Got it working.

class-map type inspect http match-any domain_block_policy
 match request header host regex class domain_block_list
 match request uri regex class domain_block_list
   <<< This command is required since it stops the Facebook.com login page from
   launching via Google's web page. I do not know the exact explanation. Please
   share it with me. This blocks it completely. >>>

Best Regards.
______________________
Adil

On Oct 13, 2012, at 5:43 AM, Kingsley Charles <[email protected]> wrote:

> Can you try capturing the facebook traffic using wireshark and check the URI
> value.
>
> With regards
> Kings
> CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)
>
>
> On Fri, Oct 12, 2012 at 7:16 PM, Adil Pasha <[email protected]> wrote:
> Thanks Fawad for the DNS suggestion. I will try that. But there is really
> something with www.facebook.com/login.asp vs. other websites. https is
> blocked for every other website whose login page I try to get to, but not
> for facebook.
>
> Hi Kingsley,
> Please review my config below.
>
> !
> regex domainlist1 "\.skype\.com"
> regex domainlist2 "\.myspace\.com"
> regex domainlist3 "\.facebook\.com"
> !
> access-list block_regex extended permit tcp host 10.249.1.103 any eq www
> access-list block_regex extended permit tcp host 10.249.1.103 any eq 8080
> access-list block_regex extended permit tcp host 10.249.1.103 any eq https
> !
> !
> class-map block_user2
>  match access-list block_regex
> class-map type regex match-any DomainBlockList_user2
>  match regex domainlist1
>  match regex domainlist2
>  match regex domainlist3
> !
> class-map type inspect http match-any BlockDomainClass_user2
>  match request header host regex class DomainBlockList_user2
> !
> class-map inspection_default
>  match default-inspection-traffic
> !
> !
> policy-map type inspect dns preset_dns_map
>  parameters
>   message-length maximum client auto
>   message-length maximum 512
> !
> policy-map global_policy
>  class inspection_default
>   inspect dns preset_dns_map
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect rsh
>   inspect rtsp
>   inspect esmtp
>   inspect sqlnet
>   inspect skinny
>   inspect sunrpc
>   inspect xdmcp
>   inspect sip
>   inspect netbios
>   inspect tftp
>   inspect ip-options
> !
> policy-map type inspect http BlockDomainClass_user2
>  parameters
>   protocol-violation action
>     <<< If I add 'reset' all https stops working, including the facebook.com
>     login page. >>>
>  class BlockDomainClass_user2
>   drop-connection log
> !
> policy-map inside-outside-policy
>  class block_user2
>   inspect http BlockDomainClass_user2
> !
> service-policy global_policy global
> service-policy inside-outside-policy interface inside
> !
>
>
>
> Best Regards.
> ______________________
> Adil
>
> On Oct 12, 2012, at 12:59 AM, Kingsley Charles <[email protected]>
> wrote:
>
>> What was your config?
>>
>>
>> With regards
>> Kings
>> CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)
>>
>> On Fri, Oct 12, 2012 at 1:25 AM, Adil Pasha <[email protected]> wrote:
>> Hi guys,
>> Does anyone know how to block the https://www.facebook.com/login.php page
>> using MPF?
>>
>> http://www.handbook.dk/block-domains-on-a-cisco-asa-152.htm
>> https://supportforums.cisco.com/docs/DOC-1268
>> And the new 8.4 version has a very basic solution:
>> https://supportforums.cisco.com/docs/DOC-1268
>>
>>
>> The normal configuration on the above links cannot block the above link.
>> Also, the above link can be launched using a Google.com search and then
>> clicking on Login.
>>
>> I am not finding any solution.
>>
>> This better not be the exam question till Cisco completely provides the
>> solution. I have tested it using ver 8.2, 8.3 and 8.4.
>>
>> Thanks for any help in advance.
>>
>>
>> Best Regards.
>> ______________________
>> Adil
>>
>>
>> On Oct 11, 2012, at 3:06 PM, Radim Jurica <[email protected]> wrote:
>>
>>> Hi guys,
>>> if I would like to check the field in the peer's certificate, is it enough
>>> to have this "isakmp-profile > match certificate" map construct?
>>>
>>> !
>>> crypto pki certificate map CERTMAP2 10
>>>  subject-name co ou = juniper
>>> !
>>> crypto isakmp identity dn
>>> crypto isakmp profile ISAKMP
>>>  ca trust-point R6
>>>  match certificate CERTMAP2
>>> !
>>> crypto ipsec profile CRYPTO
>>>  set transform-set TS
>>>  set isakmp-profile ISAKMP
>>> !
>>>
>>> It's an sVTI VPN PKI solution which works fine without this (and even
>>> with this false checking).
>>>
>>> I can't see anything relevant in the crypto isakmp | pki debugs about
>>> checking this subject field.
>>>
>>> Thank you
>>>
>>> Radim
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
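An added example, not from any participant in the thread, that models in Python how the posted class-maps evaluate a request: the regex class is match-any over the three configured domain regexes, and the inspect class matches on the Host header and, when the extra `match request uri` line is present, on the request URI as well. The sample requests are constructed; a TLS session on tcp/443 is modelled as having no readable Host header or URI, since `inspect http` only parses plaintext HTTP.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Regex objects exactly as configured on the ASA in the thread. ASA regex
# matching is a search anywhere in the field, so re.search() is the analogue.
DOMAIN_REGEXES = [r"\.skype\.com", r"\.myspace\.com", r"\.facebook\.com"]


@dataclass
class HttpRequest:
    """What the http inspection engine sees for one request.
    host/uri are None when there is no parsable HTTP at all, e.g. a TLS
    stream on tcp/443 whose headers are encrypted (constructed model)."""
    host: Optional[str]
    uri: Optional[str]


def regex_class_match_any(value: Optional[str], patterns: List[str]) -> bool:
    """class-map type regex match-any: true if any regex matches the field."""
    if value is None:
        return False
    return any(re.search(p, value) for p in patterns)


def inspect_http_match_any(req: HttpRequest, check_uri: bool) -> Optional[str]:
    """class-map type inspect http match-any: name of the clause that matched,
    or None. check_uri=True mirrors adding 'match request uri regex class'."""
    if regex_class_match_any(req.host, DOMAIN_REGEXES):
        return "request header host"
    if check_uri and regex_class_match_any(req.uri, DOMAIN_REGEXES):
        return "request uri"
    return None


def policy_action(req: HttpRequest, check_uri: bool) -> str:
    """The policy-map's class action: drop-connection log on a match."""
    return "drop-connection log" if inspect_http_match_any(req, check_uri) else "pass"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "direct": HttpRequest("www.facebook.com", "/login.php"),
    "via_google": HttpRequest("www.google.com", "/url?q=https://www.facebook.com/login.php"),
    "unrelated": HttpRequest("www.example.com", "/"),
    "tls_443": HttpRequest(None, None),  # encrypted: nothing for inspect http to read
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        for check_uri in (False, True):
            print(f"{name:<11} uri-clause={check_uri!s:<5} -> {policy_action(req, check_uri)}")
```

Note that the TLS sample never matches regardless of the URI clause, which is the case the thread is wrestling with: the Host header and URI of an HTTPS request are inside the encrypted session.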
