Implementing domain and URL filtering on an ASA firewall

The ASA can perfectly well do web URL filtering on its own (HTTP inspection with regex class maps), and I tested this filtering case yesterday. We also had it run through the CMCC ASA URL performance test and got very good results. So in simpler environments there is no need to pair the ASA with a dedicated URL filtering server: the ASA can do the filtering entirely by itself.
My outside interface has a private address, 10.100.3.144; the egress router's gateway address is 10.100.3.1, and the egress router does the address translation.
Because the inside address is also private (192.168.1.1), on the ASA I translate the 192.168.1.0/24 network to my outside interface address.
The full configuration is as follows:
ASA Version 8.0(2)
!
hostname AsaFirewall
domain-name abc.com
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 10.100.3.144 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address


regex urllist1 ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"
regex urllist2 ".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]"
regex urllist3 ".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|[Pp][Pp][Tt]) HTTP/1.[01]"
regex urllist4 ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"
regex domainlist1 "\.yahoo\.com"
regex domainlist2 "\.myspace\.com"
regex domainlist3 "\.youtube\.com"
regex applicationheader "application/.*"
regex contenttype "Content-Type"



ftp mode passive
dns server-group DefaultDNS
domain-name abc.com
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 8080
access-list 101 extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface inside
access-group 101 out interface inside
access-group 101 in interface outside
access-group 101 out interface outside
route outside 0.0.0.0 0.0.0.0 10.100.3.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!



class-map type regex match-any DomainBlockList
match regex domainlist1
match regex domainlist2
match regex domainlist3

class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList

class-map type regex match-any URLBlockList
match regex urllist1
match regex urllist2
match regex urllist3
match regex urllist4

class-map inspection_default
match default-inspection-traffic

class-map type inspect http match-all AppHeaderClass
match response header regex contenttype regex applicationheader

class-map httptraffic
match access-list inside_mpc

class-map type inspect http match-all BlockURLsClass
match request uri regex class URLBlockList
!




!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512


policy-map type inspect http http_inspection_policy
parameters
  protocol-violation action drop-connection
class AppHeaderClass
  drop-connection log
match request method connect
  drop-connection log
class BlockDomainsClass
  reset log
class BlockURLsClass
  reset log

policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

policy-map inside-policy
class httptraffic
  inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface inside
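How the regexes above behave against real requests is easiest to see offline. The following Python script is an added example, not ASA code and not part of the original post: it reuses the urllist and domainlist expressions verbatim and applies them the way the two class maps do, to the value of the Host header and to the request URI with its trailing " HTTP/1.x". That the "match request uri" field carries that tail is an assumption; if it does not, none of the urllist expressions can ever match, which you can confirm on the box from the inspect counters in "show service-policy". Python's re module stands in for the ASA regex engine (the expressions only use character classes, alternation and ".*", which both support), and every sample request is constructed for the demonstration.

```python
"""Added example: offline emulation of the regex matching that the ASA
configuration above performs inside HTTP inspection. Illustration only.

Assumptions (not stated on the page):
  * 'match request uri regex' sees the URI followed by ' HTTP/1.x'.
  * 'match request header host regex' sees the value of the Host header.
  * ASA regexes are unanchored searches, so re.search() is used.
"""
import re

# regex urllist1 .. urllist4, copied verbatim from the configuration
URL_BLOCK_LIST = [
    r".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]",
    r".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]",
    r".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|[Pp][Pp][Tt]) HTTP/1.[01]",
    r".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]",
]
# regex domainlist1 .. domainlist3, copied verbatim
DOMAIN_BLOCK_LIST = [r"\.yahoo\.com", r"\.myspace\.com", r"\.youtube\.com"]

URL_RE = [re.compile(p) for p in URL_BLOCK_LIST]
DOMAIN_RE = [re.compile(p) for p in DOMAIN_BLOCK_LIST]


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, uri, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, version, headers


def inspect(raw: bytes) -> str:
    """Return the action http_inspection_policy would take on this request:
    'drop-connection', 'reset' or 'pass'. When more than one terminating
    class matches, the first one here is reported; on the ASA the connection
    is torn down either way."""
    method, uri, version, headers = parse_request(raw)
    # 'match request method connect' -> drop-connection log
    if method.upper() == "CONNECT":
        return "drop-connection"
    # BlockDomainsClass (match-any over DomainBlockList) -> reset log
    host = headers.get("host", "")
    if any(r.search(host) for r in DOMAIN_RE):
        return "reset"
    # BlockURLsClass (match-any over URLBlockList) -> reset log
    if any(r.search(f"{uri} {version}") for r in URL_RE):
        return "reset"
    return "pass"


def build(method: str, uri: str, host: str, version: str = "HTTP/1.1") -> bytes:
    """Construct a minimal request; every sample below is made up."""
    return f"{method} {uri} {version}\r\nHost: {host}\r\n\r\n".encode()


SAMPLES = {
    "exe download":    build("GET", "/setup.EXE", "files.example.net"),
    "yahoo subdomain": build("GET", "/", "www.yahoo.com"),
    "bare yahoo.com":  build("GET", "/", "yahoo.com"),            # no leading dot
    "exe with query":  build("GET", "/setup.exe?id=1", "files.example.net"),
    "docx":            build("GET", "/report.docx", "files.example.net"),
    "connect tunnel":  build("CONNECT", "mail.example.net:443", "mail.example.net"),
    "plain page":      build("GET", "/index.html", "www.example.org"),
}


def run_all() -> dict:
    """Verdict per sample; the cases that pass are the point of the exercise."""
    return {name: inspect(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:16s} -> {verdict}")
```

Running it shows what the expressions do and do not cover. www.yahoo.com is reset but yahoo.com is not, because "\.yahoo\.com" requires the leading dot. /setup.exe?id=1 and /report.docx pass, because the urllist patterns require the extension to be followed directly by the space before HTTP/1.x, so a query string or a longer extension (.docx, .xlsx) slips through. Anything over TLS is never seen at all: inside_mpc only selects TCP 80 and 8080, and HTTP inspection cannot read encrypted requests; a CONNECT sent to a proxy on 8080 is the one HTTPS-related case the policy catches, through the request method match. Separately from the filtering, "http 0.0.0.0 0.0.0.0 outside" and "telnet 0.0.0.0 0.0.0.0 inside" open ASDM from any outside address and cleartext Telnet from the whole inside network; restrict both to management hosts before reusing this configuration.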
