Within this tutorial we will look at two configuration examples in which we use HTTP inspection on the Cisco ASA to allow access for certain hosts based on the HTTP Host header.
In addition to the commands below you will also need to grant the relevant access via your interface-based ACLs. This is because your HTTP traffic will first hit the interface-based ACLs before reaching the ASA's application inspection layer.
Your access-list will need to contain a permit for HTTP traffic from your host(s) through to any. An example would be:
access-list acl-inside-in extended permit tcp any any eq www
EXAMPLE 1
This example shows the syntax required to allow access to yahoo.com for any host within the network 10.1.1.0 255.255.0.0. HTTP traffic for any other host is denied. The interface ACL from the introduction (acl-inside-in) is still required.
Steps
1. Create the regular expression that defines the allowed host:
regex urlallow1 "yahoo\.com"
2. Define the hosts that are either allowed access or not:
access-list acl-mpf-http1 extended permit tcp 10.1.1.0 255.255.0.0 any eq www
access-list acl-mpf-http1 extended deny ip any any
3. Define the match conditions. Here we match any Host header that does not match the previously defined regular expression (urlallow1):
class-map type inspect http match-all class-http1
 match not request header host regex urlallow1
4. Assign the previous access-list to a class-map:
class-map class-http-match1
 match access-list acl-mpf-http1
5. Create the HTTP inspection policy map and assign the class map (class-http1) to it. An action is assigned against this class map:
policy-map type inspect http policy-http1
 parameters
 class class-http1
  drop-connection log
6. Under the global_policy map, assign the HTTP inspection policy map against the match class map (class-http-match1):
policy-map global_policy
 class class-http-match1
  inspect http policy-http1
7. Assign global_policy to all interfaces:
service-policy global_policy global
EXAMPLE 2
This example shows the syntax required to allow access to yahoo.com for any host apart from 192.168.1.100. The interface ACL from the introduction (acl-inside-in) is still required.
Steps
1. Create the regular expression that defines the allowed host:
regex urlallow1 "yahoo\.com"
2. Define the hosts that are either allowed access or not:
access-list acl-mpf-http1 extended deny tcp host 192.168.1.100 any eq www
access-list acl-mpf-http1 extended permit ip any any
3. Define the match conditions. Here we match any Host header that does not match the previously defined regular expression (urlallow1):
class-map type inspect http match-all class-http1
 match not request header host regex urlallow1
4. Assign the previous access-list to a class-map:
class-map class-http-match1
 match access-list acl-mpf-http1
5. Create the HTTP inspection policy map and assign the class map (class-http1) to it. An action is assigned against this class map:
policy-map type inspect http policy-http1
 parameters
 class class-http1
  drop-connection log
6. Under the global_policy map, assign the HTTP inspection policy map against the match class map (class-http-match1):
policy-map global_policy
 class class-http-match1
  inspect http policy-http1
7. Assign global_policy to all interfaces:
service-policy global_policy global
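To check how the policies in Example 1 and Example 2 classify a request before committing them, here is a small Python model added for this tutorial (not Cisco code and not part of the original post). It applies the match access-list the way a class-map does (a deny ACE means the flow is not classified and therefore not inspected) and then the unanchored urlallow1 regex against the Host header. The ACL entries and the regex are the page's own values; the port matching and the sample source addresses are assumptions.

```python
import ipaddress
import re

# Constructed model of the two MPF policies on this page (added example, not ASA code).
# Each ACL is a list of (action, source network) evaluated top-down, first match wins.
# The destination-port part of the ACEs ("any eq www") is assumed to hold, since only
# HTTP traffic reaches the inspection policy anyway.
EXAMPLE1_ACL = [("permit", "10.1.1.0/255.255.0.0"), ("deny", "0.0.0.0/0")]
EXAMPLE2_ACL = [("deny", "192.168.1.100/32"), ("permit", "0.0.0.0/0")]
URL_ALLOW = re.compile(r"yahoo\.com")  # regex urlallow1, unanchored exactly as on the page


def class_matches(acl, src_ip):
    """Model 'class-map class-http-match1 / match access-list acl-mpf-http1'.

    Inside a class-map a deny ACE means 'do not classify this flow', so a denied
    source simply bypasses the HTTP inspection policy.
    """
    ip = ipaddress.ip_address(src_ip)
    for action, net in acl:
        if ip in ipaddress.ip_network(net, strict=False):
            return action == "permit"
    return False  # implicit deny at the end of every ASA access-list


def http_verdict(acl, src_ip, host_header):
    """Model policy-http1: drop the connection when the Host header does NOT match urlallow1."""
    if not class_matches(acl, src_ip):
        return "not inspected"  # only the interface ACL (acl-inside-in) applies
    # 'match not request header host regex urlallow1': the class fires when the
    # pattern does not appear anywhere in the header (substring semantics).
    if URL_ALLOW.search(host_header) is None:
        return "drop-connection log"
    return "allowed"


if __name__ == "__main__":
    # Constructed sample requests: (policy, source address, Host header)
    for acl, src, host in [
        (EXAMPLE1_ACL, "10.1.5.7", "www.yahoo.com"),
        (EXAMPLE1_ACL, "10.1.5.7", "example.com"),
        (EXAMPLE1_ACL, "192.168.1.5", "example.com"),
        (EXAMPLE2_ACL, "192.168.1.100", "example.com"),
        (EXAMPLE2_ACL, "192.168.1.50", "example.com"),
    ]:
        print(src, host, "->", http_verdict(acl, src, host))
```

Because the pattern is unanchored, any Host header that merely contains the string yahoo.com passes the check; anchor the expression if only exact host names should be allowed.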