ASA URL Filtering Configuration Example
Filtering traffic has these advantages:
· It can help reduce security risks and prevent inappropriate usage.
· It can provide greater control over the traffic that passes through the security appliance.
Note: Because URL filtering is CPU-intensive, the use of an external filtering server ensures that the throughput of other traffic is not affected. However, based on the speed of your network and the capacity of your URL filtering server, the time required for the initial connection can be noticeably slower when traffic is filtered with an external filtering server.
You can filter connection requests that originate from a more secure network to a less secure network. Although you can use access control lists (ACLs) in order to prevent outbound access to specific content servers, it is difficult to manage usage this way because of the size and dynamic nature of the Internet. You can simplify configuration and improve security appliance performance with the use of a separate server that runs one of these Internet filtering products:
· Websense Enterprise: filters HTTP, HTTPS, and FTP. It is supported by PIX firewall version 5.3 and later.
· Secure Computing SmartFilter (formerly known as N2H2): filters HTTP, HTTPS, FTP, and long URLs. It is supported by PIX firewall version 6.2 and later.
In this example, the URL filtering server is located in a DMZ network. End users located inside the network try to access the web server located outside the network over the Internet.
These steps are completed during the user request for the web server:
1. The end user browses to a page on the web server, and the browser sends an HTTP request. After the security appliance receives this request, it forwards the request to the web server and simultaneously extracts the URL and sends a look-up request to the URL filtering server.
2. After the URL filtering server receives the look-up request, it checks its database in order to determine whether to permit or deny the URL. It returns a permit or deny status with a look-up response to the Cisco IOS® firewall.
3. The security appliance receives this look-up response and performs one of these functions:
  · If the look-up response permits the URL, it sends the HTTP response to the end user.
  · If the look-up response denies the URL, the URL filtering server redirects the user to its own internal web server, which displays a message that describes the category under which the URL is blocked. Thereafter, the connection is reset on both ends.
Identify the Filtering Server
You need to identify the address of the filtering server with the url-server command. You must use the appropriate form of this command based on the type of filtering server you use.
Note: For software version 7.x and later, you can identify up to four filtering servers for each context. The security appliance uses the servers in order until a server responds. You can only configure a single type of server, either Websense or N2H2, in your configuration.
Websense
Websense is a third−party filtering software that can filter HTTP requests on the basis of these policies:
· destination hostname
· destination IP address
· keywords
· user name
Software version 7.x and later:
pix(config)# url-server (if_name) host local_ip [timeout seconds] [protocol TCP | UDP [connections num_conns]]
Replace if_name with the name of the security appliance interface that is connected to the filtering server. The default is inside. Replace local_ip with the IP address of the filtering server. Replace seconds with the number of seconds the security appliance must continue to try to connect to the filtering server.
Use the protocol option in order to specify whether you want to use TCP or UDP. With a Websense server, you can also specify the version of TCP you want to use. TCP version 1 is the default. TCP version 4 allows the PIX firewall to send authenticated user names and URL logging information to the Websense server if the PIX firewall has already authenticated the user.
For example, in order to identify a single Websense filtering server, issue this command:
hostname(config)#url-server (DMZ) vendor websense host 192.168.15.15 protocol TCP version 4
Secure Computing SmartFilter
Software version 7.2 and later:
hostname(config)#url-server (if_name) vendor {secure-computing | n2h2} host <local_ip> [port <number>] [timeout <seconds>] [protocol {TCP [connections <number>]} | UDP]
For the vendor {secure-computing | n2h2} keyword, you can use secure-computing as the vendor string. However, n2h2 is accepted for backward compatibility. When the configuration entries are generated, secure-computing is saved as the vendor string.
Replace if_name with the name of the security appliance interface that is connected to the filtering server. The default is inside. Replace local_ip with the IP address of the filtering server and port <number> with the desired port number.
Note: The default port used by the Secure Computing SmartFilter server to communicate with the security appliance with TCP or UDP is port 4005.
Replace seconds with the number of seconds the security appliance must continue to try to connect to the filtering server. Use the protocol option in order to specify whether you want to use TCP or UDP.
The connections <number> is the number of times to attempt to make a connection between the host and server.
For example, in order to identify a single N2H2 filtering server, issue this command:
hostname(config)#url-server (DMZ) vendor n2h2 host 192.168.15.15 port 4444 timeout 45 protocol tcp connections 10
Or, if you want to use default values, issue this command:
hostname(config)#url-server (DMZ) vendor n2h2 host 192.168.15.15
Configuration:
ciscoasa#show running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name Security.lab.com
enable password 2kxsYuz/BehvglCF encrypted
no names
dns-guard
!
interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 172.30.21.222 255.255.255.0
!
interface GigabitEthernet0/1
description INSIDE
nameif inside
security-level 100
ip address 192.168.5.11 255.255.255.0
!
interface GigabitEthernet0/2
description LAN/STATE Failover Interface
shutdown
!
interface GigabitEthernet0/3
description DMZ
nameif DMZ
security-level 50
ip address 192.168.15.1 255.255.255.0
!
interface Management0/0
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name Security.lab.com
same-security-traffic permit intra-interface
pager lines 20
logging enable
logging buffer-size 40000
logging asdm-buffer-size 200
logging monitor debugging
logging buffered informational
logging trap warnings
logging asdm informational
logging mail debugging
logging from-address aaa@cisco.com
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
no failover
failover lan unit primary
failover lan interface interface GigabitEthernet0/2
failover link interface GigabitEthernet0/2
no monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 172.30.21.244 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
ldap attribute-map tomtom
dynamic-access-policy-record DfltAccessPolicy
url-server (DMZ) vendor websense host 192.168.15.15 timeout 30 protocol TCP version 1 connections
url-cache dst 100
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
filter url except 192.168.5.5 255.255.255.255 172.30.21.99 255.255.255.255
filter url http 192.168.5.0 255.255.255.0 172.30.21.99 255.255.255.255 allow proxy-block longurl-truncate cgi-truncate
http server enable
http 172.30.0.0 255.255.0.0 outside
no snmp-server location
no snmp-server contact
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.5.12-192.168.5.20 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
url-block url-mempool 2
url-block url-size 2
url-block block 10
username fwadmin password aDRVKThrSs46pTjG encrypted privilege 15
prompt hostname context
Cryptochecksum:db208a243faa71f9b3e92491a6ed2105
: end
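As an added check that is not part of the Cisco document, the Python script below parses the url-server and filter url statements of a running-config such as the one above and verifies the constraints the text states: at most four filtering servers per context, a single vendor type (with n2h2 saved as secure-computing), and a filter url statement that actually applies the server. The sample config inside the script is constructed from the filtering lines on this page with a second Websense server added to exercise the checks; the fail-open note it emits for the allow keyword reflects the ASA filter url semantics (outbound traffic passes unfiltered while the filtering server is unreachable), which the page shows but does not explain.

```python
"""Lint the URL-filtering lines of an ASA running-config.

Added example, not from the Cisco document. Checks the constraints the
text states (<= 4 url-servers per context, one vendor type, n2h2 stored
as secure-computing, a filter url statement present) and flags 'allow'.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the filtering lines from the running-config on this
# page, plus a second Websense server added to exercise the checks.
SAMPLE_CONFIG = """
url-server (DMZ) vendor websense host 192.168.15.15 timeout 30 protocol TCP version 1 connections 5
url-server (DMZ) vendor websense host 192.168.15.16 timeout 30 protocol TCP version 4
url-cache dst 100
filter url except 192.168.5.5 255.255.255.255 172.30.21.99 255.255.255.255
filter url http 192.168.5.0 255.255.255.0 172.30.21.99 255.255.255.255 allow proxy-block longurl-truncate cgi-truncate
"""

URL_SERVER_RE = re.compile(
    r"^url-server \((?P<ifname>[^)]+)\)"
    r"(?: vendor (?P<vendor>websense|secure-computing|n2h2))?"
    r" host (?P<host>\S+)(?P<opts>.*)$"
)
FILTER_URL_RE = re.compile(r"^filter url (?P<body>.+)$")
MAX_SERVERS_PER_CONTEXT = 4  # stated in the Note for software 7.x and later


@dataclass
class UrlServer:
    ifname: str
    vendor: str  # n2h2 normalised to secure-computing, as the ASA saves it
    host: str
    protocol: str = "TCP"
    version: Optional[int] = None
    timeout: Optional[int] = None
    connections: Optional[int] = None
    port: Optional[int] = None
    errors: List[str] = field(default_factory=list)


def parse_url_server(line: str) -> Optional[UrlServer]:
    """Return a UrlServer for a url-server line, or None if it is not one."""
    m = URL_SERVER_RE.match(line.strip())
    if m is None:
        return None
    vendor = m.group("vendor") or "websense"  # no vendor keyword = Websense form
    if vendor == "n2h2":
        vendor = "secure-computing"
    srv = UrlServer(ifname=m.group("ifname"), vendor=vendor, host=m.group("host"))
    toks = m.group("opts").split()
    i = 0
    while i < len(toks):
        key = toks[i].lower()
        if key == "protocol" and i + 1 < len(toks):
            srv.protocol = toks[i + 1].upper()
            i += 2
        elif key in ("timeout", "version", "connections", "port"):
            # A keyword that takes a number but has none is a broken line.
            if i + 1 < len(toks) and toks[i + 1].isdigit():
                setattr(srv, key, int(toks[i + 1]))
                i += 2
            else:
                srv.errors.append(f"{key} keyword has no numeric value")
                i += 1
        else:
            i += 1
    return srv


def lint(config: str) -> Tuple[List[UrlServer], List[str], List[str]]:
    """Parse one context's config; return (servers, filter url bodies, findings)."""
    servers: List[UrlServer] = []
    filters: List[str] = []
    findings: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        srv = parse_url_server(line)
        if srv is not None:
            servers.append(srv)
            findings.extend(f"{srv.host}: {e}" for e in srv.errors)
            continue
        m = FILTER_URL_RE.match(line)
        if m is not None:
            filters.append(m.group("body"))

    if not servers:
        findings.append("no url-server configured; filter url has nothing to query")
    if len(servers) > MAX_SERVERS_PER_CONTEXT:
        findings.append(f"{len(servers)} url-servers; at most {MAX_SERVERS_PER_CONTEXT} per context")
    vendors = sorted({s.vendor for s in servers})
    if len(vendors) > 1:
        findings.append(f"mixed vendors {vendors}; only one server type is allowed")
    if servers and not any(not body.startswith("except") for body in filters):
        findings.append("url-server defined but no filter url statement applies it")
    for body in filters:
        if "allow" in body.split():
            findings.append("filter url uses 'allow': traffic is passed unfiltered (fail-open) "
                            "when the filtering server is unreachable")
    return servers, filters, findings


if __name__ == "__main__":
    servers, filters, findings = lint(SAMPLE_CONFIG)
    for s in servers:
        print(f"{s.vendor} {s.host} on {s.ifname}: {s.protocol} version {s.version}")
    for f in findings:
        print("FINDING:", f)
```

Run against the page's own running-config, the linter reports the dangling connections keyword on the url-server line as well as the fail-open allow flag; whether fail-open is acceptable is a policy decision, but it should be a deliberate one rather than a default inherited from a copied example.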