Let’s show the configuration steps needed to filter HTTP traffic to desired websites using the Cisco ASA inspection engine.

First step, define the list of domains we want to filter:

regex domain_1 "microsoft.com"  
regex domain_2 "cisco.com"  
regex domain_3 "vmware.com"

Define the regex class that will contain the domains list:

class-map type regex match-any domain_list  
 match regex domain_1  
 match regex domain_2  
 match regex domain_3

Add the inspection class that will handle the traffic:

class-map type inspect http match-all domain_class  
 match request header host regex class domain_list

Add the inspection policy and the action to perform when those domains are detected in the requests:

policy-map type inspect http domain_policy  
 parameters  
 class domain-class  
 reset log

If we want this policy enabled globally in our ASA we can add it to the default inspection. If we need to apply it to specific interfaces or only to some sources then we will need to add and configure additional policies and maybe add some access-lists to filter the origin of the traffic. For a simple example we will add it globally to the default policy:

policy-map global_policy  
 class inspection_default  
 inspect http domain-policy

And that’s all. Small remark, if we need to block all the requests and allow only the domains in our list then we need to change the match statement in the inspection class, like here:

class-map type inspect http match-all domain_class  
 match not request header host regex class domain_list

Cheers,