ASA5505: Allow web surfing but disallow download with websense

I realized I have under utilized my ASA5505 at home, I actually ignored the fact that it can do layer7 inspection as well. I bumped into a post in Cisco support forum where a user requested “step-by-step configuration” to block user to download from the web. I had never done it before, so I searched for solution from the web and eventually replied him (perhaps he had already found the solution, which was great if he did.).

There are many configuration guides that showed user how to access the internet right away with their ASA but very few (there are some nice posts) posts showed how blocking and URL filtering is done. I did a research a found a Cisco documentation which guides user through the process, of course the rest is up to user’s ability to apply the configuration in all types of url filtering requirement.

ASA has great built-in help
Some of you may not know this but I believe many of you do, that is Cisco ASA provides help with configuration examples and detailed documentation which is the same as the Linux MAN pages. Here’s an example:

cyruslab(config)# help regex


        [no] regex <regex_name> <regex_pattern>
        clear configure regex
        show running-config [all] regex


regex    Configure a regular expression


<regex_name>    Name for the regular expression;
                up to 40 characters.

<regex_pattern> A string defining a regular expression
                up to 100 characters.  Spaces are allowed
                if the regular expression is enclosed with '"'.
                A regular expression consists of alphanumeric
                characters and meta-characters.  The following table
                shows the definition of the meta characters:

                ?       Question mark              Repeat 0 or 1 times
                *       Asterisk                   Repeat 0 or more times
                +       Plus                       Repeat 1 or more times
                {x}     Repeat quantifier          Repeat exactly x times
                {x,}    Minimum repeat quantifier  Repeat at least x times
                .       Dot                        Any one character
                [abc]   Character class            Any character listed
                [^abc]  Negated character class    Any character NOT listed
                [a-z]   Character range class      Any character listed
                                                   inclusively in range
                |       Alternation                Matches either expression
                                                   it separates
                ^       Caret                      Beginning of line
                \       Escaped character          When char is a meta-
                                                   character, matches
                                                   the literal character
                char    Character                  When char is not a meta-
                                                   character, matches the
                                                   literal char
                \r      Carriage Return            Matches CR (0x0D)
                \n      Newline                    Matches NL (0x0A)
                \t      Tab                        Matches tab (0x09)
                \f      Formfeed                   matches formfeed (0x0C)
                \xNN    Escaped hex character      Matches character with
                                                   hexadecimal code 0xNN
                \NNN    Escaped octal character    Matches character with
                                                   octal code NNN  (0<=N<=7)
                (expr)  Expression class           An expression itself
                                                   which can be repeated

ALSO SEE:       test


This help is the same as the Cisco guide, you can use help command to understand how commands are used anytime, and it is not shameful to use it 🙂

Security policy requirements
Your customer requests that inside hosts should only surf the web and should not download contents with extensions: zip, 7z, tgz, tar (tar.gz, tar.bz2), pdf, exe, vbs, vba, doc, xls, ppt, odt.

Classify the types of extensions
You decided to classify these extensions into meaningful extension names for consistency and readability.

archive-type: zip, tgz, tar, 7z
doc-type: doc, xls, ppt, pdf, odt
exe-type: exe, vbs, vba

Create regex for each type

regex archive-type1 ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"
regex archive-type2 ".*\.([Tt][Aa][Rr].([Gg][Zz]|[Bb][Zz]2)|7[Zz]) HTTP/1.[01]"
regex doc-type1 ".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|([Pp]){2}[Tt]) HTTP/1.[01]"
regex doc-type2 ".*\.([Pp][Dd][Ff]|[Oo][Dd][Tt]) HTTP/1.[01]"
regex exe-type1 ".*\.([Ee][Xx][Ee]|[Vv][Bb][Ss]|[Vv][Bb][Aa]) HTTP/1.[01]"

Create regex for Content-Type Application/*
Refer to this link for Content-Type.

regex application-header "application/*"
regex content-type "Content-Type"

Classify regex that matches the extension types

class-map type regex match-any ext-types
 match regex doc-type1
 match regex doc-type2
 match regex archive-type2
 match regex archive-type1
 match regex exe-type1

Capture the http response that contains content-type and application/* header

class-map type inspect http match-all http-header-response
 match response header regex content-type regex application-header

Capture http request packet that matches the class ext-types

class-map type inspect http match-all http-request
 match request uri regex class ext-types

HTTP is the interesting traffic

access-list http-traffic extended permit tcp any any eq www
access-list http-traffic extended permit tcp any any eq 8080
class-map http-traffic-class
 match access-list http-traffic

The policy will be applied to this interesting traffic.

Create policy to prevent download attempt via http request

policy-map type inspect http block-http-download
  protocol-violation action drop-connection log
 class http-header-response
  drop-connection log
 class http-request
  reset log

Apply policy on the interesting traffic

policy-map inside-http
 class http-traffic-class
  inspect http block-http-download

Apply the policy onto interface to take effect

service-policy inside-http interface inside
This entry was posted in ASA/PIX, Security and tagged , , , , , , . Bookmark the permalink.

One Response to ASA5505: Allow web surfing but disallow download with websense

  1. Homepage says:

    Thanks a bunch! It is definitely an good webpage!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s