Hello

Can anyone see why I am still able to surf to Facebook from inside the ASA
with this config?

time-range STUDY-TIME
 absolute start 07:05 08 February 2010 end 07:59 08 February 2010
!
access-list acl-MAKE-JIMMY-WORK extended permit tcp any any eq www time-range STUDY-TIME

class-map class-NOSURF
 match access-list acl-MAKE-JIMMY-WORK


regex gmail ".*mail\.google\.com.*"
regex googlereader "*.google\.com\/reader.*"
regex twitter "*.twitter\.com.*"
regex facebook "*.facebook\.com.*"


class-map type regex match-any class-map-JIMMYS-BANNED-SITES
 match regex twitter
 match regex facebook
 match regex googlereader
 match regex gmail

class-map type inspect http match-all class-FIND-BANNED-URLS
 match request uri regex class class-map-JIMMYS-BANNED-SITES

policy-map type inspect http policy-INSPECT-HTTP
 parameters
 class class-FIND-BANNED-URLS
  reset log

policy-map policy-inside
# Other classes
 class class-NOSURF
  inspect http policy-INSPECT-HTTP

Time-range is active:
Home-ASA(config-pmap)# sh time-range

time-range entry: STUDY-TIME (active)
   periodic weekdays 7:00 to 7:59
   used in: IP ACL entry

My ACL gets hit counts:
Home-ASA(config-pmap)# sh access-list acl-MAKE-JIMMY-WORK
access-list acl-MAKE-JIMMY-WORK; 1 elements; name hash: 0x947ef6ed
access-list acl-MAKE-JIMMY-WORK line 1 extended permit tcp any any eq www time-range STUDY-TIME (hitcnt=1) 0xbe60f654

My service-policy looks good:

Home-ASA(config-pmap)# sh service-policy inspect http

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http test_pmap, packet 6895252, drop 68, reset-drop 0
        protocol violations
          log, packet 68

Interface inside:
  Service-policy: policy-inside
    Class-map: class-NOSURF
      Inspect: http policy-INSPECT-HTTP, packet 1495, drop 0, reset-drop 0
        protocol violations
          packet 0
        class class-FIND-BANNED-URLS
          reset log, packet 0
Home-ASA(config-pmap)#

And the service-policy looks good:

Home-ASA(config-pmap)# sh service-policy inspect http

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http test_pmap, packet 6, drop 0, reset-drop 0
        protocol violations
          log, packet 0

Interface inside:
  Service-policy: policy-inside
    Class-map: class-NOSURF
      Inspect: http policy-INSPECT-HTTP, packet 327, drop 0, reset-drop 0
        protocol violations
          packet 0
        class class-FIND-BANNED-URLS
          reset log, packet 0
Home-ASA(config-pmap)#

Anyone?

-- 
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------
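An added example, not part of Jimmy's post, for testing the four regex lines above offline before they go on a firewall. It copies the patterns verbatim, uses Python's re module as a stand-in for the ASA regex engine (an assumption: the two engines differ in details, but both require that a quantifier like "*" has something before it to repeat), and then runs a corrected pattern against a constructed request to show which part of the request actually carries the site name: a browser visiting facebook.com sends "GET / HTTP/1.1" with the hostname only in the Host header, so a pattern applied to the request URI alone sees "/" and nothing else.

```python
import re

# Constructed copy of the four regex lines from the posted ASA config.
# Python's re module stands in for the ASA regex engine here (assumption).
POSTED_REGEXES = {
    "gmail":        r".*mail\.google\.com.*",
    "googlereader": r"*.google\.com\/reader.*",
    "twitter":      r"*.twitter\.com.*",
    "facebook":     r"*.facebook\.com.*",
}

# Constructed sample of what a browser sends for a plain visit to facebook.com:
# the site name is in the Host header, the request-line URI is just "/".
SAMPLE_REQUEST = {"uri": "/", "host": "www.facebook.com"}


def compile_status(patterns):
    """Try to compile each pattern. Returns {name: None} when the engine
    accepts it, or {name: error text} when it rejects it."""
    status = {}
    for name, pat in patterns.items():
        try:
            re.compile(pat)
            status[name] = None
        except re.error as exc:
            status[name] = str(exc)
    return status


def fixed(pattern):
    """Rewrite a pattern that starts with a bare '*.' into the '.*' form the
    gmail line already uses; patterns that are already fine come back unchanged."""
    if pattern.startswith("*."):
        return ".*" + pattern[2:]
    return pattern


def check_request(pattern, request):
    """For one compilable pattern, report whether it hits the request URI
    (what 'match request uri regex' inspects) and whether it hits the Host
    header (a separate field) for the given request."""
    rx = re.compile(pattern)
    return {
        "uri_hit": rx.search(request["uri"]) is not None,
        "host_hit": rx.search(request["host"]) is not None,
    }


if __name__ == "__main__":
    # Step 1: which of the posted patterns does a regex engine even accept?
    for name, err in compile_status(POSTED_REGEXES).items():
        print(f"{name:13s} {'ok' if err is None else 'REJECTED: ' + err}")

    # Step 2: with the leading '*.' corrected, where does the pattern hit?
    for name, pat in POSTED_REGEXES.items():
        result = check_request(fixed(pat), SAMPLE_REQUEST)
        print(f"{name:13s} {fixed(pat):28s} uri_hit={result['uri_hit']} "
              f"host_hit={result['host_hit']}")
```

Two things fall out of the run: three of the four patterns are rejected outright because of the leading "*", and even the corrected facebook pattern only hits the Host header, never the URI "/" of a plain site visit. On the ASA the Host header is inspected with the "match request header host regex" form of the http class-map rather than "match request uri regex"; which form a given deployment needs should be confirmed against the ASA documentation for the running version.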