But still I can browse to facebook. The exact url is copied from my browser:
Home-ASA# test regex "http://www.facebook.com/"; ".*\.facebook\.com" INFO: Regular expression match succeeded. Home-ASA# sh access-list acl-MAKE-JIMMY-WORK access-list acl-MAKE-JIMMY-WORK; 1 elements; name hash: 0x947ef6ed access-list acl-MAKE-JIMMY-WORK line 1 extended permit tcp any any eq www time-range STUDY-TIME (hitcnt=23) 0xbe60f654 Home-ASA# Home-ASA# sh time-range time-range entry: STUDY-TIME (active) periodic weekdays 7:00 to 7:59 periodic weekdays 8:00 to 10:00 used in: IP ACL entry Home-ASA# sh service-policy inspect http Global policy: Service-policy: global_policy Class-map: inspection_default Inspect: http test_pmap, packet 83, drop 0, reset-drop 0 protocol violations log, packet 0 Interface inside: Service-policy: policy-inside Class-map: class-NOSURF Inspect: http policy-INSPECT-HTTP, packet 1608, drop 0, reset-drop 0 protocol violations packet 0 class class-FIND-BANNED-URLS reset log, packet 0 Home-ASA# Just to verify that it had nothing to do with my time-range I removed that option in the acl. Now its just "permit tcp any any eq 80" but the "problem" remains. Br Jimmy 2010/2/8 Brandon Carroll <[email protected]> > Jimmy, > > I think its your regular expression. Look at what I did on the ASA: > > First I tested yours: > > ASA1# test regex www.facebook.com "*.facebook\.com.*" > INFO: Regular expression match failed. > > > Then mine: > > ASA1# test regex www.facebook.com ".+\.facebook\.com*" > INFO: Regular expression match succeeded. > > Then a few others to test the path to other apps: > > ASA1# test regex www.facebook.com/reader ".+\.facebook\.com*" > INFO: Regular expression match succeeded. > > ASA1# test regex www.facebook.com/farmville_app ".+\.facebook\.com*" > INFO: Regular expression match succeeded. > > Finally I tested agains another site: > > ASA1# test regex www.cisco.com/ ".+\.facebook\.com*" > INFO: Regular expression match failed. > > and > > ASA1# test regex www.google.com/ ".+\.facebook\.com*" > INFO: Regular expression match failed. > > give that a try and see where you get. > > Regards, > > Brandon Carroll - CCIE #23837 > Senior Technical Instructor - IPexpert > Mailto: [email protected] > Telephone: +1.810.326.1444 > Live Assistance, Please visit: www.ipexpert.com/chat > eFax: +1.810.454.0130 > > IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, > Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service > Provider) Certification Training with locations throughout the United > States, Europe and Australia. Be sure to check out our online communities at > www.ipexpert.com/communities and our public website at www.ipexpert.com. > > > > On Sun, Feb 7, 2010 at 10:50 PM, Jimmy Larsson <[email protected]> wrote: > >> Hello >> >> Can anyone see why I am still able to surf to facebook from inside the ASA >> with this config? >> >> time-range STUDY-TIME >> absolute start 07:05 08 February 2010 end 07:59 08 February 2010 >> ! >> access-list acl-MAKE-JIMMY-WORK extended permit tcp any any eq www >> time-range STUDY-TIME >> >> class-map class-NOSURF >> match access-list acl-MAKE-JIMMY-WORK >> >> >> regex gmail ".*mail\.google\.com.*" >> regex googlereader "*.google\.com\/reader.*" >> regex twitter "*.twitter\.com.*" >> regex facebook "*.facebook\.com.*" >> >> >> class-map type regex match-any class-map-JIMMYS-BANNED-SITES >> match regex twitter >> match regex facebook >> match regex googlereader >> match regex gmail >> >> class-map type inspect http match-all class-FIND-BANNED-URLS >> match request uri regex class class-map-JIMMYS-BANNED-SITES >> >> policy-map type inspect http policy-INSPECT-HTTP >> parameters >> class class-FIND-BANNED-URLS >> reset log >> >> policy-map policy-inside >> # Other classes >> class class-NOSURF >> inspect http policy-INSPECT-HTTP >> >> Time-range is active: >> Home-ASA(config-pmap)# sh time-range >> >> time-range entry: STUDY-TIME (active) >> periodic weekdays 7:00 to 7:59 >> used in: IP ACL entry >> >> my acl gets hitcounts: >> Home-ASA(config-pmap)# sh access-list acl-MAKE-JIMMY-WORK >> access-list acl-MAKE-JIMMY-WORK; 1 elements; name hash: 0x947ef6ed >> access-list acl-MAKE-JIMMY-WORK line 1 extended permit tcp any any eq www >> time-range STUDY-TIME (hitcnt=1) 0xbe60f654 >> >> My service-policy looks good: >> >> Home-ASA(config-pmap)# sh service-policy inspect http >> >> Global policy: >> Service-policy: global_policy >> Class-map: inspection_default >> Inspect: http test_pmap, packet 6895252, drop 68, reset-drop 0 >> protocol violations >> log, packet 68 >> >> Interface inside: >> Service-policy: policy-inside >> Class-map: class-NOSURF >> Inspect: http policy-INSPECT-HTTP, packet 1495, drop 0, reset-drop 0 >> protocol violations >> packet 0 >> class class-FIND-BANNED-URLS >> reset log, packet 0 >> Home-ASA(config-pmap)# >> >> And the service-policy looks good: >> >> Home-ASA(config-pmap)# sh service-policy inspect http >> >> Global policy: >> Service-policy: global_policy >> Class-map: inspection_default >> Inspect: http test_pmap, packet 6, drop 0, reset-drop 0 >> protocol violations >> log, packet 0 >> >> Interface inside: >> Service-policy: policy-inside >> Class-map: class-NOSURF >> Inspect: http policy-INSPECT-HTTP, packet 327, drop 0, reset-drop 0 >> protocol violations >> packet 0 >> class class-FIND-BANNED-URLS >> reset log, packet 0 >> Home-ASA(config-pmap)# >> >> Anyone? >> >> -- >> ------- >> Jimmy Larsson >> Ryavagen 173 >> s-26030 Vallakra >> Sweden >> http://blogg.kvistofta.nu >> ------- >> >> _______________________________________________ >> For more information regarding industry leading CCIE Lab training, please >> visit www.ipexpert.com >> >> > -- ------- Jimmy Larsson Ryavagen 173 s-26030 Vallakra Sweden http://blogg.kvistofta.nu -------
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
