Cisco ASA’s en HTTP / L7 inspection

With Cisco ASA’s you can open HTTP network traffic so you can inspect it and even block websites if you want to. Remember that this only works for non-encrypted traffic, if you want to inspect encrypted traffic you gonna need a solution where you can do a MITM (Man In The Middle) attack.

Here you have a very simple example where the dutch website “” is being blocked for clients in VLAN 10 with a IPv4 address in the network.

access-list ACL-CMAP-VLAN10-HTTP extended permit tcp any eq www
class-map type regex match-any CMAP-REGEX-HTTP
match regex URL-AUTOBLOG.NL
class-map CMAP-VLAN10-HTTP
match access-list ACL-CMAP-VLAN10-HTTP
policy-map type inspect http PMAP-VLAN10-HTTP
match request header host regex class CMAP-REGEX-HTTP
reset log

service-policy PMAP-VLAN10 interface VLAN10