Allow 192.168.0.0/24 to access the site www.out.com, and deny it access to the site www.kkgame.com.

ASA# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 100.0.0.2 255.255.255.252
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2745OAJS2l2oSQqc encrypted
regex urll "\.out\.com"
ftp mode passive
access-list 10 standard permit any
access-list dmz-to-inside extended permit tcp any host 192.168.1.2 eq www
access-list out-to-in extended permit tcp any host 192.168.1.2 eq www
access-list tcp-in extended permit tcp 192.168.0.0 255.255.255.0 any eq www
access-list out-to-dmz extended permit tcp any host 192.168.2.2 eq www
access-list dmz-to-out extended permit tcp any host 100.0.0.1 eq www
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group out-to-dmz in interface outside
access-group dmz-to-out in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map type regex match-any urll-out
match regex urll
class-map tcp-inside
match access-list tcp-in
class-map type inspect http match-all http-urll-out
match not request header host regex class urll-out
!
!
policy-map type inspect http http-url-out
parameters
class http-urll-out
  drop-connection log
policy-map inside-http-url-out
class tcp-inside
  inspect http http-url-out
!
service-policy inside-http-url-out interface inside
prompt hostname context
Cryptochecksum:b8f570c38a4cd2ded04312c6fcf89010
: end

Detailed configuration:

Restrict the specified hosts to sites under the .out.com suffix and deny them access to every other site

access-list tcp-filter permit tcp 192.168.0.0 255.255.255.240 any eq www
class-map tcp-filter-class
 match access-list tcp-filter
 exit
regex urll "\.out\.com"
class-map type regex match-any url-class
 match regex urll
 exit
class-map type inspect http http-url-class
 match not request header host regex class url-class
 exit
policy-map type inspect http http-url-policy
 class http-url-class
  drop-connection log
  exit
 exit
policy-map inside-http-url-policy
 class tcp-filter-class
  inspect http http-url-policy
  exit
 exit
service-policy inside-http-url-policy interface inside

Verification: a client in the subnet specified above can only reach www.out.com and cannot reach www.kkgame.com.

A client outside that subnet can reach both sites.



Deny all hosts access to the site www.kkgame.com

access-list tcp-filter2 permit tcp any any eq www
class-map tcp-filter-class2
 match access-list tcp-filter2
 exit
regex url2 "\.kkgame\.com"
class-map type regex match-any url-class2
 match regex url2
 exit
class-map type inspect http http-url-class2
 match request header host regex class url-class2
 exit
policy-map type inspect http http-url-policy2
 class http-url-class2
  drop-connection log
  exit
 exit
policy-map inside-http-url-policy
 class tcp-filter-class2
  inspect http http-url-policy2
  exit
 exit
service-policy inside-http-url-policy interface inside
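The two sections above hinge on two ASA behaviours that are easy to get backwards: an inspect-http class-map with `match not` fires (and so drop-connection fires) for every Host header that does not contain the regex, which is what the first section wants (only .out.com survives) but is the opposite of what the second section wants (only .kkgame.com is dropped, so that class-map must use `match`, not `match not`); and a flow is handled by the first Layer-3/4 class in the policy-map that selects it, so the /28 hosts are judged by tcp-filter-class alone and everyone else by tcp-filter-class2. The Python below is an added illustration, not Cisco code or configuration from this page: it models the policy-map inside-http-url-policy as an ordered class list, evaluates constructed sample requests (the source IPs and host names are assumptions) against it, and also runs the kkgame class with the inverted `match not` form so the effect of the wrong polarity is visible. The regexes are applied exactly as on the page, as unanchored substring matches on the Host header.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed model of the two ASA policies on this page (illustration, not
# Cisco code).  Each entry is one Layer-3/4 class of the service policy on the
# inside interface: the source network from its access-list, the regex class
# that its HTTP inspection tests the Host header against, and whether the
# inspect class-map is written "match not" (negate=True) or "match" (negate=False).
REGEX_OUT = re.compile(r"\.out\.com")        # regex urll
REGEX_KKGAME = re.compile(r"\.kkgame\.com")  # regex url2


def build_policy(kkgame_negate=False):
    """Return the ordered class list of policy-map inside-http-url-policy.

    kkgame_negate=True reproduces a kkgame class-map written with "match not",
    so evaluate() can show that it inverts the intended result.
    """
    return [
        {   # class tcp-filter-class: hosts in 192.168.0.0/28 may only reach .out.com,
            # so the inspect class matches every Host header that does NOT contain it
            "name": "tcp-filter-class",
            "src": ip_network("192.168.0.0/255.255.255.240"),
            "host_regex": REGEX_OUT,
            "negate": True,
        },
        {   # class tcp-filter-class2: any source, drop connections to .kkgame.com
            "name": "tcp-filter-class2",
            "src": ip_network("0.0.0.0/0"),
            "host_regex": REGEX_KKGAME,
            "negate": kkgame_negate,
        },
    ]


def evaluate(policy, src_ip, host):
    """Decide one HTTP request: returns ('drop' | 'permit', class name or None).

    ASA applies a feature such as inspection from the first Layer-3/4 class that
    selects the flow and ignores later classes for that flow, so class order
    inside the policy-map matters.
    """
    src = ip_address(src_ip)
    for cls in policy:
        if src not in cls["src"]:
            continue
        regex_hit = cls["host_regex"].search(host) is not None
        # "match not" inverts the regex result; the inspect class matches when the
        # (possibly inverted) result is true, and its action is drop-connection.
        inspect_class_matches = regex_hit != cls["negate"]
        return ("drop" if inspect_class_matches else "permit", cls["name"])
    return ("permit", None)  # no class selected the flow: no inspection applied


if __name__ == "__main__":
    # Constructed sample requests: (source IP, Host header)
    samples = [
        ("192.168.0.5", "www.out.com"),
        ("192.168.0.5", "www.kkgame.com"),
        ("192.168.1.50", "www.out.com"),
        ("192.168.1.50", "www.kkgame.com"),
        ("192.168.1.50", "www.example.com"),
    ]
    for label, policy in (("match", build_policy()), ("match not", build_policy(True))):
        print(f"--- kkgame class-map written with '{label}' ---")
        for src_ip, host in samples:
            print(f"{src_ip:>14} -> {host:<16} {evaluate(policy, src_ip, host)}")
```

Running it shows that with the kkgame class written as `match`, a host outside the /28 reaches www.out.com and www.example.com but is dropped for www.kkgame.com, whereas the `match not` variant drops everything except kkgame. The model covers only what the page configures: port 80 flows selected by the access-lists, judged on the Host header; it says nothing about HTTPS or about the TCP handshake that completes before inspection sees the request.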


clear configure service-policy
clear configure policy-map
clear configure class-map
clear configure regex
clear configure access-list