2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Experiment
Experimental topology diagram:
Experimental environment:
Build a web site and a DNS service on the Server 2008 server, and create two websites with the domain names benet.com and accp.com respectively.
Experimental requirements:
First, the client must be able to visit both websites on the server; once that works, configure URL filtering on the firewall so that the client cannot access the accp.com website.
The steps of the experiment:
First, configure the zone name and IP address of each interface on the ASA firewall:
ciscoasa(config)# int e0/0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip add 192.168.10.1 255.255.255.0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# int e0/1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip add 13.0.0.1 255.255.255.0
ciscoasa(config-if)# no shut
Create two websites on the server, specifying the location and domain name of the site:
To create an accp.com website:
To create a benet.com website:
Specify the DNS host A record:
Test that the client can visit the two websites:
Test access succeeded:
Next, do URL filtering on the firewall to make the client unable to access the accp.com website.
Configuration on ASA:
URL filtering requires the following three steps
Url filtering
First, create a class-map (class map) to identify transport traffic.
ciscoasa(config)# access-list aclfile permit tcp 192.168.10.0 255.255.255.0 an$ // defines the access control list aclfile.
ciscoasa(config)# class-map aclclass // creates the class map aclclass.
ciscoasa(config-cmap)# match access-list aclfile // matches the access control list.
ciscoasa(config-cmap)# regex url "\.accp\.com" // defines the regular expression for the website that must not be visited.
ciscoasa(config)# class-map type regex match-any urlclass // creates the class map urlclass; the keyword match-any means a match on any one entry is enough.
ciscoasa(config-cmap)# match regex url // calls the regular expression.
ciscoasa(config-cmap)# ex
ciscoasa(config)# class-map type inspect http httpclass // creates a class map for inspecting HTTP traffic.
ciscoasa(config-cmap)# match request header host regex class urlclass // calls the previously configured urlclass.
Second, create a policy-map (policy map) and associate the class-map with it.
ciscoasa(config)# policy-map type inspect http httppolicy // creates a policy map.
ciscoasa(config-pmap)# class httpclass // calls the class map created earlier for inspecting the HTTP header.
ciscoasa(config-pmap-c)# drop-connection log // drops the connection and logs it.
ciscoasa(config-pmap-c)# policy-map insidepolicy // creates the policy map that acts on the traffic matched by the access control list.
ciscoasa(config-pmap)# class aclclass // calls the class map of the access control list.
ciscoasa(config-pmap-c)# inspect http httppolicy // inspects HTTP using the policy map defined above.
Third, apply class-map to the interface.
ciscoasa(config)# service-policy insidepolicy interface inside // applies the policy on the inside interface.
Test access to the accp.com website from the client:
The result shows that it is inaccessible:
The experiment is completed
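As an added example (not part of the original article), the following Python model walks the same chain as the configuration above (aclclass, then the Host-header check against urlclass, then drop-connection) so the coverage of the regex can be checked against sample requests. Assumptions: Python's `re.search` stands in for the ASA regex engine, the client address 192.168.10.2 and all function names are constructed for illustration, and the destination part of the ACL is truncated on the page, so only its source network is modelled.

```python
import ipaddress
import re

# Mirrors the page's objects; Python's re stands in for the ASA regex engine (assumption).
INSIDE_NET = ipaddress.ip_network("192.168.10.0/24")  # source side of ACL aclfile
URLCLASS = [re.compile(r"\.accp\.com")]               # regex url, in match-any class urlclass


def host_header(raw_request: bytes) -> str:
    """Return the Host header value of a raw HTTP/1.x request, or '' if absent."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return ""


def verdict(src_ip: str, raw_request: bytes) -> str:
    """'drop' if the request would hit httppolicy's drop-connection, else 'permit'."""
    if ipaddress.ip_address(src_ip) not in INSIDE_NET:
        return "permit"  # not in class aclclass, so never inspected
    host = host_header(raw_request)
    # match-any: one matching regex is enough; search() matches anywhere in the value
    if any(rx.search(host) for rx in URLCLASS):
        return "drop"
    return "permit"


def request(host: str) -> bytes:
    """Build a constructed sample GET request for the given Host value."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nUser-Agent: lab\r\n\r\n".encode()


if __name__ == "__main__":
    # Constructed Host values to check which names the filter covers.
    for h in ["www.accp.com", "www.benet.com", "accp.com", "www.accp.com:80"]:
        print(f"{h:20} {verdict('192.168.10.2', request(h))}")
```

The pattern begins with a literal dot, so the bare name accp.com is not matched; if the server also answers on that name, the regex has to be widened to cover it. Only cleartext HTTP carries a Host header that this inspection can read.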