Advanced Cisco ASA Security Appliance Configuration: URL Filtering

1. Lab objective:

Become familiar with ASA security configuration: filtering URLs

2. Lab environment and requirements

  1. Build a site on the WEB server and configure DNS
  2. Configure the ASA to filter specific URL addresses

3. Lab topology diagram

4. Configuration steps

4.1 Basic configuration

See the previous article, Cisco ASA Firewall Basic Configuration.

4.2 Set up the WEB site on the external server and configure DNS with two new zones

4.3 From the internal PC, verify that the external server's WEB site can be reached via both www.gz-benet.com.cn and www.kkgame.com

4.4 Configure the ASA to filter *.kkgame.com

conf t
access-list tcp_filter2 permit tcp any any eq www
class-map tcp_filter_class2
match access-list tcp_filter2
exit
regex url2 "\.kkgame\.com"
class-map type regex match-any url_class2
match regex url2
exit
class-map type inspect http http_url_class2
match request header host regex class url_class2
exit
policy-map type inspect http http_url_policy2
class http_url_class2
drop-connection log
exit
exit
policy-map inside_http_url_policy
class tcp_filter_class2
inspect http http_url_policy2
exit
exit
service-policy inside_http_url_policy interface inside

Reading the chain from the bottom up: `service-policy` attaches `inside_http_url_policy` to the inside interface; that policy sends only traffic matching `tcp_filter_class2` (TCP to port 80, selected by the `tcp_filter2` ACL) into HTTP inspection with `http_url_policy2`; the inspection policy drops and logs any connection whose `Host` request header matches the `url_class2` regex class, here the single pattern `\.kkgame\.com`. Two caveats: only plaintext HTTP on port 80 is inspected, so HTTPS to the same name is not affected by this policy, and the pattern is unanchored with a leading `\.`, so it matches `www.kkgame.com` but not the bare `kkgame.com`.

4.5 Test again from the internal PC: www.kkgame.com should now be blocked while www.gz-benet.com.cn still loads

4.6 Filtering multiple URL addresses

conf t
access-list tcp_filter2 permit tcp any any eq www
class-map tcp_filter_class2
match access-list tcp_filter2
exit
regex url2 "\.kkgame\.com"
regex url3 "\.gz-benet\.com\.cn"
class-map type regex match-any url_class2
match regex url2
match regex url3
exit
class-map type inspect http http_url_class2
match request header host regex class url_class2
exit
policy-map type inspect http http_url_policy2
class http_url_class2
drop-connection log
exit
exit
policy-map inside_http_url_policy
class tcp_filter_class2
inspect http http_url_policy2
exit
exit
service-policy inside_http_url_policy interface inside

Because `url_class2` already exists from step 4.4, the only new lines here are `regex url3 "\.gz-benet\.com\.cn"` and `match regex url3`; re-entering the rest is harmless. Further names are added the same way: one `regex` object per host name and one `match regex` line per object in the match-any class.

4.7 Test from the PC: neither address can be reached now
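The script below is an added example, not code from the original article, and it never talks to an ASA. It models the policy built in steps 4.4 and 4.6 offline: the port-80 ACL that selects which flows are inspected, the `match-any` regex class on the `Host` header, and the `drop-connection` action. Python's `re` module stands in for the ASA regex engine, which is an assumption; for the simple patterns involved the two agree. `STRICT_REGEXES` are suggested tightened patterns (anchored, apex allowed, optional `:port`) and are not from the article; the sample Host values and the IP 203.0.113.10 are constructed test input. `render_config` emits the step 4.6 CLI for any set of regexes.

```python
"""Offline model of the Host-header URL filter built in sections 4.4 and 4.6.

Added example, not code from the original article: it does not talk to an
ASA.  The ASA objects (regex, class-map type regex match-any, class-map type
inspect http matching the Host header, drop-connection, and the port-80 ACL
that selects which flows are inspected) are modelled with Python's `re`
module.  That is an assumption: the ASA regex engine is not Python's, but for
the simple patterns below both behave the same.
"""
import re
from typing import Dict, Optional, Tuple

# Exactly the patterns the article configures with 'regex url2 "..."' etc.
ARTICLE_REGEXES: Dict[str, str] = {
    "url2": r"\.kkgame\.com",
    "url3": r"\.gz-benet\.com\.cn",
}

# Assumed tightened patterns (not from the article): anchored to the whole
# Host value, match the bare apex too, and tolerate an explicit ":port".
STRICT_REGEXES: Dict[str, str] = {
    "url2": r"^(.*\.)?kkgame\.com(:[0-9]+)?$",
    "url3": r"^(.*\.)?gz-benet\.com\.cn(:[0-9]+)?$",
}

INSPECTED_PORTS = {80}  # access-list tcp_filter2 permit tcp any any eq www


def url_class_matches(regexes: Dict[str, str], host: Optional[str]) -> bool:
    """class-map type regex match-any url_class2: true if any regex matches."""
    if host is None:
        return False
    return any(re.search(pattern, host) for pattern in regexes.values())


def verdict(regexes: Dict[str, str], dst_port: int, host: Optional[str]) -> str:
    """What the inside service-policy does with one outbound HTTP request."""
    if dst_port not in INSPECTED_PORTS:
        return "not-inspected"      # class tcp_filter_class2 does not match
    if url_class_matches(regexes, host):
        return "drop-connection"    # action in policy-map type inspect http
    return "allow"


# Constructed sample requests from the inside PC: (destination port, Host header).
SAMPLE_REQUESTS = [
    (80, "www.kkgame.com"),
    (80, "www.kkgame.com:80"),            # a client may append the port
    (80, "kkgame.com"),                   # bare apex, no leading dot
    (80, "www.gz-benet.com.cn"),
    (80, "www.kkgame.com.example.net"),   # unrelated name containing the string
    (443, "www.kkgame.com"),              # HTTPS: Host is inside TLS, port not in ACL
    (80, "203.0.113.10"),                 # request by IP, no name in Host
]


def evaluate(regexes: Dict[str, str]) -> Dict[Tuple[int, str], str]:
    """Run every sample request through the policy; keyed by (port, host)."""
    return {(port, host): verdict(regexes, port, host) for port, host in SAMPLE_REQUESTS}


def render_config(regexes: Dict[str, str]) -> str:
    """Emit the section 4.6 ASA CLI for an arbitrary set of Host regexes."""
    lines = [
        "conf t",
        "access-list tcp_filter2 permit tcp any any eq www",
        "class-map tcp_filter_class2",
        " match access-list tcp_filter2",
        "exit",
    ]
    lines += [f'regex {name} "{pattern}"' for name, pattern in regexes.items()]
    lines.append("class-map type regex match-any url_class2")
    lines += [f" match regex {name}" for name in regexes]
    lines += [
        "exit",
        "class-map type inspect http http_url_class2",
        " match request header host regex class url_class2",
        "exit",
        "policy-map type inspect http http_url_policy2",
        " class http_url_class2",
        "  drop-connection log",
        " exit",
        "exit",
        "policy-map inside_http_url_policy",
        " class tcp_filter_class2",
        "  inspect http http_url_policy2",
        " exit",
        "exit",
        "service-policy inside_http_url_policy interface inside",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for label, regexes in (("article", ARTICLE_REGEXES), ("strict", STRICT_REGEXES)):
        print(f"== {label} patterns ==")
        for (port, host), result in evaluate(regexes).items():
            print(f"  :{port:<4} Host: {host:<30} -> {result}")
    print(render_config(STRICT_REGEXES))
```

Running it shows the gaps a tester should probe for in step 4.7: with the article's patterns the bare `kkgame.com` is allowed while the unrelated `www.kkgame.com.example.net` is dropped, and with either set nothing on port 443 is inspected because the ACL only selects port 80.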
