ASA firewall configuration URL filtering
1. Experimental topology diagram
2. Preparation
1. Configure the intranet DNS service
Mount the installation disc and configure the yum repository
[root@localhost ~]# hostnamectl set-hostname dns
[root@localhost ~]# bash
[root@dns ~]# yum -y install bind
[root@dns ~]# vim /etc/named.conf
Scroll down to the zone section of named.conf and add the zone definitions for the two domains
Configure the DNS zone files
[root@dns ~]# cd /var/named/
[root@dns named]# cp -p named.localhost baidu
[root@dns named]# cp -p named.localhost youxi
[root@dns named]# vim baidu
[root@dns named]# vim youxi
[root@dns named]# systemctl start named # start the DNS service
Precautions:
- The DNS server must point its own DNS setting to itself
- The Win7 client must point its DNS setting to the DNS server
Use the client to verify whether the domain name can be resolved
2. Configure the external web host
Mount the installation disc and configure the yum repository
Configuration on baidu:
[root@localhost ~]# hostnamectl set-hostname baidu
[root@localhost ~]# bash
[root@baidu ~]# yum -y install httpd
[root@baidu ~]# echo "This is baidu.com" > /var/www/html/index.html
[root@baidu ~]# echo "ServerName www.baidu.com" >> /etc/httpd/conf/httpd.conf
[root@baidu ~]# systemctl start httpd
Configuration on youxi:
[root@localhost ~]# hostnamectl set-hostname youxi
[root@localhost ~]# bash
[root@youxi ~]# yum -y install httpd
[root@youxi ~]# echo "This is youxi.com" > /var/www/html/index.html
[root@youxi ~]# echo "ServerName www.youxi.com" >> /etc/httpd/conf/httpd.conf
[root@youxi ~]# systemctl start httpd
3. Configure the ASA firewall
ciscoasa> en
ciscoasa# conf t
ciscoasa(config)# hostname ASA # set the hostname
E0/0
ASA(config)# int e0/0
ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA(config-if)# security-level 100
ASA(config-if)# ip add 192.168.1.254 255.255.255.0
ASA(config-if)# no sh
Ctrl+C
ASA# ping 192.168.1.5 # test connectivity to the intranet hosts
ASA# ping 192.168.1.1
E0/1
ASA# conf t
ASA(config)# int e0/1
ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA(config-if)# security-level 0
ASA(config-if)# ip add 192.168.100.254 255.255.255.0
ASA(config-if)# no sh
Ctrl+C
ASA# ping 192.168.100.1 # test connectivity to the external hosts
ASA# ping 192.168.100.2
4. Verify access from the client
Both domains can be reached at this point, but we only want the intranet to be able to visit www.baidu.com. This is achieved by configuring URL filtering.
3. ASA firewall URL filtering configuration
1. Create a Class-map to identify transmission traffic
- Create an ACL named aaa that permits the 192.168.1.0/24 segment to reach any www (TCP port 80) service on the external network
ASA# conf t
ASA(config)# access-list aaa permit tcp 192.168.1.0 255.255.255.0 any eq www
- Create a class map named "zhangsan" and enter its sub-mode
ASA(config)# class-map zhangsan
- Match the traffic permitted by the ACL just created inside the class map
ASA(config-cmap)# match access-list aaa
ASA(config-cmap)# exit # first class map done, return to global configuration mode
- Create a regular expression named "URL1" that matches the host name suffix ".youxi.com"
ASA(config)# regex URL1 "\.youxi\.com"
- Create a class map named "bbb" of type regex, using match-any (any one regex in the class is enough to match)
ASA(config)# class-map type regex match-any bbb
- Reference the regular expression "URL1" just created from the current class map
ASA(config-cmap)# match regex URL1
ASA(config-cmap)# exit # second class map done; this class map identifies the host name suffix
- Create a class map named "ccc" of type "inspect http", which classifies HTTP traffic
ASA(config)# class-map type inspect http ccc
- Match HTTP requests whose Host header matches the regex class "bbb" (host names ending in ".youxi.com") in the current class map
ASA(config-cmap)# match request header host regex class bbb
ASA(config-cmap)# exit # third class map done
2. Create the policy maps and associate the class maps
- Create a policy map named p-aaa of type "inspect http"
ASA(config)# policy-map type inspect http p-aaa
- Reference the class map ccc just created from the current policy map
ASA(config-pmap)# class ccc
- Drop the connection for the traffic just identified and record it in the log
ASA(config-pmap-c)# drop-connection log
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit # exit, first policy map done
- Create a policy map named "p-bbb"
ASA(config)# policy-map p-bbb
- Reference the "zhangsan" class map created earlier to identify the transit traffic
ASA(config-pmap)# class zhangsan
- Inspect HTTP traffic using the first policy map, nesting it inside the current policy map
ASA(config-pmap-c)# inspect http p-aaa
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit # exit, second policy map done
3. Apply the final policy map p-bbb to the inside interface of the ASA
ASA(config)# service-policy p-bbb interface inside
Note: only one policy map can be applied to a given interface
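As an added illustration (not code from the original page or from Cisco), the following Python model reproduces the decision logic of the policy built in steps 1 to 3: the ACL decides which traffic reaches HTTP inspection, and the unanchored regex decides which Host headers are dropped. The sample requests are constructed; the last one shows that "\.youxi\.com" requires a leading dot, so a bare "youxi.com" Host header is not matched by this regex.

```python
import ipaddress
import re

# Model of the MPF configuration on this page (constructed emulation, not ASA code).
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")

# access-list aaa permit tcp 192.168.1.0 255.255.255.0 any eq www
def acl_aaa_permits(src_ip: str, dst_port: int) -> bool:
    return ipaddress.ip_address(src_ip) in INSIDE_NET and dst_port == 80

# regex URL1 "\.youxi\.com"  /  class-map type regex match-any bbb
CLASS_BBB_REGEXES = [re.compile(r"\.youxi\.com")]

def class_bbb_matches(host: str) -> bool:
    # match-any: one matching regex is enough; the regex is unanchored, like ASA's
    return any(r.search(host) for r in CLASS_BBB_REGEXES)

# class-map type inspect http ccc / match request header host regex class bbb
def class_ccc_matches(host: str) -> bool:
    return class_bbb_matches(host)

# policy-map type inspect http p-aaa: class ccc -> drop-connection log
def policy_p_aaa(host: str):
    if class_ccc_matches(host):
        return "drop-connection", f"LOG: HTTP request for host {host} dropped"
    return "allow", None

# policy-map p-bbb: class zhangsan (match access-list aaa) -> inspect http p-aaa
# service-policy p-bbb interface inside
def inside_service_policy(src_ip: str, dst_port: int, host: str):
    if acl_aaa_permits(src_ip, dst_port):
        return policy_p_aaa(host)
    # traffic not classified by zhangsan never reaches the HTTP inspection
    return "not-inspected", None

def run_demo():
    # constructed sample requests: (source IP, destination port, Host header)
    samples = [
        ("192.168.1.5", 80, "www.baidu.com"),
        ("192.168.1.5", 80, "www.youxi.com"),
        ("192.168.1.5", 8080, "www.youxi.com"),
        ("192.168.1.5", 80, "youxi.com"),
    ]
    return [(h, inside_service_policy(s, p, h)[0]) for s, p, h in samples]

if __name__ == "__main__":
    for host, verdict in run_demo():
        print(f"{host:20} -> {verdict}")
```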
4. Use the client to access the test
You can see that baidu can still be accessed normally, but youxi cannot, because the URL filtering we just configured drops requests for youxi