{"id":971,"date":"2017-02-03T20:40:00","date_gmt":"2017-02-03T20:40:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=971"},"modified":"2024-11-17T20:44:47","modified_gmt":"2024-11-17T20:44:47","slug":"blocking-urls-using-mpf-on-the-cisco-asa","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/blocking-urls-using-mpf-on-the-cisco-asa\/","title":{"rendered":"Blocking URLs Using MPF on the Cisco ASA"},"content":{"rendered":"

The Cisco ASA 5505 doesn\u2019t have a built in feature for URL filtering, nowadays most next generation firewalls will have\u00a0a URL filtering option\u00a0built in \u2013 which can be licensed and used without the need of a separate device. Commonly\u00a0this type of deployment would act as a transparent proxy.<\/p>\n

Using regular expressions with the modular policy framework (MPF) we can ask the ASA to inspect http traffic and block URLs that we define.\u00a0By design the ASA 5505 is not capable of deep packet inspection, therefore it is unable to perform https\u00a0filtering\u00a0as the content of a packet is encrypted using SSL.<\/p>\n

In this step by step guide we will configure the Cisco ASA to to use regular expressions with MPF to block certain http websites (URL), this will be done using ASDM.<\/p>\n

The topology used, is a typical deployment \u2013 the ASA is placed on the edge of the network behind the WAN router, all http traffic will\u00a0be inspected as it flows from the inside of the network to the outside. The traffic will then be allowed or dropped according to the inspect maps.<\/p>\n

\"topology\"<\/p>\n

 <\/p>\n

Lets get started!<\/strong><\/p>\n

1.<\/strong>\u00a0launch ASDM and login<\/p>\n

\"1\"<\/p>\n

2.<\/strong>\u00a0Navigate to\u00a0\u201cConfiguration\u201d\u00a0\u2013\u00a0\u201cFirewall\u201d\u00a0\u2013\u00a0\u201cObjects\u201d\u00a0\u2013\u00a0\u201cRegular Expressions\u201d\u00a0under Regular Expressions click\u00a0\u201cAdd\u201d<\/p>\n

\"2\"<\/p>\n

3.<\/strong>\u00a0Create a regular expression with the value of the URL that you wish to block in the following format\u00a0\u201c\\.facebook\\.com\u201d\u00a0and click\u00a0\u201cOK\u201d<\/p>\n

\"3\"<\/p>\n

4.<\/strong>\u00a0Create a regular expression of another URL, and click\u00a0\u201cOK\u201d<\/p>\n

\"4\"<\/p>\n

5.<\/strong>\u00a0Create a regular expression of another URL, and click\u00a0\u201cOK\u201d\u00a0repeat the above step to add as many URLs required.<\/p>\n

\"5\"<\/p>\n

6.<\/strong>\u00a0Create a regular expression in order to capture the file extensions such as exe, com and bat provided that the https version being used by the web browser must be either 1.0 or 1.1, Enter the following\u00a0\u201c.*\\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP\/1.[01]\u201d\u00a0Click\u00a0\u201cOK\u201d<\/p>\n

\"6\"<\/p>\n

7.<\/strong>\u00a0Create a regular expression in order to capture the file extensions such as pif, vbs and wsh. Enter the following\u00a0\u201c.*\\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP\/1.[01]\u201d\u00a0Click\u00a0\u201cOK\u201d<\/p>\n

\"7\"<\/p>\n

8.<\/strong>\u00a0Create a regular expression in order to capture the file extensions such as doc, xls and ppt. Enter the following\u00a0\u201c.*\\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|[Pp][Tt]) HTTP\/1.[01]\u201d\u00a0Click\u00a0\u201cOK\u201d<\/p>\n

\"8\"<\/p>\n

9.\u00a0<\/strong>Create a regular expression in order to capture the file extensions such as zip, tar and tgz. Enter the following\u00a0\u201c*\\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP\/1.[01]\u201d\u00a0Click\u00a0\u201cOK\u201d<\/p>\n

\"9\"<\/p>\n

10.<\/strong>\u00a0Create a regular expression\u00a0\u201ccontenttype\u201d\u00a0in order to capture the content type. Click\u00a0\u201cOK\u201d.<\/p>\n

\"10\"<\/p>\n

11.\u00a0<\/strong>Create a regular expression\u00a0\u201capplicationheader\u201d\u00a0in order to capture the various application<\/p>\n

header. Click\u00a0\u201cOK\u201d<\/p>\n

\"11\"<\/p>\n

12.<\/strong>\u00a0Once all the regular expressions have been created, hit\u00a0\u201cApply\u201d<\/p>\n

\"12\"<\/p>\n

13.<\/strong>\u00a0Under\u00a0\u201cRegular Expression Classes\u201d\u00a0click\u00a0\u201cAdd\u201d<\/p>\n

\"13\"<\/p>\n

14.<\/strong>\u00a0Create a regular expression class\u00a0\u201cDomainBlockList\u201d\u00a0in order to match any of the regular
\nexpressions\u00a0\u201cdomainlist1\u201d,\u00a0\u201cdomainlist2\u201d\u00a0and\u00a0\u201cdomainlist3\u201d. Click\u00a0\u201cOK\u201d.<\/p>\n

\"14\"<\/p>\n

15.<\/strong>\u00a0Create a regular expression class\u00a0\u201cURLBlockList\u201d\u00a0in order to match any of the regular
\nexpressions\u00a0\u201curllist1\u201d,\u00a0\u201curllist2\u201d,\u00a0\u201curllist3\u201d\u00a0and\u00a0\u201curllist4\u201d. Click\u00a0\u201cOK\u201d.<\/p>\n

\"15\"<\/p>\n

16.<\/strong>\u00a0Once the expression classes have been added click\u00a0\u201cApply\u201d<\/p>\n

\"16\"<\/p>\n

17.<\/strong>\u00a0Navigate to\u00a0\u201cClass Maps\u201d\u00a0\u2013\u00a0\u201cHTTP\u201d\u00a0and click\u00a0\u201cAdd\u201d<\/p>\n

\"17\"<\/p>\n

18.<\/strong>\u00a0Create a class map\u00a0\u201cAppHeaderClass\u201d\u00a0in order to match the response header with regular
\nexpressions captures. Click\u00a0\u201cAdd\u201d<\/p>\n

\"18\"<\/p>\n

19.<\/strong>\u00a0Insert the match criteria as shown below, and click\u00a0\u201cOK\u201d, click\u00a0\u201cOK\u201d<\/p>\n

\"19\"<\/p>\n

20.<\/strong>\u00a0\u00a0Create a class map\u00a0\u201cBlockedDomainsClass\u201d\u00a0in order to match the response header with regular
\nexpressions captures. Click\u00a0\u201cAdd\u201d\u00a0and\u00a0Insert the match criteria as shown below, and click\u00a0\u201cOK\u201d, click\u00a0\u201cOK\u201d<\/p>\n

\"20\"<\/p>\n

21.<\/strong>\u00a0Create a class map\u00a0\u201cBlockedURLsClass\u201d\u00a0in order to match the response header with regular
\nexpressions captures. Click\u00a0\u201cAdd\u201d\u00a0and\u00a0Insert the match criteria as shown below, and click\u00a0\u201cOK\u201d, click\u00a0\u201cOK\u201d<\/p>\n

\"21\"<\/p>\n

22.<\/strong>\u00a0Navigate to\u00a0\u201cInspect Maps\u201d\u00a0\u2013\u00a0\u201cHTTP\u201d\u00a0click\u00a0\u201cAdd\u201d<\/p>\n

\"24\"<\/p>\n

23.<\/strong>\u00a0Create\u00a0a\u00a0\u201chttp_inspection_policy\u201d\u00a0to set the action for the matched traffic as shown. Click\u00a0\u201cInspection\u201d, \u201cDetails\u201d\u00a0and\u00a0\u201cAdd\u201d<\/p>\n

\"25\"<\/p>\n

24.<\/strong>\u00a0Set the action as\u00a0\u201cDrop Connection\u201d\u00a0and\u00a0\u201cEnable\u201d\u00a0the logging for the Criterion as\u00a0\u201cRequest Method\u201d\u00a0and Value as\u00a0\u201cconnect\u201d. Click\u00a0\u201cOK\u201d<\/p>\n

\"26\"<\/p>\n

25.\u00a0<\/strong>Click\u00a0\u201cAdd\u201d<\/p>\n

\"27\"<\/p>\n

26.<\/strong>\u00a0Set the action as\u00a0\u201cDrop Connection\u201d\u00a0and\u00a0\u201cEnable\u201d\u00a0the logging for the class\u00a0\u201cAppHeaderClass\u201d. Click\u00a0\u201cOK\u201d<\/p>\n

\"28\"<\/p>\n

27.<\/strong>\u00a0Click\u00a0\u201cAdd\u201d\u00a0Set the action as\u00a0\u201cReset\u201d\u00a0and\u00a0\u201cEnable\u201d\u00a0the logging for the class\u00a0\u201cBlockDomainsClass\u201d. Click\u00a0\u201cOK\u201d<\/p>\n

\"29\"<\/p>\n

28.<\/strong>\u00a0Click\u00a0\u201cAdd\u201d\u00a0Set the action as\u00a0\u201cReset\u201d\u00a0and\u00a0\u201cEnable\u201d\u00a0the logging for the class\u00a0\u201cBlockedURLsClass\u201d. Click\u00a0\u201cOK\u201d<\/p>\n

\"30\"<\/p>\n

29.<\/strong>\u00a0Once all the inspect maps have been added, Click\u00a0\u201cOK\u201d<\/p>\n

\"31\"<\/p>\n

30.<\/strong>\u00a0Click\u00a0\u201cApply\u201d\u00a0for the changes to take effect.<\/p>\n

\"32\"<\/p>\n

31.<\/strong>\u00a0Navigate to\u00a0\u201cService Policy Rules\u201d\u00a0and click\u00a0\u201cAdd\u201d\u00a0\u2013\u00a0\u201cAdd Service Policy Rule\u201d<\/p>\n

\"33\"<\/p>\n

32.<\/strong>\u00a0Select\u00a0\u201cInterface\u201d\u00a0\u2013\u201cInside-(Create new service policy\u201d, give the policy a name and click\u00a0\u201cNext\u201d<\/p>\n

\"34\"<\/p>\n

33.<\/strong>\u00a0Create a class map\u00a0\u201chttptraffic\u201d\u00a0and check the\u00a0\u201cSource and Destination IP Address
\n(uses ACL)\u201d. Click\u00a0\u201cNext\u201d.<\/p>\n

\"35\"<\/p>\n

34.<\/strong>\u00a0Choose the Source and Destination as\u00a0\u201cany\u201d\u00a0with service as\u00a0\u201ctcp\u2212udp\/http\u201d. Make sure the \u201cEnable Rule\u201d checkbox is ticked. Click\u00a0\u201cNext\u201d<\/p>\n

\"36\"<\/p>\n

35.\u00a0<\/strong>Check the\u00a0\u201cHTTP\u201d\u00a0radio button and click\u00a0\u201cConfigure\u201d<\/p>\n

\"37\"<\/p>\n

36.<\/strong>\u00a0Check the radio button Select a\u00a0\u201cHTTP\u201d\u00a0inspect map for the control over inspection
\nas shown. Click\u00a0\u201cOK\u201d.<\/p>\n

\"38\"<\/p>\n

37.<\/strong>\u00a0Click\u00a0\u201cFinish\u201d<\/p>\n

\"39\"<\/p>\n

38.<\/strong>\u00a0The Policy is now visible, we will now add an additional policy for port 8080.<\/p>\n

\"40\"<\/p>\n

39.<\/strong>\u00a0Click\u00a0\u201cAdd\u201d>\u00a0\u201cAdd Service Policy Rule\u201d.<\/p>\n

\"41\"<\/p>\n

40.<\/strong>\u00a0Click\u00a0\u201cNext\u201d<\/p>\n

\"42\"<\/p>\n

41.<\/strong>\u00a0Choose the radio button\u00a0\u201cAdd rule to existing traffic class\u201d\u00a0and choose\u00a0\u201chttptraffic\u201d\u00a0from the drop down menu. Click\u00a0\u201cNext\u201d.<\/p>\n

\"43\"<\/p>\n

42.\u00a0<\/strong>Choose the Source and Destination as\u00a0\u201cany\u201d\u00a0with\u00a0\u201ctcp\/8080\u201d. \u00a0Make sure\u00a0\u201cEnable Rule\u201d\u00a0is ticked and click\u00a0\u201cNext\u201d.<\/p>\n

\"44\"<\/p>\n

43.<\/strong>\u00a0Click\u00a0\u201cFinish\u201d<\/p>\n

\"45\"<\/p>\n

44.<\/strong>\u00a0Click\u00a0\u201cApply\u201d\u00a0to complete the configuration<\/p>\n

\"46\"<\/p>\n

45.<\/strong>\u00a0Now open a browser and test out one of the\u00a0regular expressions created earlier to see if it is blocked. In this case\u00a0\u201cBing.com\u201d\u00a0is being blocked or the traffic is being inspected and it is being dropped by our Policy.<\/p>\n

\"47\"<\/p>\n

46.<\/strong>\u00a0If we check the logging on the ASA we can see that the request to bing.com is being terminated by the inspection engine and therefore the connection is being reset. we can also see that the HTTP request matched our\u00a0\u201cBlockedDomainClass\u201d\u00a0in the\u00a0\u201chttp_inspection_policy\u201d<\/p>\n

\"48\"<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

The Cisco ASA 5505 doesn\u2019t have a built in feature for URL filtering, nowadays most next generation firewalls will have\u00a0a URL filtering option\u00a0built in \u2013<\/p>\n","protected":false},"author":1,"featured_media":1004,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,6],"tags":[57,101,102,103,95],"class_list":["post-971","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cisco-firewall","category-security","tag-cisco-asa","tag-class-maps","tag-inspect-maps","tag-mpf","tag-url-filtering"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/971","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=971"}],"version-history":[{"count":1,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/971\/revisions"}],"predecessor-version":[{"id":1020,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/971\/revisions\/1020"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/1004"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=971"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=971"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=971"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}