Thanks for the clarification Tyson - I've been using the code I posted
for a while now and always just assumed it was matching the entire URL
(although I only specified in the code to match the URI and not the domain).
That would explain why it still works for me, but may not work for
others.  You learn something new every day I guess.

 

Thanks again!

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: Tyson Scott [mailto:tsc...@ipexpert.com] 
Sent: Friday, September 25, 2009 11:14 AM
To: Rohyans, Aaron; 'Simon Baumann'; ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] ASA url filter.

 

Aaron/Simon,

 

Actually the website is not the URI.  The URI is content from the website.
So

www.cisco.com would be the hostname/domain and
/cisco/web/psa/default.html would be the URI for the product
documentation webpage.

 

This was a discussion on groupstudy earlier this week, so I am giving an
example that was provided there.

 

regex domainlist1 "\.yahoo\.com"
regex domainlist2 "\.yell\.com"
regex domainlist3 "\.youtube\.com"
regex domainlist4 "\.facebook\.com"
!
class-map type regex match-any DomainLogList
  match regex domainlist4
class-map type regex match-any DomainBlockList
  match regex domainlist1
  match regex domainlist2
  match regex domainlist3
!
class-map type inspect http match-all BlockDomainsClass
  match request header host regex class DomainBlockList
class-map type inspect http match-all LogDomainsClass
  match request header host regex class DomainLogList
!
policy-map type inspect http http_inspection_policy
  parameters
  class BlockDomainsClass
   reset log
  class LogDomainsClass
   log
!
policy-map global_policy
 class inspection_default
  inspect http http_inspection_policy

 

Another example showing the difference between the two.

 

The following is a post from Piotr Matusiak.  The first example was from
Darren Johnson.

 

Simply speaking, both commands match different parts of the HTTP request
message. A typical HTTP message consists of:

1. Request line, like GET /some/resource/on/the/server.txt
2. Headers; there is a mandatory field (as per HTTP 1.1) of Host, like www.cisco.com
3. Optional message body

 

The GET message points to a specific resource on the server, which is
usually represented by the URI.

 

If you want to match text included in the request line, use the "match
request uri" command; if you want to match the host, use "match request
header host".

 

In the light of the lab exam, this is a matter of the question/task. If, for
example, Cisco wants you to block "www.cisco.com/univercd/home/home.htm",
you should use both commands in one class-map like:

 

 

regex regex-domain "www\.cisco\.com"
regex regex-uri "/univercd/home/home\.htm"
!
class-map type regex match-any CM_URI
 match regex regex-uri
!
class-map type regex match-any CM_Domain
 match regex regex-domain
!
class-map type inspect http match-all BlockDomainURI
 match request header host regex class CM_Domain
 match request uri regex class CM_URI

 

 

This is probably the most beneficial post on Security Groupstudy in a
while so I hope this helps you guys too.

 

 

Regards,

 

Tyson Scott - CCIE #13513 R&S and Security

Technical Instructor - IPexpert, Inc.


Telephone: +1.810.326.1444 
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto:  tsc...@ipexpert.com

 

Join our free online support and peer group communities:
http://www.IPexpert.com/communities

 

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
Demand and Audio Certification Training Tools for the Cisco CCIE R&S
Lab, CCIE Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and
CCIE Storage Lab Certifications.
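The following Python is an added illustration and is not code from this thread, from Cisco, or from any of the posters. It models the ASA class-map semantics discussed above: a "class-map type regex match-any" is an unanchored regex search, "match request uri" runs it over the request-line URI, "match request header host" runs it over the Host header value, and the inspect class-map combines its match lines with match-all or match-any. The three policies mirror the three configs posted in the thread (Aaron's URI-only regex, Darren's host-header list, and Piotr's combined host-plus-URI class-map); the sample HTTP requests are constructed for the demo, and the assumption that ASA evaluates these regexes as unanchored searches over exactly those two fields is mine, taken from how the commands are described above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample requests (not captures from the thread).
SAMPLE_REQUESTS = {
    "cisco_home":     b"GET / HTTP/1.1\r\nHost: www.cisco.com\r\n\r\n",
    "cisco_univercd": b"GET /univercd/home/home.htm HTTP/1.1\r\nHost: www.cisco.com\r\n\r\n",
    "other_univercd": b"GET /univercd/home/home.htm HTTP/1.1\r\nHost: www.example.net\r\n\r\n",
    "other_query":    b"GET /search?q=cisco.com HTTP/1.1\r\nHost: www.example.net\r\n\r\n",
    "yell_home":      b"GET /index.html HTTP/1.1\r\nHost: www.yell.com\r\n\r\n",
}


@dataclass
class HttpRequest:
    method: str
    uri: str
    version: str
    headers: dict = field(default_factory=dict)


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.1 request into its request line and header fields."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    request_line, *header_lines = head.split("\r\n")
    method, uri, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, version, headers)


def regex_class_matches(patterns, text: str) -> bool:
    """'class-map type regex match-any': true if any regex is found anywhere in text.
    Assumed unanchored, hence re.search rather than re.fullmatch."""
    return any(re.search(p, text) for p in patterns)


def inspect_class_matches(req: HttpRequest, criteria, match_all: bool) -> bool:
    """Evaluate a 'class-map type inspect http' built from (match keyword, regexes) pairs."""
    results = []
    for match_field, patterns in criteria:
        if match_field == "request uri":
            text = req.uri                      # request-line URI only, no hostname
        elif match_field == "request header host":
            text = req.headers.get("host", "")  # Host header value only
        else:
            raise ValueError(f"unsupported match keyword: {match_field}")
        results.append(regex_class_matches(patterns, text))
    return all(results) if match_all else any(results)


CISCO_COM_CI = r"[Cc][Ii][Ss][Cc][Oo]\.[Cc][Oo][Mm]"  # Aaron's REGEX01

# policy name -> (match_all, criteria); names are illustrative labels for the three posted configs
POLICIES = {
    "uri_only":     (False, [("request uri", [CISCO_COM_CI])]),
    "host_only":    (True,  [("request header host", [r"www\.cisco\.com"])]),
    "host_and_uri": (True,  [("request header host", [r"www\.cisco\.com"]),
                             ("request uri", [r"/univercd/home/home\.htm"])]),
}


def blocked_by(policy_name: str, raw: bytes) -> bool:
    """Would the named policy's class-map match (and therefore drop/reset) this request?"""
    match_all, criteria = POLICIES[policy_name]
    return inspect_class_matches(parse_request(raw), criteria, match_all)


def evaluate_all():
    """Return {policy: {request_name: matched}} over the constructed sample requests."""
    return {p: {n: blocked_by(p, raw) for n, raw in SAMPLE_REQUESTS.items()} for p in POLICIES}


if __name__ == "__main__":
    table = evaluate_all()
    print(f"{'request':16}" + "".join(f"{p:>14}" for p in POLICIES))
    for name in SAMPLE_REQUESTS:
        print(f"{name:16}" + "".join(f"{'DROP' if table[p][name] else '-':>14}" for p in POLICIES))
```

Running it shows the point of the thread: the URI-only regex never sees "www.cisco.com" for "GET /" because the hostname is not in the request line, yet it fires on an unrelated host whose query string happens to contain "cisco.com"; the host-header regex catches every request to www.cisco.com; and only the match-all class-map with both lines limits the drop to the one page on the one host.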

 

From: ccie_security-boun...@onlinestudylist.com
[mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Rohyans,
Aaron
Sent: Friday, September 25, 2009 10:26 AM
To: Simon Baumann; ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] ASA url filter.

 

Sorry - gave you the wrong syntax... below is the correct version:

 

regex REGEX01 "[Cc][Ii][Ss][Cc][Oo]\.[Cc][Oo][Mm]"
!
class-map type regex match-any HTTP_URL_FILTER_CMAP
 match regex REGEX01
!
class-map type inspect http match-any HTTP_INSPECT_CMAP
 match request uri regex class HTTP_URL_FILTER_CMAP
!
policy-map type inspect http HTTP_INSPECTION_PMAP
 class HTTP_INSPECT_CMAP
  drop-connection log
!
policy-map global_policy
 class inspection_default
  no inspect http
  inspect http HTTP_INSPECTION_PMAP

 

Sorry about that!  Hope this helps!

 


 

From: ccie_security-boun...@onlinestudylist.com
[mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Rohyans,
Aaron
Sent: Friday, September 25, 2009 9:47 AM
To: Simon Baumann; ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] ASA url filter.

 

regex REGEX01 "[Cc][Ii][Ss][Cc][Oo]\.[Cc][Oo][Mm]"

 

class-map type regex match-any HTTP_URL_FILTER_CMAP

 match regex REGEX01

 

policy-map type inspect HTTP_INSPECTION_CMAP

 class HTTP_URL_FILTER_CMAP

  drop-connection log

 

policy-map global_policy

 class inspection-default

 no inspect http

 inspect http HTTP_INSPECTION_CMAP

 

Hope this helps!

 


 

From: ccie_security-boun...@onlinestudylist.com
[mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Simon
Baumann
Sent: Friday, September 25, 2009 9:39 AM
To: ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] ASA url filter.

 

Hi,

To my knowledge we have two possibilities to filter outgoing HTTP requests
on an ASA to filter specific URLs:

1. using an external URL filter

2. using an HTTP class map with regex, Cisco example:
http://tinyurl.com/yaly2fe

 

Could someone provide an example of how to filter a specific URL with a
regex statement? I tried the Cisco example

from the documentation but ran into several issues. TIA.

 

Regards

Simon

 

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
