PIX/ASA URL Filtering Configuration Example

Document ID: 97277

Contents

- Introduction
- Prerequisites
- Components Used
- Conventions
- Background Information
- Configure the ASA/PIX with the CLI
- Network Diagram
- Identify the Filtering Server
- Configure the Filtering Policy
- Advanced URL Filtering
- Configuration
- Configure the ASA/PIX with ASDM
- Verify
- Troubleshoot
- NetPro Discussion Forums - Featured Conversations
- Related Information

Introduction

This document explains how to configure URL filtering on a security appliance. Filtering traffic has these advantages:

- It can help reduce security risks and prevent inappropriate usage.
- It can provide greater control over the traffic that passes through the security appliance.

Note: Because URL filtering is CPU-intensive, the use of an external filtering server ensures that the throughput of other traffic is not affected. However, based on the speed of your network and the capacity of your URL filtering server, the time required for the initial connection can be noticeably slower when traffic is filtered with an external filtering server.

Prerequisites

Components Used

The information in this document is based on these software and hardware versions:

- PIX 500 Series Security Appliance with version 6.2 and later
- ASA 5500 Series Security Appliance with version 7.x and later
- Adaptive Security Device Manager (ASDM) 6.0

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Background Information

You can filter connection requests that originate from a more secure network to a less secure network. Although you can use access control lists (ACLs) in order to prevent outbound access to specific content servers, it is difficult to manage usage this way because of the size and dynamic nature of the Internet. You can simplify configuration and improve security appliance performance with the use of a separate server that runs one of these Internet filtering products:

- Websense Enterprise filters HTTP, HTTPS, and FTP. It is supported by PIX firewall version 5.3 and later.
- Secure Computing SmartFilter, formerly known as N2H2, filters HTTP, HTTPS, and FTP, and supports long URL filtering. It is supported by PIX firewall version 6.2 and later.

Compared to the use of access control lists, this reduces the administrative task and improves filtering effectiveness. Also, because URL filtering is handled on a separate platform, the performance of the PIX firewall is much less affected. However, users can notice longer access times to websites or FTP servers when the filtering server is remote from the security appliance.

The PIX firewall checks outbound URL requests against the policy defined on the URL filtering server. The PIX firewall either permits or denies the connection, based on the response from the filtering server.

When filtering is enabled and a request for content is directed through the security appliance, the request is sent to the content server and to the filtering server at the same time. If the filtering server allows the connection, the security appliance forwards the response from the content server to the client that originated the request. If the filtering server denies the connection, the security appliance drops the response and sends a message or return code that indicates that the connection is not successful.

If user authentication is enabled on the security appliance, the security appliance also sends the user name to the filtering server. The filtering server can use user-specific filtering settings or provide enhanced reports with regard to usage.

Configure the ASA/PIX with the CLI

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

[Network diagram: URL filtering server in the DMZ, end users on the inside network, web server on the outside network; the image is not reproduced in this extract.]

In this example, the URL filtering server is located in a DMZ network. End users located inside the network try to access the web server located outside the network over the Internet. These steps are completed during the user request for the web server:

1. The end user browses to a page on the web server, and the browser sends an HTTP request.
2. After the security appliance receives this request, it forwards the request to the web server and simultaneously extracts the URL and sends a lookup request to the URL filtering server.
3. After the URL filtering server receives the lookup request, it checks its database in order to determine whether to permit or deny the URL. It returns a permit or deny status with a lookup response to the Cisco IOS® firewall.
4. The security appliance receives this lookup response and performs one of these functions:
   - If the lookup response permits the URL, it sends the HTTP response to the end user.
   - If the lookup response denies the URL, the URL filtering server redirects the user to its own internal web server, which displays a message that describes the category under which the URL is blocked. Thereafter, the connection is reset on both ends.

Identify the Filtering Server

You need to identify the address of the filtering server with the url-server command. You must use the appropriate form of this command based on the type of filtering server you use.

Note: For software version 7.x and later, you can identify up to four filtering servers for each context. The security appliance uses the servers in order until a server responds. You can only configure a single type of server, either Websense or N2H2, in your configuration.

Websense

Websense is third-party filtering software that can filter HTTP requests on the basis of these policies:

- destination hostname
- destination IP address
- keywords
- user name

The software maintains a URL database of more than 20 million sites organized into more than 60 categories and subcategories.

Software version 6.2:

url-server (if_name) vendor websense host local_ip timeout seconds protocol TCP version 1|4

The url-server command designates the server that runs the N2H2 or Websense URL filtering application. The limit is 16 URL servers. However, you can use only one application at a time, either N2H2 or Websense. Additionally, if you change your configuration on the PIX firewall, it does not update the configuration on the application server. This must be done separately, based on the instructions of the individual vendor.

Software version 7.x and later:

pix(config)# url-server (if_name) host local_ip timeout seconds protocol TCP | UDP connections num_conns

Replace if_name with the name of the security appliance interface that is connected to the filtering server. The default is inside. Replace local_ip with the IP address of the filtering server. Replace seconds with the number of seconds the security appliance must continue to try to connect to the filtering server. Use the protocol option in order to specify whether you want to use TCP or UDP. With a Websense server, you can also specify the version of TCP you want to use. TCP version 1 is the default. TCP version 4 allows the PIX firewall to send authenticated user names and URL logging information to the Websense server if the PIX firewall has already authenticated the user.

For example, in order to identify a single Websense filtering server, issue this command:

hostname(config)# url-server (DMZ) vendor websense host 5 protocol TCP version 4

Secure Computing SmartFilter

PIX version 6.2:

pix(config)# url-server (if_name) vendor n2h2 host local_ip:port number timeout seconds protocol TCP | UDP

Software versions 7.0 and 7.1:

hostname(config)# url-server (if_name) vendor n2h2 host local_ip:port number timeout seconds protocol TCP connections number | UDP connections num_conns

Software version 7.2 and later:

hostname(config)# url-server (if_name) vendor securecomputing | n2h2 host <local_ip> port <number> timeout <seconds> protocol TCP connections <number> | UDP

For the vendor securecomputing | n2h2 keyword, you can use securecomputing as the vendor string. However, n2h2 is acceptable for backward compatibility. When the configuration entries are generated, securecomputing is saved as the vendor string.

Replace if_name with the name of the security appliance interface that is connected to the filtering server. The default is inside. Replace local_ip with the IP address of the filtering server and port <number> with the desired port number.

Note: The default port used by the Secure Computing SmartFilter server to communicate with the security appliance with TCP or UDP is port 4005.

Replace seconds with the number of seconds the security appliance must continue to try to connect to the filtering server. Use the protocol option in order to specify whether you want to use TCP or UDP. The connections <number> is the number of times to attempt to make a connection between the host and server.

For example, in order to identify a single N2H2 filtering server, issue this command:

hostname(config)# url-server (DMZ) vendor n2h2 host 5 port 4444 timeout 45 proto tcp connections 10

Or, if you want to use default values, issue this command:

hostname(config)# url-server (DMZ) vendor n2h2 host 5

Configure the Filtering Policy

Note: You must identify and enable the URL filtering server before you enable URL filtering.

Enable URL Filtering

When the filtering server approves an HTTP connection request, the security appliance allows the reply from the web server to reach the client that originated the request. If the filtering server denies the request, the security appliance redirects the user to a block page that indicates that access is denied.

Issue the filter url command in order to configure the policy used to filter URLs:

PIX version 6.2:

filter url http | port[-port] local_ip local_mask foreign_ip foreign_mask [allow] [longurl-truncate | longurl-deny] [cgi-truncate]

Software version 7.x and later:

filter url http | port[-port] local_ip local_mask foreign_ip foreign_mask [allow] [longurl-truncate | longurl-deny] [cgi-truncate]

Replace port with the port number on which to filter HTTP traffic if a different port than the default port for HTTP (80) is used. In order to identify a range of port numbers, enter the start and end of the range separated by a hyphen.

With filtering enabled, the security appliance stops outbound HTTP traffic until a filtering server permits the connection. If the primary filtering server does not respond, the security appliance directs the filtering request to the secondary filtering server. The allow option causes the security appliance to forward HTTP traffic without filtering when the primary filtering server is unavailable.

Issue the proxy-block command in order to drop all requests to proxy servers.

Note: The remainder of the parameters are used in order to truncate long URLs.

Truncate Long HTTP URLs

The longurl-truncate option causes the security appliance to send only the host name or IP address portion of the URL for evaluation to the filtering server when the URL is longer than the maximum length permitted.

Use the longurl-deny option in order to deny outbound URL traffic if the URL is longer than the maximum permitted.

Use the cgi-truncate option in order to truncate CGI URLs to include only the CGI script location and the script name without any parameters.

This is a general filter configuration example:

hostname(config)# filter url http 9 55 all proxy-block longurl-truncate cgi-truncate

Exempt Traffic from Filtering

If you want to make an exception to the general filtering policy, issue this command:

filter url except local_ip local_mask foreign_ip foreign_mask

Replace local_ip and local_mask with the IP address and subnet mask of a user or subnetwork that you want to exempt from filtering restrictions.

Replace foreign_ip and foreign_mask with the IP address and subnet mask of a server or subnetwork that you want to exempt from filtering restrictions.

For example, this command causes all HTTP requests to 9, from the inside hosts, to be forwarded to the filtering server except for requests from host :

This is a configuration example for an exception:

hostname(config)# filter url except 255.255.255.255 9 55

Advanced URL Filtering

This section provides information about advanced filtering parameters, which include these topics:

- buffering
- caching
- long URL support

Buffer the Web Server Responses

When a user issues a request to connect to a content server, the security appliance sends the request to the content server and to the filtering server at the same time. If the filtering server does not respond before the content server, the server response is dropped. This delays the web server response from the point of view of the web client because the client must reissue the request.

If you enable the HTTP response buffer, replies from web content servers are buffered and the responses are forwarded to the client that makes the request if the filtering server allows the connection. This prevents the delay that can otherwise occur.

In order to buffer responses to HTTP requests, complete these steps:

1. In order to enable buffering of responses for HTTP requests that are pending a response from the filtering server, issue this command:

   hostname(config)# url-block block block-buffer-limit

   Replace block-buffer-limit with the maximum number of blocks to be buffered.

2. In order to configure the maximum memory available to buffer pending URLs, and to buffer long URLs with Websense, issue this command:

   hostname(config)# url-block url-mempool memory-pool-size

   Replace memory-pool-size with a value from 2 to 10240 for a maximum memory allocation of 2 KB to 10 MB.

Cache Server Addresses

After a user accesses a site, the filtering server can allow the security appliance to cache the server address for a certain amount of time, as long as every site hosted at the address is in a category that is permitted at all times. Then, when the user accesses the server again, or if another user accesses the server, the security appliance does not need to consult the filtering server again.

Issue the url-cache command if needed to improve throughput:

hostname(config)# url-cache dst | src_dst size

Replace size with a value for the cache size within the range 1 to 128 (KB).

Use the dst keyword in order to cache entries based on the URL destination address. Select this mode if all users share the same URL filtering policy on the Websense server.

Use the src_dst keyword in order to cache entries based on both the source address that initiates the URL request and the URL destination address. Select this mode if users do not share the same URL filtering policy on the Websense server.

Enable Filtering of Long URLs

By default, the security appliance considers an HTTP URL to be a long URL if it is greater than 1159 characters. You can increase the maximum length allowed for a single URL with this command:

hostname(config)# url-block url-size long-url-size

Replace long-url-size with the maximum size in KB for each long URL to be buffered.

For example, these commands configure the security appliance for advanced URL filtering:

hostname(config)# url-block block 10
hostname(config)# url-block url-mempool 2
hostname(config)# url-cache dst 100
hostname(config)# url-block url-size 2

Configuration

This configuration includes the commands described in this document:

ASA 8.0 Configuration

ciscoasa# show running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name S
enable password 2kxsYuz/BehvglCF encrypted
no names
dns-guard
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 22
!
interface GigabitEthernet0/1
 description INSIDE
 nameif inside
 security-level 100
 ip address 1
!
interface GigabitEthernet0/2
 description LAN/STATE Failover Interface
 shutdown
!
interface GigabitEthernet0/3
 description DMZ
 nameif DMZ
 security-level 50
 ip address
!
interface Management0/0
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name S
same-security-traffic permit intra-interface
pager lines 20
logging enable
logging buffer-size 40000
logging asdm-buffer-size 200
logging monitor debugging
logging buffered informational
logging trap warnings
logging asdm informational
logging mail debugging
logging from-address aaa
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
no failover
failover lan unit primary
failover lan interface interface GigabitEthernet0/2
failover link interface GigabitEthernet0/2
no monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
asdm history enable
arp t
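The "Configure the Filtering Policy" and "Advanced URL Filtering" sections above describe several settings that trade protection for availability or throughput: the allow keyword on filter url (traffic is forwarded unfiltered while the filtering server is unavailable), a policy without proxy-block, longurl-truncate (only the host part of an over-length URL is evaluated), url-cache dst (one cached verdict reused for every user) and a single url-server entry. The following is an added example, written for this page and not Cisco code: a small Python audit that reads those command lines out of a running-config text and reports them. The sample configs, addresses (RFC 5737 documentation ranges) and finding codes are constructed for the example.

```python
"""Audit the URL-filtering commands in an ASA/PIX running-config text.

Added example for this page (not Cisco code; it never talks to a device).
It parses url-server / filter url / url-cache lines as the document describes
them and flags the settings that weaken the filtering policy.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    code: str       # stable identifier for the issue (constructed names)
    severity: str   # high / medium / low / info
    line: str       # config line that triggered it
    message: str


# Constructed sample: the document's example commands with placeholder addresses.
SAMPLE_CONFIG = """\
hostname ciscoasa
url-server (DMZ) vendor websense host 192.0.2.10 timeout 30 protocol TCP version 4
filter url http 0 0 0 0 allow proxy-block longurl-truncate cgi-truncate
filter url except 198.51.100.20 255.255.255.255 0 0
url-block block 10
url-block url-mempool 2
url-cache dst 100
url-block url-size 2
"""

# Constructed hardened variant: two servers, no allow, longurl-deny, src_dst cache.
HARDENED_CONFIG = """\
url-server (DMZ) vendor websense host 192.0.2.10 timeout 30 protocol TCP version 4
url-server (DMZ) vendor websense host 192.0.2.11 timeout 30 protocol TCP version 4
filter url http 0 0 0 0 proxy-block longurl-deny cgi-truncate
url-block block 10
url-cache src_dst 100
"""


def audit_url_filtering(config: str) -> list:
    """Return a list of Finding objects for one running-config text."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    servers = [l for l in lines if l.startswith("url-server ")]
    policies = [l for l in lines if re.match(r"filter url (?!except\b)", l)]
    excepts = [l for l in lines if l.startswith("filter url except ")]
    caches = [l for l in lines if l.startswith("url-cache ")]
    findings = []

    if policies and not servers:
        findings.append(Finding("NO_URL_SERVER", "high", policies[0],
                                "filter url is set but no url-server is defined"))
    elif policies and len(servers) == 1:
        findings.append(Finding("SINGLE_SERVER", "info", servers[0],
                                "one filtering server; up to four are tried in order"))

    for line in policies:
        # filter url <port> <local_ip> <local_mask> <foreign_ip> <foreign_mask> [options]
        options = set(line.split()[7:])
        if "allow" in options:
            findings.append(Finding("FAIL_OPEN", "high", line,
                                    "allow forwards HTTP unfiltered when the "
                                    "filtering server is unavailable"))
        if "proxy-block" not in options:
            findings.append(Finding("NO_PROXY_BLOCK", "medium", line,
                                    "requests to proxy servers are not dropped"))
        if "longurl-truncate" in options:
            findings.append(Finding("LONGURL_TRUNCATE", "low", line,
                                    "only the host part of long URLs is evaluated"))

    for line in excepts:
        parts = line.split()
        # filter url except <local_ip> <local_mask> <foreign_ip> <foreign_mask>
        if len(parts) >= 7 and parts[5:7] == ["0", "0"]:
            findings.append(Finding("EXCEPT_ANY_DEST", "info", line,
                                    "exempt hosts reach every destination unfiltered"))

    for line in caches:
        if line.split()[1] == "dst":
            findings.append(Finding("CACHE_DST_SHARED", "info", line,
                                    "url-cache dst reuses verdicts across users; "
                                    "only valid if all users share one policy"))
    return findings


def finding_codes(config: str) -> list:
    """Sorted finding codes, convenient for comparing two configs."""
    return sorted(f.code for f in audit_url_filtering(config))


if __name__ == "__main__":
    for f in audit_url_filtering(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.code:17} {f.line}\n         {f.message}")
```

Run against the document's own example commands (with placeholder addresses) the audit reports the fail-open allow keyword, the longurl-truncate weakening, the shared dst cache, the any-destination exemption and the single server; the hardened variant produces no findings.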
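The request flow in "Background Information" and the numbered steps under "Network Diagram", together with the url-block buffering and url-cache dst versus src_dst behaviour in "Advanced URL Filtering", are easiest to reason about as a small model. The following is an added example written for this page, not Cisco code: a toy Python model of the appliance that forwards the request and the lookup at the same time, discards a content-server reply that arrives before the verdict unless buffering is on, and answers from the cache without a new lookup. The users, hosts, per-user policies and timings are constructed; the time values are arbitrary units.

```python
"""Toy model of the ASA/PIX URL-filtering request path described on this page.

Added example (not Cisco code).  It shows why url-cache dst is only safe when
every user shares one policy, and why url-block buffering avoids the dropped
reply when the content server answers before the filtering server.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FilterServer:
    """Per-user block lists standing in for the vendor's category database."""
    blocked: dict          # user name -> set of blocked host names (constructed)
    lookups: int = 0       # how many times the appliance asked us

    def lookup(self, user: str, host: str) -> bool:
        self.lookups += 1
        return host not in self.blocked.get(user, set())


@dataclass
class Appliance:
    server: FilterServer
    cache_mode: Optional[str] = None   # None, "dst" or "src_dst" (url-cache)
    buffer_blocks: int = 0             # url-block block <n>; 0 = no buffering
    cache: dict = field(default_factory=dict)

    def _key(self, src_ip: str, host: str):
        if self.cache_mode == "dst":
            return host                 # verdict keyed on destination only
        if self.cache_mode == "src_dst":
            return (src_ip, host)       # verdict keyed on source and destination
        return None

    def request(self, src_ip: str, user: str, host: str,
                lookup_delay: int, content_delay: int) -> str:
        """Outcome of one HTTP request: 'delivered', 'blocked' or 'dropped_retry'."""
        key = self._key(src_ip, host)
        if key is not None and key in self.cache:
            permitted = True            # the cache only ever holds permitted addresses
            lookup_delay = 0            # no round trip to the filtering server
        else:
            permitted = self.server.lookup(user, host)
            if permitted and key is not None:
                self.cache[key] = True
        if not permitted:
            return "blocked"            # reply dropped, user sent to the block page
        # The content server replied before the verdict arrived: without
        # url-block buffering the reply is discarded and the client must retry.
        if content_delay < lookup_delay and self.buffer_blocks == 0:
            return "dropped_retry"
        return "delivered"


def cache_mode_leak(mode: Optional[str]) -> str:
    """alice (nothing blocked) visits a host first; returns what bob then gets."""
    server = FilterServer(blocked={"alice": set(), "bob": {"news.example"}})
    asa = Appliance(server, cache_mode=mode)
    asa.request("10.0.0.1", "alice", "news.example", lookup_delay=5, content_delay=9)
    return asa.request("10.0.0.2", "bob", "news.example", lookup_delay=5, content_delay=9)


def repeat_visit_lookups(mode: Optional[str], visits: int = 3) -> int:
    """Filtering-server lookups generated by one host visiting one site repeatedly."""
    server = FilterServer(blocked={})
    asa = Appliance(server, cache_mode=mode)
    for _ in range(visits):
        asa.request("10.0.0.1", "alice", "www.example", lookup_delay=5, content_delay=9)
    return server.lookups


def slow_server_outcome(buffer_blocks: int) -> str:
    """Content server answers in 3 units, filtering server in 8."""
    asa = Appliance(FilterServer(blocked={}), buffer_blocks=buffer_blocks)
    return asa.request("10.0.0.1", "alice", "www.example", lookup_delay=8, content_delay=3)


if __name__ == "__main__":
    print("url-cache dst      -> bob gets:", cache_mode_leak("dst"))
    print("url-cache src_dst  -> bob gets:", cache_mode_leak("src_dst"))
    print("lookups, no cache / dst:", repeat_visit_lookups(None), repeat_visit_lookups("dst"))
    print("no url-block       ->", slow_server_outcome(0))
    print("url-block block 10 ->", slow_server_outcome(10))
```

With url-cache dst, bob's request for a host his policy blocks is served from the entry alice's permitted visit created, which is the case the page warns about when users do not share one policy; src_dst keys the entry on bob's own source address and forces a fresh lookup. The lookup counter shows the throughput gain the cache is meant for, and the two slow_server_outcome calls show the dropped-and-retried reply that url-block buffering removes.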
