Nope. But I lack a good way of debugging what's really happening inside
of MPF. I can use the show-commands to look at counters for acl and
service-policies. But more than that? Is there a way for me to see if
the class-maps are really in use?

Br Jimmy


On 2/8/10, Brandon Carroll <[email protected]> wrote:
> Do you see anything in your logs when you browse to facebook?
>
>
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
> Mailto: [email protected]
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> ::Message Sent from iPhone::
>
> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
> (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice,
> Security & Service Provider) Certification Training with locations
> throughout the United States, Europe and Australia. Be sure to check
> out our online communities at www.ipexpert.com/communities and our
> public website at www.ipexpert.com.
>
> On Feb 8, 2010, at 12:41 AM, Jimmy Larsson <[email protected]> wrote:
>
>> But still I can browse to facebook. The exact url is copied from my
>> browser:
>>
>> Home-ASA# test regex "http://www.facebook.com/" ".*\.facebook\.com"
>> INFO: Regular expression match succeeded.
>>
>> Home-ASA# sh access-list  acl-MAKE-JIMMY-WORK
>> access-list acl-MAKE-JIMMY-WORK; 1 elements; name hash: 0x947ef6ed
>> access-list acl-MAKE-JIMMY-WORK line 1 extended permit tcp any any
>> eq www time-range STUDY-TIME (hitcnt=23) 0xbe60f654
>> Home-ASA#
>>
>>
>> Home-ASA# sh time-range
>>
>> time-range entry: STUDY-TIME (active)
>>    periodic weekdays 7:00 to 7:59
>>    periodic weekdays 8:00 to 10:00
>>    used in: IP ACL entry
>>
>> Home-ASA# sh service-policy inspect http
>>
>> Global policy:
>>   Service-policy: global_policy
>>     Class-map: inspection_default
>>       Inspect: http test_pmap, packet 83, drop 0, reset-drop 0
>>         protocol violations
>>           log, packet 0
>>
>> Interface inside:
>>   Service-policy: policy-inside
>>     Class-map: class-NOSURF
>>       Inspect: http policy-INSPECT-HTTP, packet 1608, drop 0, reset-drop 0
>>         protocol violations
>>           packet 0
>>         class class-FIND-BANNED-URLS
>>           reset log, packet 0
>> Home-ASA#
>>
>> Just to verify that it had nothing to do with my time-range I
>> removed that option in the acl. Now it's just "permit tcp any any eq
>> 80" but the "problem" remains.
>>
>> Br Jimmy
>>
>> 2010/2/8 Brandon Carroll <[email protected]>
>> Jimmy,
>>
>> I think it's your regular expression.  Look at what I did on the ASA:
>>
>> First I tested yours:
>>
>> ASA1# test regex www.facebook.com "*.facebook\.com.*"
>> INFO: Regular expression match failed.
>>
>>
>> Then mine:
>>
>> ASA1# test regex www.facebook.com ".+\.facebook\.com*"
>> INFO: Regular expression match succeeded.
>>
>> Then a few others to test the path to other apps:
>>
>> ASA1# test regex www.facebook.com/reader ".+\.facebook\.com*"
>> INFO: Regular expression match succeeded.
>>
>> ASA1# test regex www.facebook.com/farmville_app ".+\.facebook\.com*"
>> INFO: Regular expression match succeeded.
>>
>> Finally I tested against another site:
>>
>> ASA1# test regex www.cisco.com/ ".+\.facebook\.com*"
>> INFO: Regular expression match failed.
>>
>> and
>>
>> ASA1# test regex www.google.com/ ".+\.facebook\.com*"
>> INFO: Regular expression match failed.
>>
>> Give that a try and see where you get.
>>
>> Regards,
>>
>> Brandon Carroll - CCIE #23837
>> Senior Technical Instructor - IPexpert
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>>
>>
>>
>> On Sun, Feb 7, 2010 at 10:50 PM, Jimmy Larsson <[email protected]>
>> wrote:
>> Hello
>>
>> Can anyone see why I am still able to surf to facebook from inside
>> the ASA with this config?
>>
>> time-range STUDY-TIME
>>  absolute start 07:05 08 February 2010 end 07:59 08 February 2010
>> !
>> access-list acl-MAKE-JIMMY-WORK extended permit tcp any any eq www
>> time-range STUDY-TIME
>>
>> class-map class-NOSURF
>>  match access-list acl-MAKE-JIMMY-WORK
>>
>>
>> regex gmail ".*mail\.google\.com.*"
>> regex googlereader "*.google\.com\/reader.*"
>> regex twitter "*.twitter\.com.*"
>> regex facebook "*.facebook\.com.*"
>>
>>
>> class-map type regex match-any class-map-JIMMYS-BANNED-SITES
>>  match regex twitter
>>  match regex facebook
>>  match regex googlereader
>>  match regex gmail
>>
>> class-map type inspect http match-all class-FIND-BANNED-URLS
>>  match request uri regex class class-map-JIMMYS-BANNED-SITES
>>
>> policy-map type inspect http policy-INSPECT-HTTP
>>  parameters
>>  class class-FIND-BANNED-URLS
>>   reset log
>>
>> policy-map policy-inside
>> # Other classes
>>  class class-NOSURF
>>   inspect http policy-INSPECT-HTTP
>>
>> Time-range is active:
>> Home-ASA(config-pmap)# sh time-range
>>
>> time-range entry: STUDY-TIME (active)
>>    periodic weekdays 7:00 to 7:59
>>    used in: IP ACL entry
>>
>> my acl gets hitcounts:
>> Home-ASA(config-pmap)# sh access-list acl-MAKE-JIMMY-WORK
>> access-list acl-MAKE-JIMMY-WORK; 1 elements; name hash: 0x947ef6ed
>> access-list acl-MAKE-JIMMY-WORK line 1 extended permit tcp any any
>> eq www time-range STUDY-TIME (hitcnt=1) 0xbe60f654
>>
>> My service-policy looks good:
>>
>> Home-ASA(config-pmap)# sh service-policy inspect http
>>
>> Global policy:
>>   Service-policy: global_policy
>>     Class-map: inspection_default
>>       Inspect: http test_pmap, packet 6895252, drop 68, reset-drop 0
>>         protocol violations
>>           log, packet 68
>>
>> Interface inside:
>>   Service-policy: policy-inside
>>     Class-map: class-NOSURF
>>       Inspect: http policy-INSPECT-HTTP, packet 1495, drop 0, reset-drop 0
>>         protocol violations
>>           packet 0
>>         class class-FIND-BANNED-URLS
>>           reset log, packet 0
>> Home-ASA(config-pmap)#
>>
>> And the service-policy looks good:
>>
>> Home-ASA(config-pmap)# sh service-policy inspect http
>>
>> Global policy:
>>   Service-policy: global_policy
>>     Class-map: inspection_default
>>       Inspect: http test_pmap, packet 6, drop 0, reset-drop 0
>>         protocol violations
>>           log, packet 0
>>
>> Interface inside:
>>   Service-policy: policy-inside
>>     Class-map: class-NOSURF
>>       Inspect: http policy-INSPECT-HTTP, packet 327, drop 0, reset-drop 0
>>         protocol violations
>>           packet 0
>>         class class-FIND-BANNED-URLS
>>           reset log, packet 0
>> Home-ASA(config-pmap)#
>>
>> Anyone?
>>
>> --
>> -------
>> Jimmy Larsson
>> Ryavagen 173
>> s-26030 Vallakra
>> Sweden
>> http://blogg.kvistofta.nu
>> -------
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training,
>> please visit www.ipexpert.com
>>
>>
>>
>>
>>
>> --
>> -------
>> Jimmy Larsson
>> Ryavagen 173
>> s-26030 Vallakra
>> Sweden
>> http://blogg.kvistofta.nu
>> -------
>


-- 
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------
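The exchange above turns on two things that are easier to see outside the ASA: whether the `*`-leading patterns in the quoted config are valid regular expressions at all, and what string `match request uri` actually gets to look at. The Python below is an added example, not code from the thread, from the posters or from Cisco. It compiles the five patterns quoted above with Python's `re` module (which, unlike the ASA's `test regex`, rejects a leading `*` outright as "nothing to repeat" instead of reporting a failed match), then runs the patterns with search semantics (an assumption that this mirrors the ASA's unanchored matching) against constructed HTTP requests, keeping the request-line URI separate from the Host header the way an HTTP inspector does. The request lines, Host values and the `FIXED_PATTERNS` rewrites are all constructed for this example.

```python
import re

# Patterns quoted in the thread: the four from the config plus Brandon's replacement.
THREAD_PATTERNS = {
    "gmail": r".*mail\.google\.com.*",
    "googlereader": r"*.google\.com\/reader.*",
    "twitter": r"*.twitter\.com.*",
    "facebook": r"*.facebook\.com.*",
    "facebook_fixed": r".+\.facebook\.com*",   # Brandon's version
}

# Constructed rewrites (assumption: a leading ".*" is what was intended).
FIXED_PATTERNS = {
    "gmail": r".*mail\.google\.com.*",
    "googlereader": r".*\.google\.com/reader.*",
    "twitter": r".*\.twitter\.com.*",
    "facebook": r".*\.facebook\.com.*",
}


def compile_report(patterns):
    """Compile each pattern; return (compiled_by_name, error_message_by_name)."""
    compiled, errors = {}, {}
    for name, pat in patterns.items():
        try:
            compiled[name] = re.compile(pat)
        except re.error as exc:
            errors[name] = str(exc)
    return compiled, errors


def match_names(text, compiled):
    """Names of patterns that match anywhere in text.

    Search (unanchored) semantics are an assumption about how the ASA
    applies a regex to the field it inspects.
    """
    return sorted(name for name, rx in compiled.items() if rx.search(text))


def inspect_request(request_line, host_header, compiled):
    """Split a request line and report which patterns hit the request-URI
    and which hit the Host header, as two separate lists."""
    _method, uri, _version = request_line.split(" ", 2)
    return match_names(uri, compiled), match_names(host_header, compiled)


# Constructed requests as a browser would send them through the firewall.
SAMPLE_REQUESTS = [
    ("GET / HTTP/1.1", "www.facebook.com"),                         # direct request: URI is just the path
    ("GET http://www.facebook.com/ HTTP/1.1", "www.facebook.com"),  # absolute-form URI, seen only via an explicit proxy
    ("GET /mail/ HTTP/1.1", "mail.google.com"),
    ("GET /reader HTTP/1.1", "www.google.com"),
    ("GET / HTTP/1.1", "www.cisco.com"),
]

if __name__ == "__main__":
    ok, bad = compile_report(THREAD_PATTERNS)
    for name, err in bad.items():
        print(f"{name}: rejected ({err})")
    fixed, _ = compile_report(FIXED_PATTERNS)
    for line, host in SAMPLE_REQUESTS:
        uri_hits, host_hits = inspect_request(line, host, {**ok, **fixed})
        print(f"{line!r:44} Host={host:18} uri->{uri_hits} host->{host_hits}")
```

What the output makes visible: for a direct browser request the request-URI is only the path (`/`), so a hostname regex that succeeds when tested against `www.facebook.com` at the CLI never sees that string in `match request uri`; the hostname only appears in the Host header, and the absolute-form URI only appears when the browser talks through an explicit proxy. The ASA inspect-http class map has a `match request header host regex` form for the Host header, and a host-plus-path rule such as the Google Reader one needs both a host match and a uri match in a match-all class, since neither field alone contains `google.com/reader`.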