Can you try capturing the facebook traffic using wireshark and check the URI value.
With regards
Kings
CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)

On Fri, Oct 12, 2012 at 7:16 PM, Adil Pasha <[email protected]> wrote:

> Thanks Fawad for DNS suggestion. I will try that. But there is really
> something with www.facebook.com/login.asp vs. other websites. https is
> blocked for every other website that I try to get to their login page but
> not for facebook.
>
> Hi Kingsley,
> Please review my config below.
>
> !
> regex domainlist1 "\.skype\.com"
> regex domainlist2 "\.myspace\.com"
> regex domainlist3 "\.facebook\.com"
> !
> access-list block_regex extended permit tcp host 10.249.1.103 any eq www
> access-list block_regex extended permit tcp host 10.249.1.103 any eq 8080
> access-list block_regex extended permit tcp host 10.249.1.103 any eq https
> !
> !
> class-map block_user2
>  match access-list block_regex
> class-map type regex match-any DomainBlockList_user2
>  match regex domainlist1
>  match regex domainlist2
>  match regex domainlist3
> !
> class-map type inspect http match-any BlockDomainClass_user2
>  match request header host regex class DomainBlockList_user2
> !
> class-map inspection_default
>  match default-inspection-traffic
> !
> !
> policy-map type inspect dns preset_dns_map
>  parameters
>   message-length maximum client auto
>   message-length maximum 512
> !
> policy-map global_policy
>  class inspection_default
>   inspect dns preset_dns_map
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect rsh
>   inspect rtsp
>   inspect esmtp
>   inspect sqlnet
>   inspect skinny
>   inspect sunrpc
>   inspect xdmcp
>   inspect sip
>   inspect netbios
>   inspect tftp
>   inspect ip-options
> !
> policy-map type inspect http BlockDomainClass_user2
>  parameters
>   protocol-violation action <<< If I add 'reset' all https stops working
>   including facebook.com login page. >>>
>  class BlockDomainClass_user2
>   drop-connection log
> !
> policy-map inside-outside-policy
>  class block_user2
>   inspect http BlockDomainClass_user2
> !
> service-policy global_policy global
> service-policy inside-outside-policy interface inside
> !
>
> Best Regards.
> ______________________
> Adil
>
> On Oct 12, 2012, at 12:59 AM, Kingsley Charles <[email protected]>
> wrote:
>
> What was your config?
>
> With regards
> Kings
> CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)
>
> On Fri, Oct 12, 2012 at 1:25 AM, Adil Pasha <[email protected]> wrote:
>
>> Hi guys,
>> Does anyone know how to block https://www.facebook.com/login.php page
>> using MPF?
>>
>> http://www.handbook.dk/block-domains-on-a-cisco-asa-152.htm
>> https://supportforums.cisco.com/docs/DOC-1268
>> And new 8.4 version has a very basic solution:
>> https://supportforums.cisco.com/docs/DOC-1268
>>
>> The normal configuration on the following links cannot block the above
>> link.
>> Also, if the above link can be launched using
>> Google.com <http://google.com/> search and then click on Login.
>>
>> I am not finding any solution.
>>
>> This better not be the exam question till Cisco completely provides the
>> solution. I have tested it using ver 8.2, 8.3 and 8.4.
>>
>> Thanks for any help in advance.
>>
>> Best Regards.
>> ______________________
>> Adil
>>
>> On Oct 11, 2012, at 3:06 PM, Radim Jurica <[email protected]> wrote:
>>
>> Hi guys,
>> if I would like to check the field in peer's certificate, is it enough to
>> have this "isakmp-profile > match certificate" map construct?
>>
>> !
>> crypto pki certificate map CERTMAP2 10
>>  subject-name co ou = juniper
>> !
>> crypto isakmp identity dn
>> crypto isakmp profile ISAKMP
>>  ca trust-point R6
>>  match certificate CERTMAP2
>> !
>> crypto ipsec profile CRYPTO
>>  set transform-set TS
>>  set isakmp-profile ISAKMP
>> !
>>
>> It's sVTI VPN PKI solution which without this (and even with this false
>> checking) works good.
>>
>> I can't see anything relevant in crypto isakmp | pki debugs about checking
>> this subject field.
>>
>> Thank you
>>
>> Radim
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com <http://www.platinumplacement.com/>
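An added example, not part of the thread or of anyone's posted configuration: a Python sketch of what the `match request header host regex class DomainBlockList_user2` class in the quoted config has available to match on. It assumes Python's `re.search` approximates the ASA's unanchored regex matching; the payloads are constructed samples, and `host_header` and `verdict` are hypothetical helper names.

```python
import re

# Patterns copied from the "regex domainlistN" lines in the quoted config.
DOMAIN_BLOCK_LIST = [r"\.skype\.com", r"\.myspace\.com", r"\.facebook\.com"]

# Constructed samples: the first bytes a client sends on a new TCP connection.
CLEARTEXT_FB = (b"GET /login.php HTTP/1.1\r\n"
                b"Host: www.facebook.com\r\nAccept: */*\r\n\r\n")
CLEARTEXT_BARE = b"GET / HTTP/1.1\r\nHost: facebook.com\r\n\r\n"
CLEARTEXT_OTHER = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# TLS handshake record header (type 0x16, version 3.1, length 46), then a
# ClientHello handshake header and zero filler. No HTTP text is present.
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2E,
                   0x01, 0x00, 0x00, 0x2A]) + bytes(42)

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")


def host_header(payload):
    """Return the Host header of a cleartext HTTP request, or None."""
    if not REQUEST_LINE.match(payload):
        return None  # not a cleartext HTTP request (e.g. a TLS record)
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def verdict(payload):
    """Apply the block list to whatever Host header is visible."""
    host = host_header(payload)
    if host is None:
        return "no-host-header"
    if any(re.search(pattern, host) for pattern in DOMAIN_BLOCK_LIST):
        return "drop-connection"
    return "permit"


if __name__ == "__main__":
    samples = [("http www.facebook.com", CLEARTEXT_FB),
               ("http facebook.com", CLEARTEXT_BARE),
               ("http www.example.com", CLEARTEXT_OTHER),
               ("tls client hello", TLS_HELLO)]
    for label, payload in samples:
        print(f"{label:22} -> {verdict(payload)}")
```

Two things show up in the output: the leading `\.` in each pattern means a bare `facebook.com` Host value does not match, and a connection that opens with a TLS record offers no cleartext Host header for the regex class to test.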
