Using the ASA to filter URLs

! ACLs will identify the protocol and port of the packets your filter will be checking
! This example is to block domains so www and https packets will be checked
!
access-list BLOCK_HTTPDOMAINS remark Defines packets to be checked in filter
access-list BLOCK_HTTPDOMAINS extended permit tcp any any eq www
access-list BLOCK_HTTPDOMAINS extended permit tcp any any eq https
!
! Individual named regex entries will define each separate domain to be filtered
!
regex DOMAIN01 "\.facebook\.com"
regex DOMAIN02 "\.myspace\.com"
regex DOMAIN03 "\.twitter\.com"
!
! Assign the ACL packet definition to a class map
!
class-map BLOCKHTTP_CLASS
  match access-list BLOCK_HTTPDOMAINS
!
! Define a class map to contain regex entries, with match any
!
class-map type regex match-any DOMAINBLOCK_LIST
  match regex DOMAIN01
  match regex DOMAIN02
  match regex DOMAIN03
!
! New class map with nested regex class map that defines the type 'inspect'
!
class-map type inspect http match-all DOMAINBLOCK_CLASS
  match request header host regex class DOMAINBLOCK_LIST
!
policy-map type inspect http HTTP_INSPECT_POLICY
  match request method connect
    drop-connection log
  class DOMAINBLOCK_CLASS
    reset log
!
! Nested policy maps
!
policy-map INSIDE_POLICY
  class BLOCKHTTP_CLASS
    inspect http HTTP_INSPECT_POLICY
!
! Apply to either the global policy or a specific inside policy (this example)
!
service-policy INSIDE_POLICY interface INSIDE
!

Changing ISPs aka Remote Move of ASA

You have a remote site that is changing ISPs perhaps it has grown and needs a bigger pipe or perhaps you are just saving money by changing carriers. Regardless of the reason there is an ASA present at that site and your users are not IT. The users can however move the Ethernet cable from provider one to provider two but you have to make changes to the ASA. The ASA however is going to need three changes in order to function with the new provider:

1. New IP Address / Subnet Mask on the outside interface
2. Removal of old default route
3. Addition of new default route

Faced with this challenge I figured certainly I am not the first person with remote ASAs that need to work on a new network. Hi ho hi ho off a googling I go, found nothing, so went to wikipedia, netpro, cisco wikipedia (huge disappointment) and even spoke with some fellow engineers. Had some ideas but none of them worked, at last forced with no choice I turned to the TAC.

Bad news, there is no way to accomplish this change without being on the inside of the ASA, so sayeth the TAC!

Dear Mr. Chambers can you turn a battalion of your programmers to this task? Want to know how important it is? Come lets talk someone through the above three steps….. Thank you John! I can call you John can’t I?

I am Not Unimportant Enough to have a Blog!

About ten years ago, someone told me about these cell phone thingamagies people were starting to carry around. They seemed like a neat idea. One day a friend asked me when I was going to get one. “I’m not important enough for a cell phone,” I answered. Who did I need to talk to on a moment’s notice? What was I doing that was so important that it couldn’t wait for me to get to a land line? Nothing.

But now I have an iphone! At some point, cell phones became ubiquitous, a virtual necessity for daily life. I am no more important now than I was ten years ago, so I can only conclude that cell phones have become less important to match me. For all of that, I sometimes wonder how I once lived without mine.
But after a bit more thought it occurred to me: so many people are blogging these days, it has become a near-omnipresent social phenomenon. It has become unimportant, and I am just unimportant enough to be a part of it, with that said

I created this blog to help share the various special tricks, secrets, undocumented (or poorly documented), features of the Cisco ASA. This is what I will primarily be posting about but since its my blog there might be the occasional political observation and joke shared, sometimes they will be one in the same!