Exactly! I have been troubleshooting this for a couple of hours just because I didn't know what a "uri" was. .-)
/J

2010/2/8 Jimmy Larsson <[email protected]>
> I've got it!
>
> If I add this regex to the class-map I will successfully prevent
> myself from browsing to my WordPress admin page
> (http://blogg.kvistofta.nu/wp-admin):
>
> regex blogadmin ".*\/wp-admin.*"
>
> However, if I use this regex it doesn't work:
>
> regex blogadmin ".*blogg\.kvistofta\.nu\/wp-admin.*"
>
> I've found out why. Anyone, a quick guess?
>
> Br Jimmy
>
> On 2/8/10, Jimmy Larsson <[email protected]> wrote:
> > Nope. But I lack a good way of debugging what's really happening inside
> > of MPF. I can use the show commands to look at counters for ACLs and
> > service-policies. But more than that? Is there a way for me to see if
> > the class-maps are really in use?
> >
> > Br Jimmy
> >
> > On 2/8/10, Brandon Carroll <[email protected]> wrote:
> >> Do you see anything in your logs when you browse to facebook?
> >>
> >> Regards,
> >>
> >> Brandon Carroll - CCIE #23837
> >> Senior Technical Instructor - IPexpert
> >> Mailto: [email protected]
> >> Telephone: +1.810.326.1444
> >> Live Assistance, Please visit: www.ipexpert.com/chat
> >> eFax: +1.810.454.0130
> >>
> >> ::Message Sent from iPhone::
> >>
> >> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
> >> (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice,
> >> Security & Service Provider) Certification Training with locations
> >> throughout the United States, Europe and Australia. Be sure to check
> >> out our online communities at www.ipexpert.com/communities and our
> >> public website at www.ipexpert.com.
> >>
> >> On Feb 8, 2010, at 12:41 AM, Jimmy Larsson <[email protected]> wrote:
> >>
> >>> But still I can browse to facebook. The exact URL is copied from my
> >>> browser:
> >>>
> >>> Home-ASA# test regex "http://www.facebook.com/" ".*\.facebook\.com"
> >>> INFO: Regular expression match succeeded.
> >>>
> >>> Home-ASA# sh access-list acl-MAKE-JIMMY-WORK
> >>> access-list acl-MAKE-JIMMY-WORK; 1 elements; name hash: 0x947ef6ed
> >>> access-list acl-MAKE-JIMMY-WORK line 1 extended permit tcp any any
> >>> eq www time-range STUDY-TIME (hitcnt=23) 0xbe60f654
> >>> Home-ASA#
> >>>
> >>> Home-ASA# sh time-range
> >>>
> >>> time-range entry: STUDY-TIME (active)
> >>>    periodic weekdays 7:00 to 7:59
> >>>    periodic weekdays 8:00 to 10:00
> >>>    used in: IP ACL entry
> >>>
> >>> Home-ASA# sh service-policy inspect http
> >>>
> >>> Global policy:
> >>>   Service-policy: global_policy
> >>>     Class-map: inspection_default
> >>>       Inspect: http test_pmap, packet 83, drop 0, reset-drop 0
> >>>         protocol violations
> >>>           log, packet 0
> >>>
> >>> Interface inside:
> >>>   Service-policy: policy-inside
> >>>     Class-map: class-NOSURF
> >>>       Inspect: http policy-INSPECT-HTTP, packet 1608, drop 0, reset-drop 0
> >>>         protocol violations
> >>>           packet 0
> >>>         class class-FIND-BANNED-URLS
> >>>           reset log, packet 0
> >>> Home-ASA#
> >>>
> >>> Just to verify that it had nothing to do with my time-range I
> >>> removed that option in the ACL. Now it's just "permit tcp any any eq
> >>> 80" but the "problem" remains.
> >>>
> >>> Br Jimmy
> >>>
> >>> 2010/2/8 Brandon Carroll <[email protected]>
> >>> Jimmy,
> >>>
> >>> I think it's your regular expression. Look at what I did on the ASA:
> >>>
> >>> First I tested yours:
> >>>
> >>> ASA1# test regex www.facebook.com "*.facebook\.com.*"
> >>> INFO: Regular expression match failed.
> >>>
> >>> Then mine:
> >>>
> >>> ASA1# test regex www.facebook.com ".+\.facebook\.com*"
> >>> INFO: Regular expression match succeeded.
> >>>
> >>> Then a few others to test the path to other apps:
> >>>
> >>> ASA1# test regex www.facebook.com/reader ".+\.facebook\.com*"
> >>> INFO: Regular expression match succeeded.
> >>>
> >>> ASA1# test regex www.facebook.com/farmville_app ".+\.facebook\.com*"
> >>> INFO: Regular expression match succeeded.
> >>>
> >>> Finally I tested against another site:
> >>>
> >>> ASA1# test regex www.cisco.com/ ".+\.facebook\.com*"
> >>> INFO: Regular expression match failed.
> >>>
> >>> and
> >>>
> >>> ASA1# test regex www.google.com/ ".+\.facebook\.com*"
> >>> INFO: Regular expression match failed.
> >>>
> >>> Give that a try and see where you get.
> >>>
> >>> Regards,
> >>>
> >>> Brandon Carroll - CCIE #23837
> >>>
> >>> On Sun, Feb 7, 2010 at 10:50 PM, Jimmy Larsson <[email protected]>
> >>> wrote:
> >>> Hello
> >>>
> >>> Can anyone see why I am still able to surf to facebook from inside
> >>> the ASA with this config?
> >>>
> >>> time-range STUDY-TIME
> >>>  absolute start 07:05 08 February 2010 end 07:59 08 February 2010
> >>> !
> >>> access-list acl-MAKE-JIMMY-WORK extended permit tcp any any eq www
> >>> time-range STUDY-TIME
> >>>
> >>> class-map class-NOSURF
> >>>  match access-list acl-MAKE-JIMMY-WORK
> >>>
> >>> regex gmail ".*mail\.google\.com.*"
> >>> regex googlereader "*.google\.com\/reader.*"
> >>> regex twitter "*.twitter\.com.*"
> >>> regex facebook "*.facebook\.com.*"
> >>>
> >>> class-map type regex match-any class-map-JIMMYS-BANNED-SITES
> >>>  match regex twitter
> >>>  match regex facebook
> >>>  match regex googlereader
> >>>  match regex gmail
> >>>
> >>> class-map type inspect http match-all class-FIND-BANNED-URLS
> >>>  match request uri regex class class-map-JIMMYS-BANNED-SITES
> >>>
> >>> policy-map type inspect http policy-INSPECT-HTTP
> >>>  parameters
> >>>  class class-FIND-BANNED-URLS
> >>>   reset log
> >>>
> >>> policy-map policy-inside
> >>>  # Other classes
> >>>  class class-NOSURF
> >>>   inspect http policy-INSPECT-HTTP
> >>>
> >>> Time-range is active:
> >>> Home-ASA(config-pmap)# sh time-range
> >>>
> >>> time-range entry: STUDY-TIME (active)
> >>>    periodic weekdays 7:00 to 7:59
> >>>    used in: IP ACL entry
> >>>
> >>> My ACL gets hit counts:
> >>> Home-ASA(config-pmap)# sh access-list acl-MAKE-JIMMY-WORK
> >>> access-list acl-MAKE-JIMMY-WORK; 1 elements; name hash: 0x947ef6ed
> >>> access-list acl-MAKE-JIMMY-WORK line 1 extended permit tcp any any
> >>> eq www time-range STUDY-TIME (hitcnt=1) 0xbe60f654
> >>>
> >>> My service-policy looks good:
> >>>
> >>> Home-ASA(config-pmap)# sh service-policy inspect http
> >>>
> >>> Global policy:
> >>>   Service-policy: global_policy
> >>>     Class-map: inspection_default
> >>>       Inspect: http test_pmap, packet 6895252, drop 68, reset-drop 0
> >>>         protocol violations
> >>>           log, packet 68
> >>>
> >>> Interface inside:
> >>>   Service-policy: policy-inside
> >>>     Class-map: class-NOSURF
> >>>       Inspect: http policy-INSPECT-HTTP, packet 1495, drop 0, reset-drop 0
> >>>         protocol violations
> >>>           packet 0
> >>>         class class-FIND-BANNED-URLS
> >>>           reset log, packet 0
> >>> Home-ASA(config-pmap)#
> >>>
> >>> And the service-policy looks good:
> >>>
> >>> Home-ASA(config-pmap)# sh service-policy inspect http
> >>>
> >>> Global policy:
> >>>   Service-policy: global_policy
> >>>     Class-map: inspection_default
> >>>       Inspect: http test_pmap, packet 6, drop 0, reset-drop 0
> >>>         protocol violations
> >>>           log, packet 0
> >>>
> >>> Interface inside:
> >>>   Service-policy: policy-inside
> >>>     Class-map: class-NOSURF
> >>>       Inspect: http policy-INSPECT-HTTP, packet 327, drop 0, reset-drop 0
> >>>         protocol violations
> >>>           packet 0
> >>>         class class-FIND-BANNED-URLS
> >>>           reset log, packet 0
> >>> Home-ASA(config-pmap)#
> >>>
> >>> Anyone?
> >>>
> >>> --
> >>> -------
> >>> Jimmy Larsson
> >>> Ryavagen 173
> >>> s-26030 Vallakra
> >>> Sweden
> >>> http://blogg.kvistofta.nu
> >>> -------
> >>>
> >>> _______________________________________________
> >>> For more information regarding industry leading CCIE Lab training,
> >>> please visit www.ipexpert.com
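An added example, not part of the thread and not any poster's code: a small Python emulation of what the ASA's HTTP inspection class-map actually sees. The thread's resolution is that `match request uri regex` is evaluated against the request-target from the HTTP request line (the path), not the full URL, so a pattern that embeds the hostname can only match when it is checked against the Host header (the ASA's `match request header host regex` criterion, which the thread's config does not use) or against a hand-built full URL as in `test regex`. The script parses constructed sample requests, applies the thread's own regexes to each field with Python's `re` (an assumption: the ASA's regex dialect is not documented on the page, but these patterns behave the same way), and reports what a match-any class of those regexes would do. It also runs the leading-`*` pattern, which Python rejects as invalid and which the ASA reported as a failed match.

```python
import re
from typing import Dict, Iterable, Tuple

# Constructed sample requests (not captured traffic from the thread).
SAMPLE_REQUESTS = {
    "facebook_home": "GET / HTTP/1.1\r\nHost: www.facebook.com\r\nUser-Agent: test\r\n\r\n",
    "blog_admin": "GET /wp-admin/ HTTP/1.1\r\nHost: blogg.kvistofta.nu\r\n\r\n",
    "google_reader": "GET /reader HTTP/1.1\r\nHost: www.google.com\r\n\r\n",
    "cisco_home": "GET / HTTP/1.1\r\nHost: www.cisco.com\r\n\r\n",
}

# Regexes exactly as they appear in the thread (the ASA 'regex' objects).
THREAD_REGEXES = {
    "blogadmin_uri_only": r".*\/wp-admin.*",
    "blogadmin_with_host": r".*blogg\.kvistofta\.nu\/wp-admin.*",
    "facebook_original": r"*.facebook\.com.*",   # Jimmy's, leading '*'
    "facebook_brandon": r".+\.facebook\.com*",   # Brandon's suggestion
    "googlereader": r"*.google\.com\/reader.*",
}


def parse_request(raw: str) -> Tuple[str, str]:
    """Split a raw HTTP/1.x request into (request-uri, host-header-value).

    'match request uri' only sees the request-target from the request line;
    'match request header host' only sees the Host header value.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    _method, uri, _version = request_line.split(" ", 2)
    host = ""
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    return uri, host


def regex_matches(pattern: str, text: str) -> bool:
    """Unanchored search, like 'test regex'; an invalid pattern never matches."""
    try:
        return re.search(pattern, text) is not None
    except re.error:
        # e.g. a pattern starting with '*' ("nothing to repeat")
        return False


def fields_seen_by_inspection(raw: str) -> Dict[str, str]:
    """The string each match criterion (or a 'test regex' of the pasted URL) sees."""
    uri, host = parse_request(raw)
    return {
        "request uri": uri,
        "request header host": host,
        "full url (test regex input)": f"http://{host}{uri}",
    }


def evaluate(raw: str, pattern: str) -> Dict[str, bool]:
    """Which of the three fields a given regex matches for this request."""
    return {field: regex_matches(pattern, text)
            for field, text in fields_seen_by_inspection(raw).items()}


def class_map_decision(raw: str, patterns: Iterable[str],
                       field: str = "request uri") -> str:
    """Emulate a 'class-map type regex match-any' used by 'match ... regex class':
    if any regex matches the chosen field, the inspect policy's 'reset log' fires."""
    text = fields_seen_by_inspection(raw)[field]
    return "reset" if any(regex_matches(p, text) for p in patterns) else "allow"


if __name__ == "__main__":
    for req_name, raw in SAMPLE_REQUESTS.items():
        print(req_name, fields_seen_by_inspection(raw))
        for rx_name, pattern in THREAD_REGEXES.items():
            print(f"  {rx_name:22} {evaluate(raw, pattern)}")
        print("  decision (request uri):        ",
              class_map_decision(raw, THREAD_REGEXES.values()))
        print("  decision (request header host):",
              class_map_decision(raw, THREAD_REGEXES.values(), "request header host"))
```

Running it reproduces both observations from the thread: `test regex` against the pasted full URL succeeds, yet the same pattern never fires under `request uri` because the path alone contains no hostname, while `.*\/wp-admin.*` matches the path and so does work. Note that every pattern in the thread is unanchored, so a host-based rule such as `.+\.facebook\.com*` also matches longer hostnames that merely contain `.facebook.co`; anchoring the pattern to the end of the header value tightens it.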
