ASA configuration 1

url-server (inside) vendor websense host 192.168.135.100 timeout 30 protocol TCP version 1 connections 5
filter java 80 192.168.135.101 255.255.255.255 0.0.0.0 0.0.0.0
filter activex 80 192.168.135.101 255.255.255.255 0.0.0.0 0.0.0.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url http 192.168.135.101 255.255.255.255 0.0.0.0 0.0.0.0 longurl-deny


The host 192.168.135.101 was able to access this URL...
http://www.thelongestlistofthelongeststuffatthelongestdomainnameatlonglast.com/wearejustdoingthistobestupidnowsincethiscangoonforeverandeverandeverbutitstilllookskindaneatinthebrowsereventhoughitsabigwasteoftimeandenergyandhasnorealpointbutwehadtodoitanyways.html

I also tried this configuration:
ASA configuration 2
url-server (inside) vendor websense host 192.168.135.100 timeout 30 protocol TCP version 1 connections 5
filter url except 192.168.135.101 255.255.255.255 174.120.170.57 255.255.255.255
filter java 80 192.168.135.101 255.255.255.255 0.0.0.0 0.0.0.0
filter activex 80 192.168.135.101 255.255.255.255 0.0.0.0 0.0.0.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter url http 192.168.135.101 255.255.255.255 0.0.0.0 0.0.0.0 longurl-deny

I do not actually have a websense server.  It appears the ASA processes the
filter commands in a linear fashion, meaning the "allow" line in
configuration 1 and the "except" line in configuration 2 permit the
traffic.  These commands are ordered by the ASA; I cannot adjust the order
manually.

These log messages seem to confirm URL filtering is working:
Dec  1 23:23:35 asa %ASA-4-507003: tcp flow from inside:192.168.135.101/2349 to outside:174.120.170.57/80 terminated by inspection engine, reason - inspector drop reset.
Dec  1 23:23:35 asa %ASA-6-302014: Teardown TCP connection 128378 for outside:174.120.170.57/80 to inside:192.168.135.101/2349 duration 0:00:00 bytes 0 Flow closed by inspection

Anyone confirm, deny, or comment on my conclusions?

Thanks,
Roger
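The two syslog lines quoted in the post are the evidence that the inspection engine, not the filter "allow"/"except" lines, closed the flow. The script below is an added example (not from the post or from Cisco) that parses %ASA-4-507003 and %ASA-6-302014 messages into structured fields and pairs each inspection-engine drop with its teardown by 5-tuple, which is how a detection pipeline would confirm that URL filtering is actually dropping flows. The sample log text is reconstructed from the post with the e-mail line-wrapping removed; the assumption that the protected interface is named `inside` is a parameter.

```python
"""Parse ASA 507003 (inspection-engine drop) and 302014 (teardown) syslog
messages and pair them by connection 5-tuple.  Added example; the regexes
are written against the message formats visible in the quoted log lines."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two lines from the post, unwrapped.
SAMPLE_LOG = """\
Dec  1 23:23:35 asa %ASA-4-507003: tcp flow from inside:192.168.135.101/2349 to outside:174.120.170.57/80 terminated by inspection engine, reason - inspector drop reset.
Dec  1 23:23:35 asa %ASA-6-302014: Teardown TCP connection 128378 for outside:174.120.170.57/80 to inside:192.168.135.101/2349 duration 0:00:00 bytes 0 Flow closed by inspection
"""

HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
DROP_507003 = re.compile(
    r"^(?P<proto>\w+) flow from (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) terminated by "
    r"inspection engine, reason - (?P<reason>.+?)\.?$")
TEARDOWN_302014 = re.compile(
    r"^Teardown (?P<proto>\w+) connection (?P<conn>\d+) for "
    r"(?P<a_if>[\w-]+):(?P<a>[\d.]+)/(?P<ap>\d+) to (?P<b_if>[\w-]+):(?P<b>[\d.]+)/(?P<bp>\d+) "
    r"duration (?P<dur>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$")


@dataclass(frozen=True)
class Event:
    ts: str
    msgid: str
    proto: str
    src: str            # endpoint on the protected interface, "ip/port"
    dst: str            # endpoint on the other interface, "ip/port"
    reason: str
    conn_id: Optional[int] = None
    bytes: Optional[int] = None


def parse_line(line: str, inside_if: str = "inside") -> Optional[Event]:
    """Return an Event for a 507003 or 302014 line, None for anything else.
    `inside_if` (assumed name) decides which endpoint is reported as src."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    msgid, body = m["msgid"], m["body"]
    if msgid == "507003":
        d = DROP_507003.match(body)
        if not d:
            return None
        return Event(m["ts"], msgid, d["proto"].upper(),
                     f'{d["src"]}/{d["sport"]}', f'{d["dst"]}/{d["dport"]}',
                     d["reason"])
    if msgid == "302014":
        d = TEARDOWN_302014.match(body)
        if not d:
            return None
        # 302014 prints the endpoints in connection-build order, which may be
        # outside-first; normalise so the protected side is always src.
        a = (d["a_if"], f'{d["a"]}/{d["ap"]}')
        b = (d["b_if"], f'{d["b"]}/{d["bp"]}')
        src, dst = (a[1], b[1]) if a[0] == inside_if else (b[1], a[1])
        return Event(m["ts"], msgid, d["proto"].upper(), src, dst,
                     d["reason"], int(d["conn"]), int(d["bytes"]))
    return None


def inspection_drops(log_text: str, inside_if: str = "inside") -> list:
    """Pair each 507003 drop with the 302014 teardown of the same flow and
    return one summary dict per confirmed inspection drop."""
    events = [e for e in (parse_line(l, inside_if) for l in log_text.splitlines()) if e]
    teardowns = {(e.proto, e.src, e.dst): e for e in events if e.msgid == "302014"}
    out = []
    for e in events:
        if e.msgid != "507003":
            continue
        td = teardowns.get((e.proto, e.src, e.dst))
        out.append({"ts": e.ts, "src": e.src, "dst": e.dst, "reason": e.reason,
                    "conn_id": td.conn_id if td else None,
                    "bytes": td.bytes if td else None,
                    "teardown_reason": td.reason if td else None})
    return out


if __name__ == "__main__":
    for d in inspection_drops(SAMPLE_LOG):
        print(d)
```

A flow that was permitted by a filter "allow" or "except" line would produce a normal 302014 teardown with a non-zero byte count and no 507003 message, so the pairing above distinguishes "filter bypassed" from "inspection dropped" without needing the URL server to be reachable.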