понедельник, 30 сентября 2013 г.

ASA URL Filtering

Оригинал тут - https://supportforums.cisco.com/docs/DOC-1268

Introduction

One of the ASA features is url filtering. It can be used to block or allow users from going to certain urls/websites. This article aims to educate the user on how to use this feature. After reading it carefully someone should be able to take full advantage of url filtering and use it for his needs.

In this article we will either block or allow domains in urls and words in the uri. Of course the ASA can match on other things too. They can be found in the ASA configuration guides. From now and onwards we will allow or block the cisco.com domain. In other words, any user browsing to any page that is behind cisco.com will be subject to url filtering. Such pages would be www.cisco.com/index.html or cisco.com/exampledir/page.html. Also, we will allow or block "/test/" in the uri. In other words, any page path that contains "/test/" will be url filtered. Examples are www.examplesite.com/exampledir/test/page.html or www.anyurl.com/test/examplepage.jsp or www.anything.com/onedir/seconddir/test

The mechanism used to apply url filtering is Modular Policy Framework (MPF). We will create regular expressions (regex) that will be matched in class-maps of type http. These class-maps will be used in policy-maps to define the drop action. Then the policy-maps will be applied with an http inspection in another policy-map that will be applied to an interface. In that way the http inspection action will be applied to the traffic that hits an interface.

NOTE: Though, we need to highlight that for Enterprise URL Filtering, customers should be steered toward using WebSense or N2H2 integration with the ASA. Such web filtering engines can provide much more robust filtering based on classes of sites. URL filtering directly on the ASA using regex, should be used only sparsely when broad classifications can be applied, with limited regex patterns. The ASA will not scale being used in an enterprise with large regex matches and large volumes of HTTP traffic.


Block specific urls

Lets assume that we want to block some specific websites. For example we want to block specific anything under cisco.com and uris that contain "/test/". We will create the regexes and match them in a class-map. Note that if ANY regex is matched then the class-map will actually be met. Then in the policy-map block-url-policy whatever meets the class-map (cisco.com OR uri containing "/test/") is reset. The rest are allowed (not cisco.com and not uri containing "/test/"). The policy-map block-url-policy is used for http inspection in another policy-map (global_policy) and applied with a service-policy.
 
regex blockex1 "/test/"
regex blockex2 "cisco\.com"

class-map type inspect http match-any block-url-class
 match request uri regex blockex1
 match request header host regex blockex2

policy-map type inspect http block-url-policy
 parameters
 class block-url-class
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect http block-url-policy

service-policy global_policy global


вторник, 10 сентября 2013 г.

Настройка cluster Active/Standby на ASA

В кластер ASA можно собирать при наличии на каждой лицензии Security Plus. Для обмена репликациями я выделил отдельный физический интерфейс и назначить ему IP адреса. Адреса должны быть в одной подсети. Изначально Standby узел объявляет себя активным если она не получил несколько ответов от IP интерфейса, которым асы связаны между собой (где ходит репликация). Мне нужно сделать так, чтобы резервный узел включался и в том случае, если падает интерфейс Inside. Для этого на этом интерфейсе нужно прописать дополнительную конфу. Выделяем /29 сеть, даем один адрес узлу перед асой (в моем случае это L3 коммутатор), в конфиге главной асы прописываем на интерфейсе адрес, и обозначаем адрес второго узла для того, чтобы аса мониторила этот интерфейс. После этого нужно включить непосредственно сам мониторинг.

Итак, всё просто. Сначала настраиваем главный (Active) узел.

ciscoasa# conf t
ciscoasa(config)#interface GigabitEthernet0/0.30
ciscoasa(config)#vlan 30
ciscoasa(config)#nameif Inside
ciscoasa(config)#security-level 100
ciscoasa(config)#ip address 10.6.100.25 255.255.255.248 standby 10.6.100.26
ciscoasa(config)#exit
ciscoasa(config)#failover lan unit primary
ciscoasa(config)#failover lan interface failoverlink GigabitEthernet0/5
ciscoasa(config)#failover polltime unit msec 500 holdtime 2
ciscoasa(config)#failover replication http
ciscoasa(config)#failover link failoverlink GigabitEthernet0/5
ciscoasa(config)#failover interface ip failoverlink 10.6.100.41 255.255.255.252 standby 10.6.100.42
ciscoasa(config)#monitor-interface Inside