
ASA blocking Web access (Advanced HTTP Inspection)

By Nguyen Hoang Long


VnPro
Using the ASA to block Web access (Advanced HTTP Inspection)


I. Description:
Perform HTTP inspection with the requirement that access to the following websites is not allowed: nhacso.net,
nghenhac.info, mp3.zing.vn, nhac.vui.vn

Perform ICMP inspection so that returning ICMP echo replies are accepted without having to configure an ACL

II. Configuration
ASA(config)# no nat-control

Create the regex values:
ASA(config)# regex URL_1 "nhacso\.net"
ASA(config)# regex URL_2 "nghenhac\.info"
ASA(config)# regex URL_3 "mp3\.zing\.vn"
ASA(config)# regex URL_4 "nhac\.vui\.vn"

Check that the defined regex is valid
ASA(config)# test regex www.nhacso.net "nhacso\.net"
INFO: Regular expression match succeeded.

Configure a class-map that groups the regexes into one class
ASA(config)# class-map type regex match-any URL
ASA(config-cmap)# match regex URL_1
ASA(config-cmap)# match regex URL_2
ASA(config-cmap)# match regex URL_3
ASA(config-cmap)# match regex URL_4

Define the inspect class-map for HTTP (layer 7 class-map)
ASA(config)# class-map type inspect http HTTP

Set the match condition
ASA(config-cmap)# match request header host regex class URL

Define the inspect policy-map for HTTP (layer 7 policy-map)
ASA(config)# policy-map type inspect http HTTP
ASA(config-pmap)# class HTTP

Specify the action to take when the condition matches
ASA(config-pmap-c)# reset log

Define the layer 3/4 class-map
ASA(config)# class-map HTTP_TRAFFIC
ASA(config-cmap)# match port tcp eq 80

Define the layer 3/4 policy-map
ASA(config)# policy-map HTTP_POLICY
ASA(config-pmap)# class HTTP_TRAFFIC

Attach the layer 7 policy-map
ASA(config-pmap-c)# inspect http HTTP

Apply the layer 3/4 policy-map to the inside interface
ASA(config)# service-policy HTTP_POLICY interface inside

Enable ICMP inspection, which tracks ICMP state so that echo replies are allowed back without an ACL
ASA(config)# policy-map global_policy
Enable the inspection inside class inspection_default
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp
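As an added illustration (not part of the original lab and not ASA code), the Python model below reproduces the decision the policy above makes: a flow must first hit class-map HTTP_TRAFFIC (TCP port 80), then the Host header is searched with the four regexes of class-map URL, and a hit triggers the reset action. The host names in the comments are constructed; they show that the patterns are unanchored substring searches and that anything not on port 80 (such as HTTPS) is never inspected by this policy.

```python
import re

# Constructed model of the page's ASA policy (not ASA code): the four regex
# objects grouped by the match-any regex class-map URL, the layer-7 class-map
# HTTP that matches the Host header, and the layer-3/4 class-map HTTP_TRAFFIC
# that only catches TCP port 80.
URL_REGEXES = {
    "URL_1": r"nhacso\.net",
    "URL_2": r"nghenhac\.info",
    "URL_3": r"mp3\.zing\.vn",
    "URL_4": r"nhac\.vui\.vn",
}
HTTP_TRAFFIC_PORT = 80  # class-map HTTP_TRAFFIC: match port tcp eq 80


def matched_regex(host):
    """Return the name of the first regex in class-map URL that matches the
    Host header, or None. ASA regexes match anywhere in the string unless
    anchored with ^ or $, so re.search is the right approximation here."""
    for name, pattern in URL_REGEXES.items():
        if re.search(pattern, host):
            return name
    return None


def policy_action(dst_port, host):
    """Decide what service-policy HTTP_POLICY on the inside interface does
    with a request: 'not-inspected', 'allow' or 'reset'."""
    if dst_port != HTTP_TRAFFIC_PORT:
        # class-map HTTP_TRAFFIC does not match, so inspect http never runs
        # (e.g. HTTPS on 443 to the same site passes untouched).
        return "not-inspected"
    if matched_regex(host) is not None:
        # policy-map type inspect http HTTP -> class HTTP -> reset log
        return "reset"
    return "allow"


if __name__ == "__main__":
    for port, host in [(80, "www.nhacso.net"), (443, "www.nhacso.net"),
                       (80, "nhacso.net.example.org"), (80, "vui.vn")]:
        print(port, host, "->", policy_action(port, host))
```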

III. Full configuration

GATEWAY
!
hostname GATEWAY
!
!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 192.168.1.0 255.255.255.0 192.168.2.1
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!

ASA
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
regex URL_1 "nhacso\.net"
regex URL_2 "nghenhac\.info"
regex URL_3 "mp3\.zing\.vn"
regex URL_4 "nhac\.vui\.vn"
ftp mode passive
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.2.2 1
timeout xlate 3:00:00
!
class-map HTTP_TRAFFIC
match port tcp eq www
class-map type regex match-any URL
match regex URL_1
match regex URL_2
match regex URL_3
match regex URL_4
class-map type inspect http match-all HTTP
match request header host regex class URL
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http HTTP
parameters
class HTTP
reset log
policy-map HTTP_POLICY
class HTTP_TRAFFIC
inspect http HTTP
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
service-policy HTTP_POLICY interface inside
prompt hostname context
Cryptochecksum:5c95986550b4487314e418bb01c2f180
: end

IV. Verification
Make sure logging is enabled so that the log messages are displayed

ASA(config)# logging on
ASA(config)# logging console notifications

Browse to the URLs that were defined in the regexes

%ASA-5-415008:HTTP - matched Class 22: HTTP in policy-map HTTP, header matched - Resetting connection from inside:192.168.1.2/1193 to outside: 123.30.51.29/80
%ASA-5-304001: 192.168.1.2 Accessed URL 123.30.51.29:/



%ASA-5-415008: HTTP - matched Class 22: HTTP in policy-map HTTP, header matched - Resetting connection from inside:192.168.1.2/1199 to outside: 222.255.122.16/80
%ASA-5-304001: 192.168.1.2 Accessed URL 222.255.122.16:/

All of these connections are reset, so the access fails. URLs that are not covered by the regexes, however, can still be
accessed normally.
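A small parser for the two syslog messages shown above, added here as an example (it is not part of the original document). The sample text is constructed from the page's own log lines, re-joined so that each message sits on one line as the ASA emits it; the field names are this example's own choice.

```python
import re
from collections import Counter

# Constructed sample built from the page's own log lines.
SAMPLE_LOG = """\
%ASA-5-415008: HTTP - matched Class 22: HTTP in policy-map HTTP, header matched - Resetting connection from inside:192.168.1.2/1193 to outside: 123.30.51.29/80
%ASA-5-304001: 192.168.1.2 Accessed URL 123.30.51.29:/
%ASA-5-415008: HTTP - matched Class 22: HTTP in policy-map HTTP, header matched - Resetting connection from inside:192.168.1.2/1199 to outside: 222.255.122.16/80
%ASA-5-304001: 192.168.1.2 Accessed URL 222.255.122.16:/
"""

# 415008: the inspect-http policy matched a class and reset the connection.
# The ASA sometimes prints "outside: 1.2.3.4" with a space, hence the \s*.
RESET_RE = re.compile(
    r"%ASA-5-415008:\s*HTTP - matched Class (?P<class_id>\d+): (?P<class_name>\S+) "
    r"in policy-map (?P<policy>\S+), header matched - Resetting connection from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>\w+):\s*(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
# 304001: URL access record written by the HTTP inspection engine.
URL_RE = re.compile(r"%ASA-5-304001: (?P<src_ip>[\d.]+) Accessed URL (?P<url>\S+)")


def parse_resets(log_text):
    """Return one dict per 415008 message with the fields worth pivoting on."""
    events = []
    for line in log_text.splitlines():
        m = RESET_RE.search(line)
        if m:
            d = m.groupdict()
            d["src_port"] = int(d["src_port"])
            d["dst_port"] = int(d["dst_port"])
            events.append(d)
    return events


def resets_per_client(log_text):
    """Count resets by inside client IP; a client that keeps generating these
    is repeatedly trying to reach the blocked sites."""
    return Counter(e["src_ip"] for e in parse_resets(log_text))


def parse_url_accesses(log_text):
    """Return one dict per 304001 message (client IP and URL)."""
    return [m.groupdict() for m in map(URL_RE.search, log_text.splitlines()) if m]


if __name__ == "__main__":
    print(resets_per_client(SAMPLE_LOG))
```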



Receiving the echo-reply without an ACL




ASA(config)# sh conn
1 in use, 17 most used
ICMP out 69.89.22.108:0 in 192.168.1.2:1024 idle 0:00:00 bytes 32



ASA(config)# sh service-policy interface inside inspect http

Interface inside:
Service-policy: HTTP_POLICY
Class-map: HTTP_TRAFFIC
Inspect: http HTTP, packet 479, drop 7, reset-drop 7
protocol violations
packet 0
class HTTP
reset log, packet 7