit operating systems and a radically new NAT syntax.
Cisco Catalyst 6500 Architecture White Paper
The official source for Cat6k architecture and design questions.
Notes on Cisco Catalyst 6500 architecture
High-level overview of the various backplane and fabric options in the Cat6k.
Extracting a 3DES key from an IBM 4758
Software-based attack for stealing the crypto keys from a tamper-resistant IBM crypto processor.
PowerCLI: Changing a VM IP Address with Invoke-VMScript
How to update the IP address of a Windows VM programatically using the PowerShell-based PowerCLI.
Auto-configure Linux vmware-tools at Boot time
Bash initscript to ensure your vmware tools get reconfigured when the kernel is upgraded. Could use a tweak to not run on a non-VM host.
Upgrade SQL Express to Standard or Enterprise
This will come in handy if you start out with vCenter running on the included SQL Express server and later outgrow it.
VMware Virtual Center Attributes – It’s all about the details
Covers a lesser-known but VERY useful feature in vCenter for adding metadata to virtual machines.
VMFS or NFS
Performance and other considerations when choosing a storage architecture for vSphere. Also touches on FC vs. iSCSI/NFS.
Designing Secure Multi-Tenancy into Virtualized Data Centers
Cisco Validated Design for the just-announced VMware/NetApp reference architecture.
Cisco Internal WAAS Implementation
High-level overview of Cisco IT's WAAS rollout to 200+ remote offices. The resulting CIFS optimization lead them to massivly consolidate file services to regional hubs.

Proudly powered by WordPress and Carrington.

ASA URL filtering with MPF

One Response

About Packetslave Industries

Archives

Meta

Delicious Bookmarks