Block Access to Facebook on Cisco ASA with MPF

KB ID 0000054

Problem

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module; however, on an ASA5505 that's not an option. If you want to throw in a quick solution to stop your staff going to Facebook during work time, then this is the best solution.

NOTE: This can be used for any web site; simply add a regex for each URL you want to block.

Solution

1. Log into your firewall, enter enable mode, then enter configure terminal mode.

[box]

User Access Verification

password: *******
Type help or '?' for a list of available commands. 
PetesASA> enable
Password: ******** 
PetesASA# conf t 
PetesASA(config)#

[/box]

2. The first thing we are going to do is write a "Regular Expression" that matches Facebook. (Repeat the line, adding domainlist2, 3, etc. for each additional domain you need to block.)

[box]

PetesASA(config)#
PetesASA(config)# regex domainlist1 "facebook.com"
PetesASA(config)#

[/box]

3. Now we are going to create a "Class-map" which will include our regular expression. (Note: for additional domains you would simply add multiple match commands.)

[box]

PetesASA(config)#
PetesASA(config)# class-map type regex match-any DomainBlockList
PetesASA(config-cmap)# match regex domainlist1
PetesASA(config-cmap)#

[/box]

4. We are now going to create a second class map. This one is for HTTP inspection and uses the first class map we created; it basically says "this class map is for HTTP inspection and will inspect for what we declared in the first class map" (i.e. inspect the HTTP Host header for any instance of facebook.com).

[box]

PetesASA(config)#
PetesASA(config)# class-map type inspect http match-all BlockDomainsClass
PetesASA(config-cmap)# match request header host regex class DomainBlockList
PetesASA(config-cmap)#

[/box]

5. Now, to apply these class-maps we need to use a policy. The rule for policies is: you can have tons of policies, but you can only apply one global policy, AND you can also have one policy per interface. So here I'll create a policy for HTTP inspection and use the classes we created above. The action "reset log" tears down the matching connection and logs it.

[box]

PetesASA(config)#
PetesASA(config)# policy-map type inspect http http_inspection_policy
PetesASA(config-pmap)# class BlockDomainsClass
PetesASA(config-pmap-c)# reset log
PetesASA(config-pmap-c)#

[/box]

6. Then to knit everything together, I’m going to embed this policy in my firewalls global policy.

[box]

PetesASA(config)#
PetesASA(config)# policy-map global_policy
PetesASA(config-pmap)# class inspection_default
PetesASA(config-pmap-c)# inspect http http_inspection_policy
PetesASA(config-pmap-c)#

[/box]

7. Note: Above I've assumed you have the default global policy. If you haven't, this will not apply until you have applied the global_policy globally; this is done with a service-policy command. Check to see if you already have this command in your config, or simply execute the command and the firewall will tell you, like so….

Note: If it does not error then it was NOT applied 🙂

[box]

PetesASA(config)#
PetesASA(config)# service-policy global_policy global
WARNING: Policy map global_policy is already configured as a service policy
PetesASA(config)#

[/box]

8. Don't forget to save the config with a "write mem" command.

If you want to have this on a policy of its own, applied to an interface rather than on the Global Policy here is some working code to copy and paste (Credit to Aniket Rodrigues).

[box]

regex BLOCKED_DOMAIN_1 "www.facebook.com"
access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS extended permit tcp any any eq http
class-map type regex match-any CLASS_MAP_BLOCKED_DOMAIN_LIST
match regex BLOCKED_DOMAIN_1
class-map type inspect http match-all CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
match request header host regex class CLASS_MAP_BLOCKED_DOMAIN_LIST
class-map CLASS_MAP_HTTP_TRAFFIC
match access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS
policy-map type inspect http POLICY_MAP_HTTP_INSPECTION
parameters
class CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
drop-connection log
policy-map POLICY_MAP_OUTSIDE_INTERFACE
class CLASS_MAP_HTTP_TRAFFIC
inspect http POLICY_MAP_HTTP_INSPECTION
service-policy POLICY_MAP_OUTSIDE_INTERFACE interface outside

[/box]
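As an added illustration (a test harness written for this article, not ASA code), the following Python approximates how the ASA compares the HTTP Host header with the regex written in step 2, using constructed Host values: the unescaped dot and the missing anchors mean the class-map also matches other hosts that merely contain the string, and since only plain HTTP is inspected, HTTPS sessions are never examined at all. The anchored, escaped pattern is an assumed tightened alternative, not something from the original article.

```python
import re

# Added test harness (not ASA code): approximates how the ASA's
# "match request header host regex class" compares the Host header with the
# regex list. Both engines treat an unescaped '.' as "any character" and apply
# no anchors unless you write them.
LOOSE = ["facebook.com"]                 # exactly as typed in the article
STRICT = [r"^(.*\.)?facebook\.com$"]     # assumed tightened form: dot escaped, whole value anchored

# Constructed Host header values, as a browser would send them in plain HTTP.
# (HTTPS is not inspected by "inspect http", so none of this applies to TLS.)
HOSTS = [
    "www.facebook.com",
    "facebook.com",
    "notfacebook.com",             # a different site that merely contains the string
    "facebook.com.example.net",    # another site with the string as a leading label
    "facebookXcom",                # the unescaped dot matches any character
    "example.net",
]

def host_is_reset(patterns, host):
    """True if any regex in the class-map matches, i.e. the ASA would reset the connection."""
    return any(re.search(p, host) for p in patterns)

def compare(hosts=HOSTS):
    """Return {host: (loose_result, strict_result)} so the two regex lists can be compared."""
    return {h: (host_is_reset(LOOSE, h), host_is_reset(STRICT, h)) for h in hosts}

if __name__ == "__main__":
    for host, (loose, strict) in compare().items():
        print(f"{host:28} loose={'RESET' if loose else 'allow':5} strict={'RESET' if strict else 'allow'}")
```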

Related Articles, References, Credits, or External Links

NA

Enabling NetFlow on Cisco ASA

KB ID 0000055

Problem

Cisco NetFlow lets you export information about traffic flows. It was originally written for router IOS, but is now available on the Cisco ASA, which uses NSEL (NetFlow Secure Event Logging). (Note: the ASA uses NetFlow version 9, the newest at time of writing.)

Note: NetFlow cannot give you "live" data, but it can show you what has happened over a period of time. Remember that, like any other "logging", this will have an adverse effect on the firewall (depending on how busy it is).

Setting this up is a two-step process: the firewall is configured as the NetFlow "Exporter", then you install an application that accepts and collates that information, the NetFlow "Collector".

Solution

1. Log into your firewall via CLI and enter enable mode, then enter configure terminal mode.

[box]

User Access Verification
Password:********
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# conf t
PetesASA(config)#

[/box]

2. We haven't set one up yet, but we need to let the firewall know the IP address that the NetFlow "Collector" will be running on; in this case I'm going to use 10.254.254.234. (Note: the port number on the end is arbitrary, it just has to match the UDP port your collector listens on; 2055 is the usual choice.)

[box]

PetesASA(config)#
PetesASA(config)# flow-export destination inside 10.254.254.234 2055
PetesASA(config)#

[/box]

3. The next command delays the export of flow-create events by 15 seconds. If a connection is torn down within that window, the ASA sends only the teardown record instead of separate create and teardown records, which cuts down the export volume.

[box]

PetesASA(config)#
PetesASA(config)# flow-export delay flow-create 15
PetesASA(config)#

[/box]

4. Now we are going to set the rate (in minutes) at which the templates are re-sent; if you do not do this it will default to 30 minutes. The collector cannot decode any data records until it has received the matching template, so a short interval means it starts showing data quickly.

[box]

PetesASA(config)#
PetesASA(config)# flow-export template timeout-rate 1
PetesASA(config)#

[/box]

5. I'm going to apply this with the default global-policy, because most of you will have one. (Though I notice every 8.2(1) 5505 I've put in recently does NOT have one, so check.)

[box]

PetesASA(config)# policy-map global_policy
PetesASA(config-pmap)# class class-default
PetesASA(config-pmap-c)# flow-export event-type all destination 10.254.254.234
PetesASA(config-pmap-c)# exit

[/box]

6. If you haven't got a global policy, this will not apply until you have applied the global_policy globally; this is done with a service-policy command. Check to see if you already have this command in your config, or simply execute the command and the firewall will tell you, like so….

Note: If it does not error then it was NOT applied 🙂

[box]

PetesASA(config)#
PetesASA(config)# service-policy global_policy global
WARNING: Policy map global_policy is already configured as a service policy
PetesASA(config)#

[/box]

7. Don't forget to save the config with a "write mem" command.

8. Now go to the machine you want to install your NetFlow collector software on. I prefer Plixer Scrutinizer because it's free and easy to set up. Connect to it via the built-in web site (username admin, password admin) > Click Status > Expand Ungrouped > Expand the firewall > Flow templates > Pick one.

9. There’s your throughput 🙂
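As an added example (not ASA or Scrutinizer code), this Python builds a constructed NetFlow v9 export, the format NSEL uses, and runs it through a minimal collector to show why the template refresh set with "flow-export template timeout-rate" matters: data records that arrive before their template cannot be decoded and are lost until the next template comes in. The template ID, field list and addresses are all made up for the demonstration.

```python
import struct

# Added example (not ASA or collector code): a constructed NetFlow v9 export, as ASA NSEL
# sends, fed to a tiny collector. Types 8 = IPV4_SRC_ADDR, 12 = IPV4_DST_ADDR (standard v9 IDs).
FIELDS = [(8, 4), (12, 4)]          # constructed template: (type, length) pairs
TEMPLATE_ID = 256                   # data template IDs start at 256

def v9_header(count, seq):
    # version, FlowSet count, sysUptime (ms), UNIX seconds, sequence number, source ID
    return struct.pack("!HHIIII", 9, count, 1000, 1_600_000_000, seq, 1)

def template_flowset():
    # FlowSet ID 0 carries templates: template ID, field count, then (type, length) pairs
    body = struct.pack("!HH", TEMPLATE_ID, len(FIELDS)) + b"".join(struct.pack("!HH", *f) for f in FIELDS)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def data_flowset(src, dst):
    # A data FlowSet is labelled with the ID of the template its records follow
    rec = bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))
    return struct.pack("!HH", TEMPLATE_ID, 4 + len(rec)) + rec

def collect(packet, templates):
    """Decode one v9 packet; `templates` persists across packets, as in a real collector."""
    off, records, undecodable = 20, [], 0             # FlowSets start after the 20-byte header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                                # template FlowSet: learn the record layout
            tid, nfields = struct.unpack("!HH", body[:4])
            templates[tid] = [struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i]) for i in range(nfields)]
        elif fs_id in templates:                      # data FlowSet whose template we hold
            fields, pos = templates[fs_id], 0
            rec_len = sum(flen for _, flen in fields)
            while pos + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:            # IPv4 fields here, so render dotted
                    rec[ftype] = ".".join(str(b) for b in body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        else:
            undecodable += 1                          # data before its template: unusable
        off += fs_len
    return records, undecodable

def demo():
    templates = {}
    data = data_flowset("10.254.254.10", "192.0.2.80")                       # constructed flow
    before = collect(v9_header(1, 1) + data, templates)                      # started mid-stream
    after = collect(v9_header(2, 2) + template_flowset() + data, templates)  # refresh arrives
    return (len(before[0]), before[1]), (len(after[0]), after[1]), after[0]
```

Running demo() shows the first packet yielding no records and one undecodable FlowSet, and the second packet, which carries the template, yielding the decoded flow.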

Related Articles, References, Credits, or External Links

NA

Cisco ASA 5500 Allowing Tracert

KB ID 0000753

Problem

I'd always assumed that, as Tracert uses ICMP, simply adding ICMP inspection on the ASA would let Tracert commands work. A client of mine was having some comms problems and wanted to test comms from his remote DR site; he had enabled time-exceeded and unreachable on the ASA (for inbound traffic) and that had worked. I checked the default inspection map and found inspect ICMP was there?

As it turns out Tracert does NOT NEED ICMP inspection, though there are a few tweaks you need to do to make it run correctly.

Solution

1. From a Windows client if I try and Tracert to an external IP address, this is what I would see.

2. My first task is to get the ASA itself to reply to me. Unlike most network devices, the ASA does not decrease the 'hop count' (TTL) as traffic passes through it; to rectify this we need to make a small change to the global inspection policy, like so;

[box]

Sent username "pix"
Type help or '?' for a list of available commands.
Petes-ASA>
Petes-ASA> enable
Password: *******
Petes-ASA# configure terminal
Petes-ASA(config)# policy-map global_policy
Petes-ASA(config-pmap)# class class-default
Petes-ASA(config-pmap-c)# set connection decrement-ttl
Petes-ASA(config-pmap-c)# exit
Petes-ASA(config-pmap)# exit
Petes-ASA(config)#

[/box]

3. Now when we re-run our Tracert we see the ASA responds, but nothing else does. To rectify that we need to allow IN some ICMP traffic.

4. Before you can add an ACL you need to see if you already have one. We are applying an ACL to the outside interface for traffic going in (I call this inbound for obvious reasons). To see if you already have an ACL applied, issue the following command;

[box]

Petes-ASA# show run access-group
 access-group inbound in interface outside
 access-group outbound in interface inside

[/box]

Note: In the example above we have an ACL called inbound that we MUST use. (If you applied a new one, all the access list entries for the old one would get 'un-applied'.) If yours has a different name (e.g. outside_access_in), then use that instead of the ACL name I'm using here. If you DON'T have an access-group entry for inbound traffic then we will do that at the end!

5. At this point you should know if you have an ACL. Mine's called inbound, so I need to add two lines to it, like so;

[box]

Petes-ASA(config)# access-list inbound extended permit icmp any any time-exceeded
Petes-ASA(config)# access-list inbound extended permit icmp any any unreachable

[/box]

Then: Only carry out the following command if you DO NOT HAVE an ACL applied for incoming traffic.

[box]

Petes-ASA(config)# access-group inbound in interface outside

[/box]

6. Try your Tracert again.

7. Don’t forget to save the changes on the ASA.

[box]

Petes-ASA(config)# write mem
Building configuration…
Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96

3965 bytes copied in 1.490 secs (3965 bytes/sec)
[OK]

[/box]

Related Articles, References, Credits, or External Links

Cisco Firewalls and PING