And thanks to the others who contributed.

From: [email protected] 
[mailto:[email protected]] On Behalf Of Jimmy Larsson
Sent: Monday, February 08, 2010 9:36 PM
To: Brandon Carroll
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] MPF - whats wrong in this?

Exactly! I have been troubleshooting this a couple of hours just because I didn't 
know what a "uri" was. :-)

/J
2010/2/8 Jimmy Larsson <[email protected]>
I've got it!

If I add this regex to the class-map I will successfully prevent
myself from browsing to my WordPress admin page
(http://blogg.kvistofta.nu/wp-admin):

 regex blogadmin ".*\/wp-admin.*"

However, if I use this regex it doesn't work:

regex blogadmin ".*blogg\.kvistofta\.nu\/wp-admin.*"

I've found out why. Anyone, a quick guess?

Br Jimmy

On 2/8/10, Jimmy Larsson <[email protected]> wrote:
> Nope. But I lack a good way of debugging what's really happening inside
> of MPF. I can use the show-commands to look at counters for acl and
> service-policies. But more than that? Is there a way for me to see if
> the class-maps are really in use?
>
> Br Jimmy
>
>
> On 2/8/10, Brandon Carroll <[email protected]> wrote:
>> Do you see anything in your logs when you browse to facebook?
>>
>>
>> Regards,
>>
>> Brandon Carroll - CCIE #23837
>> Senior Technical Instructor - IPexpert
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
>> (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice,
>> Security & Service Provider) Certification Training with locations
>> throughout the United States, Europe and Australia. Be sure to check
>> out our online communities at www.ipexpert.com/communities and our
>> public website at www.ipexpert.com.
>>
>> On Feb 8, 2010, at 12:41 AM, Jimmy Larsson <[email protected]> wrote:
>>
>>> But still I can browse to facebook. The exact url is copied from my
>>> browser:
>>>
>>> Home-ASA# test regex "http://www.facebook.com/" ".*\.facebook\.com"
>>> INFO: Regular expression match succeeded.
>>>
>>> Home-ASA# sh access-list  acl-MAKE-JIMMY-WORK
>>> access-list acl-MAKE-JIMMY-WORK; 1 elements; name hash: 0x947ef6ed
>>> access-list acl-MAKE-JIMMY-WORK line 1 extended permit tcp any any
>>> eq www time-range STUDY-TIME (hitcnt=23) 0xbe60f654
>>> Home-ASA#
>>>
>>>
>>> Home-ASA# sh time-range
>>>
>>> time-range entry: STUDY-TIME (active)
>>>    periodic weekdays 7:00 to 7:59
>>>    periodic weekdays 8:00 to 10:00
>>>    used in: IP ACL entry
>>>
>>> Home-ASA# sh service-policy inspect http
>>>
>>> Global policy:
>>>   Service-policy: global_policy
>>>     Class-map: inspection_default
>>>       Inspect: http test_pmap, packet 83, drop 0, reset-drop 0
>>>         protocol violations
>>>           log, packet 0
>>>
>>> Interface inside:
>>>   Service-policy: policy-inside
>>>     Class-map: class-NOSURF
>>>       Inspect: http policy-INSPECT-HTTP, packet 1608, drop 0, reset-drop 0
>>>         protocol violations
>>>           packet 0
>>>         class class-FIND-BANNED-URLS
>>>           reset log, packet 0
>>> Home-ASA#
>>>
>>> Just to verify that it had nothing to do with my time-range I
>>> removed that option in the acl. Now its just "permit tcp any any eq
>>> 80" but the "problem" remains.
>>>
>>> Br Jimmy
>>>
>>> 2010/2/8 Brandon Carroll <[email protected]>
>>> Jimmy,
>>>
>>> I think it's your regular expression.  Look at what I did on the ASA:
>>>
>>> First I tested yours:
>>>
>>> ASA1# test regex www.facebook.com "*.facebook\.com.*"
>>> INFO: Regular expression match failed.
>>>
>>>
>>> Then mine:
>>>
>>> ASA1# test regex www.facebook.com ".+\.facebook\.com*"
>>> INFO: Regular expression match succeeded.
>>>
>>> Then a few others to test the path to other apps:
>>>
>>> ASA1# test regex www.facebook.com/reader ".+\.facebook\.com*"
>>> INFO: Regular expression match succeeded.
>>>
>>> ASA1# test regex www.facebook.com/farmville_app ".+\.facebook\.com*"
>>> INFO: Regular expression match succeeded.
>>>
>>> Finally I tested against another site:
>>>
>>> ASA1# test regex www.cisco.com/ ".+\.facebook\.com*"
>>> INFO: Regular expression match failed.
>>>
>>> and
>>>
>>> ASA1# test regex www.google.com/ ".+\.facebook\.com*"
>>> INFO: Regular expression match failed.
>>>
>>> Give that a try and see where you get.
>>>
>>> Regards,
>>>
>>> Brandon Carroll - CCIE #23837
>>> Senior Technical Instructor - IPexpert
>>>
>>>
>>>
>>> On Sun, Feb 7, 2010 at 10:50 PM, Jimmy Larsson <[email protected]> wrote:
>>> Hello
>>>
>>> Can anyone see why I am still able to surf to facebook from inside
>>> the ASA with this config?
>>>
>>> time-range STUDY-TIME
>>>  absolute start 07:05 08 February 2010 end 07:59 08 February 2010
>>> !
>>> access-list acl-MAKE-JIMMY-WORK extended permit tcp any any eq www
>>> time-range STUDY-TIME
>>>
>>> class-map class-NOSURF
>>>  match access-list acl-MAKE-JIMMY-WORK
>>>
>>>
>>> regex gmail ".*mail\.google\.com.*"
>>> regex googlereader "*.google\.com\/reader.*"
>>> regex twitter "*.twitter\.com.*"
>>> regex facebook "*.facebook\.com.*"
>>>
>>>
>>> class-map type regex match-any class-map-JIMMYS-BANNED-SITES
>>>  match regex twitter
>>>  match regex facebook
>>>  match regex googlereader
>>>  match regex gmail
>>>
>>> class-map type inspect http match-all class-FIND-BANNED-URLS
>>>  match request uri regex class class-map-JIMMYS-BANNED-SITES
>>>
>>> policy-map type inspect http policy-INSPECT-HTTP
>>>  parameters
>>>  class class-FIND-BANNED-URLS
>>>   reset log
>>>
>>> policy-map policy-inside
>>> # Other classes
>>>  class class-NOSURF
>>>   inspect http policy-INSPECT-HTTP
>>>
>>> Time-range is active:
>>> Home-ASA(config-pmap)# sh time-range
>>>
>>> time-range entry: STUDY-TIME (active)
>>>    periodic weekdays 7:00 to 7:59
>>>    used in: IP ACL entry
>>>
>>> my acl gets hitcounts:
>>> Home-ASA(config-pmap)# sh access-list acl-MAKE-JIMMY-WORK
>>> access-list acl-MAKE-JIMMY-WORK; 1 elements; name hash: 0x947ef6ed
>>> access-list acl-MAKE-JIMMY-WORK line 1 extended permit tcp any any
>>> eq www time-range STUDY-TIME (hitcnt=1) 0xbe60f654
>>>
>>> My service-policy looks good:
>>>
>>> Home-ASA(config-pmap)# sh service-policy inspect http
>>>
>>> Global policy:
>>>   Service-policy: global_policy
>>>     Class-map: inspection_default
>>>       Inspect: http test_pmap, packet 6895252, drop 68, reset-drop 0
>>>         protocol violations
>>>           log, packet 68
>>>
>>> Interface inside:
>>>   Service-policy: policy-inside
>>>     Class-map: class-NOSURF
>>>       Inspect: http policy-INSPECT-HTTP, packet 1495, drop 0, reset-drop 0
>>>         protocol violations
>>>           packet 0
>>>         class class-FIND-BANNED-URLS
>>>           reset log, packet 0
>>> Home-ASA(config-pmap)#
>>>
>>> And the service-policy looks good:
>>>
>>> Home-ASA(config-pmap)# sh service-policy inspect http
>>>
>>> Global policy:
>>>   Service-policy: global_policy
>>>     Class-map: inspection_default
>>>       Inspect: http test_pmap, packet 6, drop 0, reset-drop 0
>>>         protocol violations
>>>           log, packet 0
>>>
>>> Interface inside:
>>>   Service-policy: policy-inside
>>>     Class-map: class-NOSURF
>>>       Inspect: http policy-INSPECT-HTTP, packet 327, drop 0, reset-drop 0
>>>         protocol violations
>>>           packet 0
>>>         class class-FIND-BANNED-URLS
>>>           reset log, packet 0
>>> Home-ASA(config-pmap)#
>>>
>>> Anyone?
>>>
>>> --
>>> -------
>>> Jimmy Larsson
>>> Ryavagen 173
>>> s-26030 Vallakra
>>> Sweden
>>> http://blogg.kvistofta.nu
>>> -------
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training,
>>> please visit www.ipexpert.com
>>>
>>
>
>

--
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------
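An added illustration, not part of the thread above and not code from anyone on the list: the reason ".*\/wp-admin.*" fires while ".*blogg\.kvistofta\.nu\/wp-admin.*" does not is that "match request uri regex" is applied to the request-line URI, which for a direct (non-proxy) request is only the path ("/wp-admin"). The hostname travels separately in the Host header, which on the ASA is what "match request header host regex" is for. The Python below parses two constructed requests (not captures from the thread) the way the inspection engine sees them and runs the thread's regexes against the URI, the Host header and the reassembled URL. Python's re module stands in for the ASA regex engine, which is an assumption; on these patterns it gives the results the thread reports, except that Python rejects the leading "*" in "*.facebook\.com.*" as a syntax error where "test regex" only reported a failed match.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample requests (not captured from the thread): what a browser
# sends to the origin server for the two URLs discussed. Without an explicit
# proxy the request-line URI carries only the path; the hostname is in Host.
WPADMIN_REQUEST = (
    b"GET /wp-admin HTTP/1.1\r\n"
    b"Host: blogg.kvistofta.nu\r\n"
    b"User-Agent: example/1.0\r\n"
    b"\r\n"
)
FACEBOOK_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.facebook.com\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.x request head into (method, request-uri, headers).

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    requires. Only the head (up to the blank line) is examined.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def regex_matches(pattern: str, subject: str) -> Optional[bool]:
    """Unanchored search, the way the ASA 'test regex' command reports a match.

    Python's re stands in for the ASA engine (assumption). Returns None when
    the pattern is not even a valid regex, e.g. one beginning with '*'.
    """
    try:
        return re.search(pattern, subject) is not None
    except re.error:
        return None


def evaluate(raw: bytes, pattern: str) -> Dict[str, Optional[bool]]:
    """Run one pattern against the three strings one might think it matches.

    'uri'      - what 'match request uri regex' sees
    'host'     - what 'match request header host regex' sees
    'full_url' - what the browser's address bar shows; no inspection
                 match sees this reassembled form
    """
    _method, uri, headers = parse_request(raw)
    host = headers.get("host", "")
    return {
        "uri": regex_matches(pattern, uri),
        "host": regex_matches(pattern, host),
        "full_url": regex_matches(pattern, f"http://{host}{uri}"),
    }


if __name__ == "__main__":
    cases = [
        (WPADMIN_REQUEST, r".*\/wp-admin.*"),
        (WPADMIN_REQUEST, r".*blogg\.kvistofta\.nu\/wp-admin.*"),
        (FACEBOOK_REQUEST, r"*.facebook\.com.*"),
        (FACEBOOK_REQUEST, r".*\.facebook\.com"),
    ]
    for raw, pattern in cases:
        print(f"{pattern:45s} {evaluate(raw, pattern)}")
```

Running it shows the full-URL column matching for every valid pattern while the uri column only matches patterns written against the path; a hostname pattern such as ".*\.facebook\.com" matches only in the host column, which is why it belongs under "match request header host regex" rather than "match request uri regex".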