Do you see anything in your logs when you browse to Facebook?
Regards,
Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
::Message Sent from iPhone::
IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
(R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice,
Security & Service Provider) Certification Training with locations
throughout the United States, Europe and Australia. Be sure to check
out our online communities at www.ipexpert.com/communities and our
public website at www.ipexpert.com.
On Feb 8, 2010, at 12:41 AM, Jimmy Larsson <[email protected]> wrote:
But still I can browse to Facebook. The exact URL is copied from my browser:
Home-ASA# test regex "http://www.facebook.com/" ".*\.facebook\.com"
INFO: Regular expression match succeeded.
Home-ASA# sh access-list acl-MAKE-JIMMY-WORK
access-list acl-MAKE-JIMMY-WORK; 1 elements; name hash: 0x947ef6ed
access-list acl-MAKE-JIMMY-WORK line 1 extended permit tcp any any eq www time-range STUDY-TIME (hitcnt=23) 0xbe60f654
Home-ASA#
Home-ASA# sh time-range
time-range entry: STUDY-TIME (active)
periodic weekdays 7:00 to 7:59
periodic weekdays 8:00 to 10:00
used in: IP ACL entry
Home-ASA# sh service-policy inspect http
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: http test_pmap, packet 83, drop 0, reset-drop 0
protocol violations
log, packet 0
Interface inside:
Service-policy: policy-inside
Class-map: class-NOSURF
Inspect: http policy-INSPECT-HTTP, packet 1608, drop 0, reset-drop 0
protocol violations
packet 0
class class-FIND-BANNED-URLS
reset log, packet 0
Home-ASA#
Just to verify that it had nothing to do with my time-range, I removed that option from the ACL. Now it's just "permit tcp any any eq 80" but the "problem" remains.
Br Jimmy
2010/2/8 Brandon Carroll <[email protected]>
Jimmy,
I think it's your regular expression. Look at what I did on the ASA:
First I tested yours:
ASA1# test regex www.facebook.com "*.facebook\.com.*"
INFO: Regular expression match failed.
Then mine:
ASA1# test regex www.facebook.com ".+\.facebook\.com*"
INFO: Regular expression match succeeded.
Then a few others to test the path to other apps:
ASA1# test regex www.facebook.com/reader ".+\.facebook\.com*"
INFO: Regular expression match succeeded.
ASA1# test regex www.facebook.com/farmville_app ".+\.facebook\.com*"
INFO: Regular expression match succeeded.
Finally I tested against another site:
ASA1# test regex www.cisco.com/ ".+\.facebook\.com*"
INFO: Regular expression match failed.
and
ASA1# test regex www.google.com/ ".+\.facebook\.com*"
INFO: Regular expression match failed.
Give that a try and see where you get.
Regards,
Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
On Sun, Feb 7, 2010 at 10:50 PM, Jimmy Larsson <[email protected]> wrote:
Hello
Can anyone see why I am still able to surf to Facebook from inside the ASA with this config?
time-range STUDY-TIME
absolute start 07:05 08 February 2010 end 07:59 08 February 2010
!
access-list acl-MAKE-JIMMY-WORK extended permit tcp any any eq www
time-range STUDY-TIME
class-map class-NOSURF
match access-list acl-MAKE-JIMMY-WORK
regex gmail ".*mail\.google\.com.*"
regex googlereader "*.google\.com\/reader.*"
regex twitter "*.twitter\.com.*"
regex facebook "*.facebook\.com.*"
class-map type regex match-any class-map-JIMMYS-BANNED-SITES
match regex twitter
match regex facebook
match regex googlereader
match regex gmail
class-map type inspect http match-all class-FIND-BANNED-URLS
match request uri regex class class-map-JIMMYS-BANNED-SITES
policy-map type inspect http policy-INSPECT-HTTP
parameters
class class-FIND-BANNED-URLS
reset log
policy-map policy-inside
# Other classes
class class-NOSURF
inspect http policy-INSPECT-HTTP
Time-range is active:
Home-ASA(config-pmap)# sh time-range
time-range entry: STUDY-TIME (active)
periodic weekdays 7:00 to 7:59
used in: IP ACL entry
My ACL gets hit counts:
Home-ASA(config-pmap)# sh access-list acl-MAKE-JIMMY-WORK
access-list acl-MAKE-JIMMY-WORK; 1 elements; name hash: 0x947ef6ed
access-list acl-MAKE-JIMMY-WORK line 1 extended permit tcp any any eq www time-range STUDY-TIME (hitcnt=1) 0xbe60f654
My service-policy looks good:
Home-ASA(config-pmap)# sh service-policy inspect http
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: http test_pmap, packet 6895252, drop 68, reset-drop 0
protocol violations
log, packet 68
Interface inside:
Service-policy: policy-inside
Class-map: class-NOSURF
Inspect: http policy-INSPECT-HTTP, packet 1495, drop 0, reset-drop 0
protocol violations
packet 0
class class-FIND-BANNED-URLS
reset log, packet 0
Home-ASA(config-pmap)#
And the service-policy looks good:
Home-ASA(config-pmap)# sh service-policy inspect http
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: http test_pmap, packet 6, drop 0, reset-drop 0
protocol violations
log, packet 0
Interface inside:
Service-policy: policy-inside
Class-map: class-NOSURF
Inspect: http policy-INSPECT-HTTP, packet 327, drop 0, reset-drop 0
protocol violations
packet 0
class class-FIND-BANNED-URLS
reset log, packet 0
Home-ASA(config-pmap)#
Anyone?
--
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------
_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com