MPF Task: Solution!

by Jimmy Larsson on February 8, 2010

Solution:

The solution lies in the fact that this does not work with the regexps:

class-map type inspect http match-all class-FIND-BANNED-URLS
match request uri regex class class-map-JIMMYS-BANNED-SITES
!

The uri is the part of the URL after the hostname: the directory path and filename on the web server. By matching on the uri you can, in “http://www.facebook.com/jimmy.larsson”, match on substrings within the “/jimmy.larsson” part but not within the “http://www.facebook.com” part, because the hostname never appears in the request URI.

By matching on the request header host string instead, I get the desired result:

class-map type inspect http match-all class-FIND-BANNED-URLS
match request header host regex class class-map-JIMMYS-BANNED-SITES

Verification:

When trying to access facebook (after making sure that the clock is not in my 5 min per hour grace period ;) ) I get this in the log:


%ASA-5-415008: HTTP - matched Class 29: class-FIND-BANNED-URLS in policy-map policy-INSPECT-HTTP, header matched - Resetting connection from inside:192.168.1.50/51194 to outside: 69.63.181.15/80

Caveat:

Since I match on the host name, I cannot do stuff like this (the host header carries only “www.google.com”, never the “/reader” path):

regex googlereader ".*google\.com\/reader*"

This will work:

regex googlereader ".*google\.com*"

However, it will prevent me from using any Google service during my studies (which might be a good thing :) ). Anyway, how do I prevent access to Google Reader at google.com/reader without killing my Google-searching abilities? Combine a host match and a uri match in one match-all class, so both must hit before the connection is reset. Like this:

regex reader ".*reader\/.*"
regex google ".*\.google\..*"
!
class-map type inspect http match-all GOOGLEREADER
 match request header host regex google
 match request uri regex reader
!
policy-map type inspect http policy-INSPECT-HTTP
 parameters
 class class-FIND-BANNED-URLS
  reset log
 class GOOGLEREADER
  reset log
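To make the uri-versus-host distinction and the match-all combination concrete, here is a small Python model of how the ASA's HTTP inspection engine sees a request. It is an added example, not code from the original post or from Cisco: it parses constructed sample requests into request URI and headers, evaluates `match-all` class-maps against them, and shows that the uri-based banned-sites class never sees the hostname, that the host-only “google.com/reader” regex never matches, and that the combined GOOGLEREADER class fires only on the reader path. The contents of `class-map-JIMMYS-BANNED-SITES` are not shown on the page, so a single facebook regex is assumed; ASA regexes are modelled as unanchored substring matches with `re.search`, which the post's leading `.*` makes equivalent either way.

```python
import re
from dataclasses import dataclass, field

# Constructed sample HTTP requests (not from the original post): request line
# plus headers, roughly as the ASA HTTP inspection engine sees them.
SAMPLE_REQUESTS = {
    "facebook_profile": "GET /jimmy.larsson HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    "google_search": "GET /search?q=asa+mpf HTTP/1.1\r\nHost: www.google.com\r\n\r\n",
    "google_reader": "GET /reader/view/ HTTP/1.1\r\nHost: www.google.com\r\n\r\n",
}


def parse_request(raw):
    """Split a raw HTTP request into (request_uri, headers).

    The request URI is the path and query from the request line; the
    hostname lives only in the Host header. That is exactly why a
    'match request uri regex' can never see 'www.facebook.com'.
    """
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    _method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return uri, headers


@dataclass
class HttpClassMap:
    """Model of 'class-map type inspect http match-all'.

    Each entry in `matches` is (field, regex) where field is "uri" or
    "header <name>". Every entry must match for the class to match.
    """
    name: str
    matches: list = field(default_factory=list)

    def matches_request(self, uri, headers):
        for field_name, pattern in self.matches:
            if field_name == "uri":
                subject = uri
            elif field_name.startswith("header "):
                subject = headers.get(field_name.split(" ", 1)[1].lower(), "")
            else:
                raise ValueError(f"unsupported match field: {field_name}")
            # Assumption: ASA regex matching is unanchored, like re.search.
            if not re.search(pattern, subject):
                return False
        return True


def classify(class_maps, raw):
    """Return the names of all class-maps matching the request.

    The ASA applies each matching class's action (reset log here); this
    model only reports which classes would have fired.
    """
    uri, headers = parse_request(raw)
    return [cm.name for cm in class_maps if cm.matches_request(uri, headers)]


# Constructed: the regex class from the post is not shown, so one entry is assumed.
BANNED_HOST_REGEX = r".*facebook\.com.*"

# The post's first (non-working) attempt: banned-sites regex applied to the URI.
BROKEN_BANNED = HttpClassMap("class-FIND-BANNED-URLS (uri)", [("uri", BANNED_HOST_REGEX)])
# The post's fix: the same regex applied to the Host header.
FIXED_BANNED = HttpClassMap("class-FIND-BANNED-URLS (host)", [("header host", BANNED_HOST_REGEX)])
# The caveat: a path inside a host-header regex can never match.
BROKEN_READER = HttpClassMap("googlereader (host only)", [("header host", r".*google\.com\/reader*")])
# The post's final answer: host regex AND uri regex in one match-all class.
GOOGLEREADER = HttpClassMap("GOOGLEREADER",
                            [("header host", r".*\.google\..*"), ("uri", r".*reader\/.*")])

POLICY = [BROKEN_BANNED, FIXED_BANNED, BROKEN_READER, GOOGLEREADER]

if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(f"{label:17s} -> {classify(POLICY, raw)}")
```

Running it shows the facebook request is caught only by the host-based class, the plain Google search matches nothing, and the reader request matches only GOOGLEREADER. Two practical notes: the ASA HTTP inspection engine sees only cleartext HTTP, so the same host would be invisible inside TLS, and the Host header is whatever the client sends, which is fine for the self-restriction the post is about but not something to rely on as a security boundary.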

Mission accomplished!
