ASA url registration

Hello

I am trying to make our ASA log URLs and I'm having some success. However, the output shows the IP address instead of the real domain; for example, when you browse to imdb, it is recorded as:

November 16, 2009 14:12:35: %ASA-5-304001: 30.30.30.30 consulted the URL 209.85.229.148:/adj/imdb2. Consumer.homepage /; TILE = 2; SZ = 468 x 60, 728 x 90, 1008 x 150, 9 x 1; p = t; s = 32; o RD = 9973051011677648

instead of imdb.com (or whatever it happens to be).

How do I get the ASA to log the domain rather than the corresponding IP address?

http://www.Cisco.com/en/us/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#related

says the ASA needs to run 8.0.4.24 or later; ours runs 8.2(1).

Thank you

Scott

Well, I spoke too soon. Here's a way to log the whole request, with host and URI. I found this in the CCIE_Security mailing list archives. Basically, you define a regular expression to match the sites that you want to log. I used a simple dot "." to match anything.

regex matchall "."
!
class-map type regex match-any DomainLogList
 match regex matchall
class-map type inspect http match-all LogDomainsClass
 match request header host regex class DomainLogList
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect http http_inspection_policy
 parameters
 class LogDomainsClass
  log
!
! Attach the map to HTTP inspection (assumes the default global_policy is in use)
policy-map global_policy
 class inspection_default
  inspect http http_inspection_policy

Then check your log:

20 Nov 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 URL Accessed 157.166.255.19:http://cnn.com/
20 Nov 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 URL Accessed 157.166.226.26:http://www.cnn.com/
20 Nov 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 URL Accessed 198.78.220.126:http://i.cdn.turner.com/cnn/.element/css/3.0/common.css
20 Nov 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 URL Accessed 198.78.220.126:http://i.cdn.turner.com/cnn/.element/css/3.0/main.css

Caution - This logs every HTTP request that the ASA sees. I have no idea how much load this puts on an ASA with significant HTTP traffic. As described in the related mailing list post, you can create more specific regex lists to match specific hosts and/or URIs, and can take actions other than logging, including blocking/resetting.
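An added example (not part of the original post or the mailing-list thread) of consuming these records on the syslog side: it parses %ASA-5-304001 lines, splits host from URI when the HTTP inspection policy supplies one, and sets aside records that still carry only an IP and a path. The sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# ASA emits "Accessed URL"; the samples quoted on this page read "URL Accessed",
# so both word orders are accepted. A space after "%" is tolerated as well.
MSG_304001 = re.compile(
    r"%\s?ASA-5-304001:\s+(?P<src>\S+)\s+(?:Accessed URL|URL Accessed)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<url>\S+)"
)

# Constructed sample input (documentation address ranges, example domains).
SAMPLE_LOG = """\
Nov 20 09:27:08 192.0.2.1 asa %ASA-5-304001: 192.0.2.10 Accessed URL 198.51.100.7:http://www.example.com/
Nov 20 09:27:08 192.0.2.1 asa %ASA-5-304001: 192.0.2.10 Accessed URL 198.51.100.9:http://static.example.net/css/main.css
Nov 20 09:27:09 192.0.2.1 asa %ASA-5-304001: 192.0.2.11 URL Accessed 198.51.100.7:http://www.example.com/index.html?id=7
Nov 20 09:27:10 192.0.2.1 asa %ASA-5-304001: 192.0.2.11 Accessed URL 203.0.113.5:/adj/banner;tile=2
Nov 20 09:27:11 192.0.2.1 asa %ASA-6-302013: Built outbound TCP connection 42 for outside:198.51.100.7/80
""".splitlines()


def parse_304001(line):
    """Return a dict (src, dst, host, path), or None if the line is not a 304001 record."""
    m = MSG_304001.search(line)
    if m is None:
        return None
    url = m.group("url")
    if url.startswith("/"):
        # Only the URI was logged: the Host-header class did not apply here.
        host, path = None, url
    else:
        parts = urlsplit(url)
        host = parts.hostname
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return {"src": m.group("src"), "dst": m.group("dst"), "host": host, "path": path}


def summarize(lines):
    """Count requests per (client, host) and collect records that lack a host."""
    per_host, no_host = Counter(), []
    for line in lines:
        rec = parse_304001(line)
        if rec is None:
            continue  # some other syslog message ID
        if rec["host"] is None:
            no_host.append(rec)
        else:
            per_host[(rec["src"], rec["host"])] += 1
    return per_host, no_host


if __name__ == "__main__":
    counts, missing = summarize(SAMPLE_LOG)
    for (src, host), n in sorted(counts.items()):
        print(f"{src} -> {host}: {n}")
    print("records without a host:", missing)
```

Records that end up in the no-host list show which traffic is not yet covered by the Host-header logging class.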

Tags: Cisco Security

Similar Questions

  • Cisco ASA url filtering

    I have a Cisco ASA 5515 and it works fine. Now I want to enable URL filtering so that I can filter websites such as Facebook, YouTube, torrents and so on. I don't have a URL filtering license, and according to the Cisco documentation we do not need a URL filtering license for this. So how can I block them?

    Hello

    Yes, certainly, please visit this link:

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Kind regards

    Aditya

    Please rate helpful posts and mark the correct answers.

  • Filtering on ASA URL tunnel through

    Hello

    I am not sure whether to put this thread in the firewall or the VPN section. I want to know if we can set up URL filtering with Websense through the VPN. If so, how can we do that, and can we do it for both site-to-site and remote access? Let's take an example with Websense on the ASA1 DMZ. Now, if Site 2 wants to send all of its users to Site 1 for URL filtering and then out to the internet through ASA1 (via the ASA1 external interface), is that possible?

    (192.168.3.0) Site1 - ASA1 - VPN - ASA2 - Site 2 (10.22.22.0)

    Hi Jayesh,

    (192.168.3.0) Site1 - ASA1 - VPN - ASA2 - Site 2 (10.22.22.0)

    Now I see 2 ways to apply:

    (1) URL filtering config on ASA1: with this configured, and ASA2 also configured to send all internet traffic to ASA1, when ASA1 sees the initial GET request to a site, it forwards the request to both the URL filtering server and the web server. Now, when the web server responds to this request, ASA1 will decide to drop or forward it based on the response from the Websense server.

    (2) URL filtering config on ASA2: once again with this configured, and ASA2 also configured to send all internet traffic to ASA1, when ASA2 sees the initial GET request, it will send traffic to the web server as well as to the URL filtering server on the ASA1 DMZ. Please note that this query packet to the Websense server will have a source IP of the external interface of ASA2 and a destination IP of the URL filtering server. We must therefore ensure the following 2 things:

    ++ the crypto ACL on ASA2 includes an entry from the external interface IP of ASA2 to the DMZ IP of the Websense server, and vice versa on ASA1.

    ++ a NAT exemption is configured on the ASA1 DMZ (ACL from the DMZ IP of the Websense server to the external IP of ASA2).

    In this case the operation will be similar. When ASA2 sees the web server's answer to the first GET request, it will decide to drop it or forward it to the client based on the response from Websense.

    Please let me know if that clarifies things.

    Cheers,

    Assia

  • Subscription URL parameters

    This thread: http://supportforums.blackberry.com/t5/BlackBerry-Push-Development/question-about-Content-Provider-U...

    I see I must submit the service id (application), OS version and model to the BPA registration URL http://pushapi.eval.blackberry.com/mss/PD_subReg

    But is that all we have? Do we not have to submit the BlackBerry subscriber PIN too? What else do we submit?

    I am developing a stand-alone C# server and I cannot see the BPSS source code. Sorry if the question is a bit lame.

    2 more questions: what is the URL of radiation? And what are the parameters that should be passed?

    Yep

    1st call:

    https://pushapi.eval.blackberry.com/mss/PD_subReg?serviceid=xxxx&osversion=yyyy&model=zzzz

    You get the code param=ssss back as a response.

    2nd call:

    https://pushapi.eval.blackberry.com/mss/PD_subReg?serviceid=xxxx&osversion=yyyy&model=zzzz&param=ssss

    There is no username and password required to register with the BlackBerry Push Service. They recommend that you require and use a username and password when the user registers with your server (content provider) to subscribe.

    Because the registration request goes through the BIS browsing cluster within the RIM infrastructure, they can get the PIN from the low-level packets between the device and the RIM infrastructure. You do not need to deal with the PIN in a subscription to the BlackBerry Push Service in your HTTP calls. As I said, when your user subscribes with your server, you would put the PIN in the HTTP request as another HTTP request parameter so that you know which PIN to push to from your server-side application.

  • URL of registration does not

    Is anyone else publishing with a registration URL? It used to work well, but now the URL does not open the course!

    https://iTunesU.iTunes.Apple.com/enroll/DNR-CYF-YND

    Any ideas appreciated!

    OK, I just generated a new code and it is now working! Asked the question and worked out the answer at once! I hope this helps someone :)

  • ASA IPS Signature unsuccessfully URL

    I want to update the ASA IPS signatures through a proxy. What destination URLs do I need to allow on my proxy?

    I think www.cisco.com and dl.cisco.com should cover it. The first has the metadata and the second is the source of the actual signature files.

    Those are the two sites whose certificates you must accept in Cisco Security Manager during setup for IPS signature updates.

  • ASA - logging URL enter WebVPN

    We have a Cisco ASA and use it for multiple WebVPN (aka SSL VPN) connections.

    Based on the URL, they are placed in different connection profiles. For example, https://asa.mydomain.com/test will put them in the Test connection profile, while https://asa.mydomain.com/prod puts them in the Prod connection profile.

    It works very well; however, we would like to be able to log (in the ASA log) the exact URL users used to start their session. Is this possible?

    It is not possible. If I had to guess without seeing your config, you use only group URLs rather than aliases and the drop-down selection list. In a case like this, users accessing the FQDN, such as http://vpn.yourcompany.com, use the DefaultWebVPNGroup connection profile by default. If there is no session limit configured on this policy and authentication is configured the same, then the user may access. You can use the DefaultWebVPNGroup as a catch-all and set the concurrent connections to 0 in the policy to restrict access. A better approach would be to look into group lock.

  • Registration of URLS for comments using comments anchor traffic and ISE

    Hi all,

    I am looking for a solution by which I can log URL information for wireless guest users to ISE. The anchor WLC is located in a DMZ behind the ASA and the ISE is on the internal network. I found this document (see link below), which is similar but uses a NAC guest server and not an ISE.

    I wonder if someone has managed to do it using ISE?

    http://www.Cisco.com/en/us/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#wlcc

    Hello. I have this scenario working successfully. The only thing different from the configuration in the supplied link is that you must specify UDP port 20514. Refer to the following line:

    logging host inside 192.168.215.16 17/20514

    Here the number 17 means UDP and 20514 is the port number.

    Please rate if this helps

  • ASA, blocking long URL access

    Hi Forum,

    I can't seem to find an answer as to why my ASA blocks access to long URLs. Below is the only HTTP filtering configuration I can find on my firewall. What are the default settings? How can I enable it; is there a better way?

    I use ASA5500.

    Thank you very much

    Paul

    http-map inbound_http

    content-length min 100 max 2000 action open

    content-type-checking match-req-rsp action open

    allow the action header-MaxLength request 100

    Open the max-uri-length 100 action

    Do you have any filter http commands and url-server commands configured? If so, there is an option to truncate long URLs.

    In addition, bugs seem to exist in the HTTP inspection engine in versions after 7.1(2). Try disabling HTTP inspection and see if the problem goes away.

    Andrew

  • ASA: webvpn: Group-url command

    Hello

    I don't know how the group-url command works. Command reference:

    "Specifying a group URL or IP address eliminates the need for the user to select a group when connecting. When a user connects, the adaptive security appliance looks for the user's incoming URL/address in the tunnel-group policy table."

    When I type:

    ASA-1(config-tunnel-webvpn)# group-url https://100.60.10.100/ssl enable

    What does the ASA do? Does it compare the source IP of the client with this IP, check the HTTP request for "ssl" in the URL, and only if both match this configuration link the user to this tunnel group?

    What happens if I type:

    ASA-1(config-tunnel-webvpn)# group-url https://www.cisco.com/ssl enable

    What exactly is the ASA looking for with this command?

    Thanx

    Group-url is another way to map users to the right tunnel-group and group policy. It is also configured under the webvpn attributes of the tunnel group. You must specify a URL for each tunnel group.

    When a WebVPN request comes to the ASA through the WebVPN-enabled interface and the URL matches any group-url configured in a tunnel-group, that tunnel group is used for the WebVPN session.

    It can be done in two ways: specify either the IP address or the FQDN.

    Thank you

    Ajay

  • ASA and group URL

    So I have the need to provide two SSL VPN environments for two different clients on the same ASA 5510 appliance.  Can I create two group policies, each with a unique group URL, and then assign a certificate corresponding to the group URL?  From an IP perspective, they would all be hitting the same outside IP address.

    Ex:

    Group_policy: customer

    Group URL: https://remote.customera.com

    SSL certificate: remote.customera.com

    Group_policy: CustomerB

    Group URL: https://remote.customerb.com

    SSL certificate: remote.customerb.com

    Thank you!

    -Craig

    Hey Craig,

    Let me divide your query into 2 parts:

    1. Can you use 2 different URLs on the ASA for two separate connection profiles?

    2. Can you use 2 separate certificates to validate the two URLs?

    Regarding your first question, yes, it is possible. You will need to create 2 separate group policies and 2 connection profiles (aka tunnel groups). Under each tunnel group, define a separate group-url and assign the corresponding group policy. Your configuration might look like this:

    ASA(config)# group-policy customer internal
    ASA(config)# group-policy customer attributes

    .

    .

    .

    (configure the respective attributes)

    ASA(config)# tunnel-group customer type remote-access
    ASA(config)# tunnel-group customer general-attributes
    ASA(config-tunnel-general)# default-group-policy customer

    ASA(config)# tunnel-group customer webvpn-attributes

    ASA(config-tunnel-webvpn)# group-url https://ASA1/remote.customera.com

    Repeat the steps above and replace "customer" by "CustomerB".

    As for your second question, you can only configure a trustpoint to be used with a single interface. So do one of the following:

    1. Get a UCC (Unified Client certificate) for your ASA:

    Get a UCC with multiple CNs/SANs (Subject Alternative Name extensions) for each ASA FQDN/IP. That is, you need a UCC certificate with a CN of an FQDN or IP and SANs for each ASA: ASA-1 FQDN or IP, ASA-2 FQDN or IP, and so on. Several PKI/certificate vendors support UCC: entrust.com, verisign, godaddy.com, etc.

    Note: the ASA cannot generate a certificate signing request (CSR) with multiple SANs (CSCso70867 is an enhancement requesting this capability), so you must have the PKI vendor submit the enrollment for you.

    On the ASA, configure a trustpoint and install/import the UCC certificate into this trustpoint. Bind this trustpoint to the external interface.

    2. OR get a wildcard certificate. Wildcard certificates are discouraged in favour of UCC certs. According to one vendor, Entrust, these are the 2 main reasons:

    1. UCC is more secure than Wildcard certificates since Entrust UC Certificates specify exactly the hosts and domains that must be protected
    2. UCC is more flexible than Wildcard certificates since Entrust UC certificates are not limited to a single domain

    I hope this helps.

    Kind regards

    ATRI

  • What is registration (URL to access the connection) for catalyst Partner Portal?

    What is registration (URL to access the connection) for catalyst Partner Portal?

    http://www.BusinessCatalyst.com/Admin/index.aspx?to=PartnerPortal

  • ASA 5555 X with power Module of fire and redirect URL to WSA

    My question is related to the flow of traffic with an ASA 5555 X with the FirePOWER services module and a WCCP redirect to a WSA appliance.

    I think that the traffic flow should be as follows:

    HTTP traffic --> ASA --> FP IPS --> WCCP to the WSA Proxy --> (Internet cloud)

    In this way the IPS could identify all clients before traffic hits the WSA proxy.

    So the question is, does the service policy on the ASA get processed before the WCCP redirect? Is this configurable? Or does the ASA handle the WCCP redirect before the service policy when routing traffic through the ASA?

    Are there guides that go into the details of this scenario?

    Thank you

    David

    David,

    There is no plan to merge WSA into ASA/FirePOWER or FTD. Each has strengths and addresses customers with different requirements.

    WSA, as you know, offers deep customization and rich reporting for web filtering. However, it is limited to http/80 and https/443. Firepower is an easy solution if you already use it for NGIPS and/or malware protection. It lacks some of the reporting features of the WSA (although FMC can be highly customized if you dig deep).

    There is also OpenDNS to consider, if its capabilities appeal to you.

  • ASA 5510 - display block URL Page

    Dear,

    I have a Cisco ASA 5510. I have already configured Block_Sites using regular expressions and it works fine. I need to display a blocked page for anyone trying to access blocked sites. Example: I need to display a page that contains our company logo and below it shows "the Site is blocked".

    Can I do it on Cisco ASA 5510?

    Thank you

    No, the ASA alone cannot do it. To do this, you need a will end UP with appropriate license or a proxy (such as the WSA).

  • ASA like that - web address for registration

    Hello

    I set up the CA on the ASA and generated/e-mailed the OTP.

    What is the ASA web page address users must enter to get the cert? (I can't find this information in the docs)

    Kind regards

    Friend,

    Refer to this document

    http://blog.ipexpert.com/2010/07/28/ASA-local-CA-server/

    Kind regards

    Anton

    Sent by Cisco Support technique iPad App
