Cisco – https url filtering on Cisco ASA 5520

ciscocisco-asacisco-iosfirewall

I'm aware that you can use the ASA's URL filtering to filter URLs being accessed with regular expressions, but I'm curious if there is a way to filter which URLs can be accessed from the Internet to an internal webserver if the traffic is encrypted.

We will want to be able to limit connections to our WepSphere server to specific URL requests. ie: www.websphereyl.com/lawson/myfile and not www.websphereyl.com/lawson/yourfiles etc…

An example scenario would be someone hits our websphere server from the Internet, which has NAT/PAT setup on the ASA to allow it access via TCP port 443. Could we restrict the URLs that can be accessed with the ASA? I'm thinking that URL filtering will not work because it's SSL traffic, but wanted to see what you guys thought.

Best Answer

You are correct, if all the ASA sees is an HTTPS request, then the TCP payload is encrypted, which prevents the ASA's URL filtering (or any other TCP payload inspection).

Typically, url filtering is done by an http reverse-proxy or load-balancer (like Cisco's ACE/CSM, F5 LTM, or Citrix Netscaler to name a few). The devices I mentioned can also offload SSL encryption from your web server pool as well.

Offloading SSL before you perform payload scrubbing / inspection has some significant advantages. By off-loading your encryption at a load-balancer, the IDS / IPS / Firewall can also see the raw HTTP traffic, which means it can spot application-layer attacks and it generally gives you better protection, if that's a priority.

Related Solutions

Cisco ASA – Configuring Spoke-to-Spoke with NAT 9.1

This is a really old post, and that's a complex set of requirements. But I'll try to answer this question for anyone else who may be looking to do a similar thing.

First, a diagram:

Now, some notes:

I did not actually test this in a lab, but it should work in real life.
I chose not to do the VPN1<->VPN2 NAT on the HQ, although you can using nat (outside,ouside) .... In order to keep the HQ config more simple, I have the spokes do their own NAT towards each other.
Because of the PAT on VPN2, no traffic will be able to enter VPN2 unless it originated from there. I assume that's what you wanted. If not, just create a twice NAT (a.k.a., A manual NAT) higher up in the order to do something different, instead.

Now, the code:

!! VPN1
access-list crypto_vpn1_acl permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list crypto_vpn1_acl permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
object network obj_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network obj_192.168.200.0_24
 subnet 192.168.200.0 255.255.255.0
object network obj_10.4.0.0_24
 subnet 10.4.0.0 255.255.255.0
object network obj_10.5.0.0_24
 subnet 10.5.0.0 255.255.255.0
nat (inside,outside) source static obj_10.5.0.0_24 obj_10.5.0.0_24 dest static obj_10.4.0.0_24 obj_10.4.0.0_24
nat (inside,outside) source static obj_10.5.0.0_24 obj_192.168.200.0 dest static obj_192.168.1.0_24 obj_192.168.1.0_24
route outside 10.4.0.0 255.255.255.0 x.x.x.x
route outside 192.168.1.0 255.255.255.0 x.x.x.x

!! HQ
same-security-traffic permit intra-interface
access-list crypto_vpn1_acl permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list crypto_vpn1_acl permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list crypto_vpn2_acl permit ip 10.4.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list crypto_vpn2_acl permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
object network obj_10.4.0.0_24
 subnet 10.4.0.0 255.255.255.0
object network obj_10.5.0.0_24
 subnet 10.5.0.0 255.255.255.0
object network obj_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static obj_10.4.0.0_24 obj_10.4.0.0_24 dest static obj_10.5.0.0_24 obj_10.5.0.0_24
nat (inside,outside) source static obj_10.4.0.0_24 obj_10.4.0.0_24 dest static obj_192.168.1.0_24 obj_192.168.1.0_24
route outside 10.5.0.0 255.255.255.0 x.x.x.x
route outside 192.168.1.0 255.255.255.0 x.x.x.x

!! VPN2
access-list crypto_vpn2_acl permit ip 192.168.1.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list crypto_vpn2_acl permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
object network obj_10.5.0.0_24
 subnet 10.5.0.0 255.255.255.0
object network obj_pat_address
 host 192.168.1.1
object network obj_10.4.0.0_24
 subnet 10.4.0.0 255.255.255.0
object network obj_192.168.200.0_24
 subnet 192.168.200.0 255.255.255.0
nat (inside,outside) source static obj_10.5.0.0_24 obj_pat_address dest static obj_10.4.0.0_24 obj_10.4.0.0_24
nat (inside,outside) source dynamic obj_10.5.0.0_24 obj_pat_address dest static obj_192.168.200.0_24 obj_192.168.200.0_24
route outside 10.4.0.0 255.255.255.0 x.x.x.x
route outside 192.168.200.0 255.255.255.0 x.x.x.x

Hope this helps somebody.

Cisco ASA5505 Clientless VPN/CIFS Configuration Questions

After a long period of experimentation and follow-up with Cisco, I've got the following answers:

There is no recycle bin equivalent when deleting CIFS files from a Windows server via the clientless VPN.
There is no way to enable any kind of confirmation dialogue for file deletions at this point in time. So people can be trying to click the "favourite" button, be off by a millimetre, and accidentally delete with no confirmation and no trash to recover from. :-( They've put in the ability to turn on confirmations as a feature request, but there's no timeline on when it might be implemented. So guess we won't be using this feature, which is sad.
I added our nbns server to the Cisco config, and now clicking the Browse entire network button shows me the domain. However, when I click on the domain, it says "Failed to retrieve servers". A had a support tech look at this, and he said the config all looks fine, and he found a few other instances of this for other users. He said he'd investigate and get back to me.

While waiting, I disabled file browsing. A few days later, when he wanted me to show him the issue, I turned it back on and it was working! (There's still a second domain showing in there that isn't on my nbns server...still no idea what the deal is with that. But the real domain is working.) So I don't know if the browsing just basically needed a kick in the pants after I added the nbns server config? No idea. But it's okay now.

Having some links that use the clientless VPN and some that don't is in fact possible through content-rewrite rules (http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/vpn_clientless_ssl.html#wp2389515)

"By default, the security appliance rewrites, or transforms, all clientless traffic. You might not want some applications and web resources (for example, public websites) to go through the ASA. The ASA therefore lets you create rewrite rules that let users browse certain sites and applications without going through the ASA. This is similar to split-tunneling in an IPSec VPN connection."

However - and I have confirmation of this from a Cisco support rep to back up my test results - this does not work in combination with SSO. If you're using the rewrite rules you cannot send parameters of any kind.

Best Answer

Related Solutions

Cisco ASA – Configuring Spoke-to-Spoke with NAT 9.1

Cisco ASA5505 Clientless VPN/CIFS Configuration Questions

Related Topic