2025-02-03 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Many software products exist to manage users' online behavior, and the ASA, as a stateful firewall, can do this as well. We can use the features of the ASA firewall software to implement URL filtering, controlling which website domain names can be visited for management purposes.
The implementation of URL filtering is generally divided into the following three steps:
1. Create a class-map (class map) to identify the traffic to be inspected.
2. Create a policy-map (policy map) and associate the class-map with it.
3. Apply the policy-map to the interface.
Configuration example:
Using the following simple network topology, edit the hosts file on the intranet host and add the following records (if the production environment already has a DNS server and so on, you can omit this step):
172.16.1.1 www.kkgame.com
172.16.1.1 www.163.com
Requirement: hosts in the intranet segment 192.168.1.0/24 are prohibited from accessing the website www.kkgame.com but are allowed to access other websites (such as www.163.com).
The configuration steps are as follows (basic configurations such as interfaces are omitted):
(1) Create a class-map to identify the traffic:
ciscoasa(config)# access-list tcp_filter1 permit tcp 192.168.1.0 255.255.255.0 any eq www
ciscoasa(config)# class-map tcp_filter_class1
! Define the permitted traffic in the class-map.
ciscoasa(config-cmap)# match access-list tcp_filter1
ciscoasa(config-cmap)# exit
! Define a regular expression named url1, indicating that the URL suffix is ".kkgame.com".
ciscoasa(config)# regex url1 "\.kkgame\.com"
! Create a class-map named url_class1 of type regex. The keyword match-any means a match on any one entry is enough.
ciscoasa(config)# class-map type regex match-any url_class1
ciscoasa(config-cmap)# match regex url1
ciscoasa(config-cmap)# exit
! Create a class-map named http_url_class1 of type inspect http (inspect HTTP traffic).
ciscoasa(config)# class-map type inspect http http_url_class1
! Match the URL suffix ".kkgame.com" in the Host field of the HTTP request header; url_class1 calls the class-map named url_class1.
ciscoasa(config-cmap)# match request header host regex class url_class1
ciscoasa(config-cmap)# exit
(2) Create the policy-map and associate the class-map:
! Create a policy-map named http_url_policy1 of type inspect http (inspect HTTP traffic).
ciscoasa(config)# policy-map type inspect http http_url_policy1
! Call the previously created class-map.
ciscoasa(config-pmap)# class http_url_class1
! Drop the packet, close the connection and send a system log message.
ciscoasa(config-pmap-c)# drop-connection log
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
! Create a policy-map named inside_http_url_policy, which will be applied to the interface.
ciscoasa(config)# policy-map inside_http_url_policy
! Call the previously created class-map.
ciscoasa(config-pmap)# class tcp_filter_class1
! Inspect HTTP traffic.
ciscoasa(config-pmap-c)# inspect http http_url_policy1
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
(3) Apply the policy-map to the interface:
ciscoasa(config)# service-policy inside_http_url_policy interface inside
At this point the requirement has been implemented. Note that only one policy-map can be applied to an interface.
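The matching logic of this policy, modeled in Python as an added example (not part of the original article and not Cisco code), to check which requests the configuration actually acts on. It assumes Python's re module treats the simple pattern \.kkgame\.com the same way the ASA regex does; the names verdict and run and the sample requests are constructed for illustration.

```python
import ipaddress
import re

# Values taken from the configuration above.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")  # source in access-list tcp_filter1
HTTP_PORT = 80                                       # "eq www"
URL1 = re.compile(r"\.kkgame\.com")                  # regex url1 (not anchored)


def verdict(src_ip, dst_port, host):
    """Model what the service-policy does with one request.

    'not-inspected'   : flow is outside tcp_filter_class1, HTTP inspection never runs
    'drop-connection' : Host header matches url_class1 (action: drop-connection log)
    'allow'           : flow is inspected and the Host header does not match
    """
    if ipaddress.ip_address(src_ip) not in INSIDE_NET or dst_port != HTTP_PORT:
        return "not-inspected"
    # "match request header host regex class url_class1" is a search within
    # the Host value, so the pattern may match anywhere in the header.
    if URL1.search(host):
        return "drop-connection"
    return "allow"


# Constructed sample requests: (source IP, destination port, Host header).
SAMPLES = [
    ("192.168.1.10", 80, "www.kkgame.com"),     # the site named in the requirement
    ("192.168.1.10", 80, "www.163.com"),        # must stay reachable
    ("192.168.1.10", 80, "kkgame.com"),         # no leading dot in the Host value
    ("192.168.1.10", 80, "www.kkgame.com.cn"),  # unanchored pattern also matches this
    ("192.168.1.10", 443, "www.kkgame.com"),    # HTTPS: outside "eq www"
    ("192.168.2.10", 80, "www.kkgame.com"),     # source outside 192.168.1.0/24
]


def run():
    """Return (sample, verdict) pairs for every constructed request."""
    return [(s, verdict(*s)) for s in SAMPLES]


if __name__ == "__main__":
    for sample, result in run():
        print(f"{sample[0]:<14} port {sample[1]:<4} {sample[2]:<20} -> {result}")
```

Requests reported as allow or not-inspected for the blocked site (the bare host kkgame.com, port 443, sources outside 192.168.1.0/24) are not covered by this policy, so confirm they are handled elsewhere if the requirement depends on it.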