Thanks, Fawad, for the DNS suggestion. I will try that. But there is really something with www.facebook.com/login.asp vs. other websites. HTTPS is blocked for every other website when I try to get to their login page, but not for Facebook.

Hi Kingsley,

Please review my config below.

!
regex domainlist1 "\.skype\.com"
regex domainlist2 "\.myspace\.com"
regex domainlist3 "\.facebook\.com"
!
access-list block_regex extended permit tcp host 10.249.1.103 any eq www
access-list block_regex extended permit tcp host 10.249.1.103 any eq 8080
access-list block_regex extended permit tcp host 10.249.1.103 any eq https
!
!
class-map block_user2
 match access-list block_regex
class-map type regex match-any DomainBlockList_user2
 match regex domainlist1
 match regex domainlist2
 match regex domainlist3
!
class-map type inspect http match-any BlockDomainClass_user2
 match request header host regex class DomainBlockList_user2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
policy-map type inspect http BlockDomainClass_user2
 parameters
  protocol-violation action   <<< If I add 'reset' all https stops working including facebook.com login page. >>>
 class BlockDomainClass_user2
  drop-connection log
!
policy-map inside-outside-policy
 class block_user2
  inspect http BlockDomainClass_user2
!
service-policy global_policy global
service-policy inside-outside-policy interface inside
!

Best Regards.
______________________
Adil

On Oct 12, 2012, at 12:59 AM, Kingsley Charles <[email protected]> wrote:

> What was your config?
>
> With regards
> Kings
> CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)
>
> On Fri, Oct 12, 2012 at 1:25 AM, Adil Pasha <[email protected]> wrote:
> Hi guys,
> Does anyone know how to block https://www.facebook.com/login.php page using MPF?
>
> http://www.handbook.dk/block-domains-on-a-cisco-asa-152.htm
> https://supportforums.cisco.com/docs/DOC-1268
> And new 8.4 version has a very basic solution:
> https://supportforums.cisco.com/docs/DOC-1268
>
> The normal configuration on the following links cannot block the above link.
> Also, if the above link can be launched using Google.com search and then click on Login.
>
> I am not finding any solution.
>
> This better not be the exam question till Cisco completely provides the solution. I have tested it using ver 8.2, 8.3 and 8.4.
>
> Thanks for any help in advance.
>
> Best Regards.
> ______________________
> Adil
>
> On Oct 11, 2012, at 3:06 PM, Radim Jurica <[email protected]> wrote:
>
>> Hi guys,
>> if I would like to check the field in peer's certificate, is it enough to have this "isakmp-profile > match certificate" map construct?
>>
>> !
>> crypto pki certificate map CERTMAP2 10
>>  subject-name co ou = juniper
>> !
>> crypto isakmp identity dn
>> crypto isakmp profile ISAKMP
>>  ca trust-point R6
>>  match certificate CERTMAP2
>> !
>> crypto ipsec profile CRYPTO
>>  set transform-set TS
>>  set isakmp-profile ISAKMP
>> !
>>
>> It's sVTI VPN PKI solution which without this (and even with this false checking) works good.
>>
>> I can't see anything relevant in crypto isakmp | pki debugs about checking this subject field.
>>
>> Thank you
>>
>> Radim
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
