
URL Filtering by Domain Name on an ASA Firewall

  The ASA can fully implement web URL filtering, and I tested this filtering case yesterday. We also had it tested in CMCC's ASA URL performance test, where it achieved very good results. So in some simple environments there is no need to pair the ASA with a dedicated URL filtering server; our ASA can do the filtering entirely on its own!

  My outside interface has a private address, 10.100.3.144; the egress router's gateway address is 10.100.3.1, and the egress router performs the address translation.

  Since the inside address is also a private address, 192.168.1.1, on the ASA I translate the 192.168.1.0 subnet to my outside interface address.

  The specific configuration is as follows:

ASA Version 8.0(2)
!
hostname AsaFirewall
domain-name abc.com
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.100.3.144 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
regex urllist1 ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"
regex urllist2 ".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]"
regex urllist3 ".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|[Pp][Pp][Tt]) HTTP/1.[01]"
regex urllist4 ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"
regex domainlist1 "\.yahoo\.com"
regex domainlist2 "\.myspace\.com"
regex domainlist3 "\.youtube\.com"
regex applicationheader "application/.*"
regex contenttype "Content-Type"
!
ftp mode passive
dns server-group DefaultDNS
 domain-name abc.com
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 8080
access-list 101 extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface inside
access-group 101 out interface inside
access-group 101 in interface outside
access-group 101 out interface outside
route outside 0.0.0.0 0.0.0.0 10.100.3.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex domainlist3
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
class-map type regex match-any URLBlockList
 match regex urllist1
 match regex urllist2
 match regex urllist3
 match regex urllist4
class-map inspection_default
 match default-inspection-traffic
class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader
class-map httptraffic
 match access-list inside_mpc
class-map type inspect http match-all BlockURLsClass
 match request uri regex class URLBlockList
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 class AppHeaderClass
  drop-connection log
 match request method connect
  drop-connection log
 class BlockDomainsClass
  reset log
 class BlockURLsClass
  reset log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface inside
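As an added example (not part of the original article and not Cisco code), the Python script below replays the article's regex definitions and its http_inspection_policy against constructed HTTP requests and responses, so a block list can be sanity-checked offline before it is pushed to the ASA. It assumes that, for these particular patterns, ASA regex syntax behaves like Python's re.search; that the URL regexes are applied to the full request line (the patterns end in " HTTP/1.[01]"); and that the classes are evaluated in the order the policy lists them, which is a simplification of how the ASA resolves multiple matches. All host names, paths and headers in the samples are constructed.

```python
import re

# Regex definitions copied from the article's ASA config. Assumption: these
# patterns use only constructs that mean the same thing in Python's re module.
URL_LIST = [
    r".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]",
    r".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]",
    r".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|[Pp][Pp][Tt]) HTTP/1.[01]",
    r".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]",
]
DOMAIN_LIST = [r"\.yahoo\.com", r"\.myspace\.com", r"\.youtube\.com"]
APPLICATION_HEADER = r"application/.*"
CONTENT_TYPE = r"Content-Type"


def _any_match(patterns, text):
    """match-any semantics of a 'class-map type regex match-any'."""
    return any(re.search(p, text) for p in patterns)


def parse_request(raw):
    """Split a raw HTTP/1.x request (constructed sample) into (request_line, headers)."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers


def classify_request(request_line, headers):
    """Action the article's http_inspection_policy takes on a plaintext HTTP
    request: 'drop-connection', 'reset' or 'allow' (order follows the policy text)."""
    method = request_line.split(" ", 1)[0]
    if method.upper() == "CONNECT":            # match request method connect
        return "drop-connection"
    if _any_match(DOMAIN_LIST, headers.get("Host", "")):   # BlockDomainsClass
        return "reset"
    if _any_match(URL_LIST, request_line):     # BlockURLsClass (assumed: full request line)
        return "reset"
    return "allow"


def classify_response(headers):
    """AppHeaderClass: header name matches 'Content-Type' and value matches 'application/.*'."""
    for name, value in headers.items():
        if re.search(CONTENT_TYPE, name) and re.search(APPLICATION_HEADER, value):
            return "drop-connection"
    return "allow"


# Constructed sample traffic used for the offline check.
SAMPLE_REQUESTS = [
    "GET /downloads/setup.EXE HTTP/1.1\r\nHost: files.example.net\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n",
    "CONNECT mail.example.net:443 HTTP/1.1\r\nHost: mail.example.net:443\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.net\r\n\r\n",
    # Bare apex host: the domain regexes require a leading dot, so this is NOT caught.
    "GET / HTTP/1.1\r\nHost: yahoo.com\r\n\r\n",
]


def run_samples():
    """Return [(request_line, action)] for every constructed sample request."""
    results = []
    for raw in SAMPLE_REQUESTS:
        request_line, headers = parse_request(raw)
        results.append((request_line, classify_request(request_line, headers)))
    return results


if __name__ == "__main__":
    for request_line, action in run_samples():
        print(f"{action:16s} {request_line}")
    print(classify_response({"Content-Type": "application/octet-stream"}))
    print(classify_response({"Content-Type": "text/html"}))
```

Two things the run makes visible: the domain regexes only fire on Host values containing ".yahoo.com", ".myspace.com" or ".youtube.com", so a bare "yahoo.com" Host header passes unless the list is written to cover it, and only traffic matching the inside_mpc ACL (TCP 80 and 8080 in the clear) ever reaches the HTTP inspection engine, so the policy says nothing about TLS connections.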

[Editor: eric]