I realized I have underutilized my ASA5505 at home; I actually ignored the fact that it can do layer 7 inspection as well. I bumped into a post in the Cisco support forum where a user requested a “step-by-step configuration” to block users from downloading from the web. I had never done it before, so I searched for a solution on the web and eventually replied to him (perhaps he had already found the solution, which was great if he did).
There are many configuration guides that show users how to access the internet right away with their ASA, but very few posts (there are some nice ones) show how blocking and URL filtering is done. I did some research and found a Cisco document which guides the user through the process; of course, the rest is up to the user's ability to apply the configuration to all types of URL filtering requirements.
ASA has great built-in help
Some of you may not know this, though I believe many of you do: the Cisco ASA provides built-in help with configuration examples and detailed documentation, much like the Linux man pages. Here's an example:
cyruslab(config)# help regex

USAGE:
  [no] regex <regex_name> <regex_pattern>
  clear configure regex
  show running-config [all] regex

DESCRIPTION:
  regex  Configure a regular expression

SYNTAX:
  <regex_name>     Name for the regular expression; up to 40 characters.
  <regex_pattern>  A string defining a regular expression up to 100 characters.
                   Spaces are allowed if the regular expression is enclosed with '"'.

  A regular expression consists of alphanumeric characters and meta-characters.
  The following table shows the definition of the meta characters:

  ?       Question mark              Repeat 0 or 1 times
  *       Asterisk                   Repeat 0 or more times
  +       Plus                       Repeat 1 or more times
  {x}     Repeat quantifier          Repeat exactly x times
  {x,}    Minimum repeat quantifier  Repeat at least x times
  .       Dot                        Any one character
  [abc]   Character class            Any character listed
  [^abc]  Negated character class    Any character NOT listed
  [a-z]   Character range class      Any character listed inclusively in range
  |       Alternation                Matches either expression it separates
  ^       Caret                      Beginning of line
  \char   Escaped character          When char is a meta-character, matches the literal character
  char    Character                  When char is not a meta-character, matches the literal char
  \r      Carriage Return            Matches CR (0x0D)
  \n      Newline                    Matches NL (0x0A)
  \t      Tab                        Matches tab (0x09)
  \f      Formfeed                   Matches formfeed (0x0C)
  \xNN    Escaped hex character      Matches character with hexadecimal code 0xNN (0<=N<=F)
  \NNN    Escaped octal character    Matches character with octal code NNN (0<=N<=7)
  (expr)  Expression class           An expression itself which can be repeated

ALSO SEE:
  test

cyruslab(config)#
This help is the same as the Cisco guide; you can use the help command at any time to understand how commands are used, and it is not shameful to use it 🙂
Security policy requirements
Your customer requests that inside hosts should only browse the web and should not download content with the following extensions: zip, 7z, tgz, tar (tar.gz, tar.bz2), pdf, exe, vbs, vba, doc, xls, ppt, odt.
Classify the types of extensions
You decided to classify these extensions into meaningful type names for consistency and readability.
archive-type: zip, tgz, tar, 7z
doc-type: doc, xls, ppt, pdf, odt
exe-type: exe, vbs, vba
Create a regex for each type
regex archive-type1 ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"
regex archive-type2 ".*\.([Tt][Aa][Rr]\.([Gg][Zz]|[Bb][Zz]2)|7[Zz]) HTTP/1.[01]"
regex doc-type1 ".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|([Pp]){2}[Tt]) HTTP/1.[01]"
regex doc-type2 ".*\.([Pp][Dd][Ff]|[Oo][Dd][Tt]) HTTP/1.[01]"
regex exe-type1 ".*\.([Ee][Xx][Ee]|[Vv][Bb][Ss]|[Vv][Bb][Aa]) HTTP/1.[01]"
Create regexes for the Content-Type header and the application/* media type
Refer to this link for Content-Type.
regex application-header "application/.*"
regex content-type "Content-Type"
Classify the regexes that match the extension types
class-map type regex match-any ext-types
 match regex doc-type1
 match regex doc-type2
 match regex archive-type2
 match regex archive-type1
 match regex exe-type1
Capture the HTTP response whose Content-Type header carries an application/* value
class-map type inspect http match-all http-header-response
 match response header regex content-type regex application-header
Capture HTTP requests whose URI matches the class ext-types
class-map type inspect http match-all http-request
 match request uri regex class ext-types
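Before committing the regexes above to a firewall, it helps to check what they actually match. The following Python emulation of the ext-types regex class, the http-header-response class and the policy actions is an added example, not code from the original post or from Cisco; it assumes the ASA applies the URI regexes to the full request line ("GET /path HTTP/1.1"), as the Cisco example the post follows does, and that Python's re evaluates these constructs the same way the ASA engine does.

```python
import re

# Constructed copies of the page's ASA regex definitions, in the order the
# class-map ext-types lists them. Assumption: the ASA applies them to the full
# request line ("GET /path HTTP/1.1") and Python's re treats these constructs
# the same way the ASA regex engine does.
EXT_REGEXES = {
    "doc-type1": r".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|([Pp]){2}[Tt]) HTTP/1.[01]",
    "doc-type2": r".*\.([Pp][Dd][Ff]|[Oo][Dd][Tt]) HTTP/1.[01]",
    "archive-type2": r".*\.([Tt][Aa][Rr]\.([Gg][Zz]|[Bb][Zz]2)|7[Zz]) HTTP/1.[01]",
    "archive-type1": r".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]",
    "exe-type1": r".*\.([Ee][Xx][Ee]|[Vv][Bb][Ss]|[Vv][Bb][Aa]) HTTP/1.[01]",
}
CONTENT_TYPE = r"Content-Type"
APPLICATION_HEADER = r"application/.*"


def match_ext_types(request_line):
    """Emulate 'class-map type regex match-any ext-types': return the name of
    the first regex that matches, or None. ASA regex matching is a substring
    search, hence re.search rather than re.fullmatch."""
    for name, pattern in EXT_REGEXES.items():
        if re.search(pattern, request_line):
            return name
    return None


def match_header_response(header_lines):
    """Emulate 'class-map type inspect http match-all http-header-response':
    True when one response header line contains both regexes."""
    return any(re.search(CONTENT_TYPE, line) and re.search(APPLICATION_HEADER, line)
               for line in header_lines)


def policy_action(request_line, response_headers):
    """Mirror the page's policy-map: a matching request is reset (it arrives
    first), a matching response is dropped, anything else is allowed."""
    if match_ext_types(request_line):
        return "reset"
    if match_header_response(response_headers):
        return "drop-connection"
    return "allow"


# Constructed sample responses used to exercise the rules offline.
RESPONSE_ZIP = ["HTTP/1.1 200 OK", "Content-Type: application/zip"]
RESPONSE_JSON = ["HTTP/1.1 200 OK", "Content-Type: application/json"]
RESPONSE_HTML = ["HTTP/1.1 200 OK", "Content-Type: text/html; charset=utf-8"]

if __name__ == "__main__":
    for req in ("GET /reports/q1.PDF HTTP/1.1", "GET /tools/setup.tar.gz HTTP/1.1",
                "GET /backup.zip?token=abc HTTP/1.1", "GET /index.html HTTP/1.1"):
        print(req, "->", match_ext_types(req))
```

A request whose URI carries a query string matches none of the URI regexes, because each one requires the extension to sit right before " HTTP/1.x"; that is why the response-side Content-Type class matters. The same class also matches application/json responses, so check the web applications your inside hosts rely on before enabling the policy.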
HTTP is the interesting traffic
access-list http-traffic extended permit tcp any any eq www
access-list http-traffic extended permit tcp any any eq 8080
class-map http-traffic-class
 match access-list http-traffic
The policy will be applied to this interesting traffic.
Create a policy to prevent download attempts via HTTP
policy-map type inspect http block-http-download
 parameters
  protocol-violation action drop-connection log
 class http-header-response
  drop-connection log
 class http-request
  reset log
Apply the policy to the interesting traffic
policy-map inside-http
 class http-traffic-class
  inspect http block-http-download
Apply the policy to the interface to take effect
service-policy inside-http interface inside
Thanks a bunch! It is definitely a good webpage!