<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ASA and BASIC URL filtering in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621151#M1036270</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Is there any way to do this using URL's/URI's rather than IP's? With the multiple IP setup that many websites have, blocking by IP becomes rather cumbersome rather quickly. Thanks&lt;/P&gt;&lt;P&gt;----&lt;/P&gt;&lt;P&gt;Israel Brewster&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 05 Dec 2006 19:43:21 GMT</pubDate>
    <dc:creator>ibrewster</dc:creator>
    <dc:date>2006-12-05T19:43:21Z</dc:date>
    <item>
      <title>ASA and BASIC URL filtering</title>
      <link>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621148#M1036267</link>
      <description>&lt;P&gt;I did a quick search, and found some related threads, but nothing that really definitively answered my question. My organization needs to do some BASIC URL filtering- just block a couple of websites such as myspace.com and the like- obviously, for something like this, we don't need the cost or complexity of commercial solutions such as a Websense server. My question for the group is: is there a way to set up an ASA 5510 for this type of basic filtering? If not, as what I have seen would appear to imply, might someone have a suggestion for some other, preferably free, solution?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;On a related note, if this is not possible with the ASA, then what exactly does the service policy and associated HTTP Inspection map section of the ASA do (not the filter, but the service policy)? The documentation I have been able to find has just left me confused- it would seem to be geared towards people who already know what the feature is/does, and just want to know how to set it up.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for any assistance anyone can provide&lt;/P&gt;&lt;P&gt;--------&lt;/P&gt;&lt;P&gt;Israel Brewster&lt;/P&gt;&lt;P&gt;Computer support Technician&lt;/P&gt;&lt;P&gt;Frontier Flying Service&lt;/P&gt;&lt;P&gt;Fairbanks, AK&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 09:01:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621148#M1036267</guid>
      <dc:creator>gpedretty</dc:creator>
      <dc:date>2019-03-11T09:01:53Z</dc:date>
    </item>
    <item>
      <title>Re: ASA and BASIC URL filtering</title>
      <link>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621149#M1036268</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You can use the shun command or a class map. The only issue is you will need to look up the IP address for the sites and block them, or block the sub-net if you can find their block on ARIN.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Shun example:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;shun x.x.x.x&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Class-map example:&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080624e19.shtml" target="_blank"&gt;http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080624e19.shtml&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 29 Nov 2006 03:01:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621149#M1036268</guid>
      <dc:creator>mike.neilson</dc:creator>
      <dc:date>2006-11-29T03:01:42Z</dc:date>
    </item>
    <item>
      <title>Re: ASA and BASIC URL filtering</title>
      <link>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621150#M1036269</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks, that worked, although it would appear that the shun command is not saved across restarts. This is easily worked around, however, by blocking the IP's in the firewall rather than with the shun command. This method does, of course, have the caveat that you need to track down all the IP's for the problem site- I take it there is no way to do this by blocking the URL without needing some commercial product? Thanks.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 29 Nov 2006 20:01:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621150#M1036269</guid>
      <dc:creator>gpedretty</dc:creator>
      <dc:date>2006-11-29T20:01:52Z</dc:date>
    </item>
    <item>
      <title>Re: ASA and BASIC URL filtering</title>
      <link>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621151#M1036270</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Is there any way to do this using URL's/URI's rather than IP's? With the multiple IP setup that many websites have, blocking by IP becomes rather cumbersome rather quickly. Thanks&lt;/P&gt;&lt;P&gt;----&lt;/P&gt;&lt;P&gt;Israel Brewster&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 05 Dec 2006 19:43:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621151#M1036270</guid>
      <dc:creator>ibrewster</dc:creator>
      <dc:date>2006-12-05T19:43:21Z</dc:date>
    </item>
    <item>
      <title>Re: ASA and BASIC URL filtering</title>
      <link>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621152#M1036271</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Am I to assume from the lack of response that what I want to do isn't possible? What if we were to get one of the add-on cards for the ASA- could we do this sort of thing then? I guess what this boils down to is what is the cheapest/easiest way to filter traffic based on the URL rather than the IP, preferably without having to add more hardware/software to our network. I'd appreciate any feedback on the subject. Thanks.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 21 Dec 2006 03:51:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621152#M1036271</guid>
      <dc:creator>ibrewster</dc:creator>
      <dc:date>2006-12-21T03:51:19Z</dc:date>
    </item>
    <item>
      <title>Re: ASA and BASIC URL filtering</title>
      <link>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621153#M1036272</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have also the same predicament. I am currently working on an ASA5520 with CSC SSM on it. I'm trying to test URL blocking, but I'm not successful. Is it absolutely necessary to have Websense or N2H2 to successfully filter or block URLs? I want to know if ASA CSC SSM can do the URL blocking by itself. Is there somebody in Cisco who can give us a definitive answer about the CSC? I tried to read the "Online HELP" but it does not seem to give any help at all.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Lorenz&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 21 Dec 2006 06:38:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621153#M1036272</guid>
      <dc:creator>l.tating</dc:creator>
      <dc:date>2006-12-21T06:38:44Z</dc:date>
    </item>
    <item>
      <title>Re: ASA and BASIC URL filtering</title>
      <link>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621154#M1036273</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I don't think you can do this with the ASA in solo. I would recommend an alternative- why not install a 'free' Squid-based proxy server? This will give you much more control, reporting, caching even, if needed. I wouldn't feel comfortable with having all my internal clients pointing straight at my firewall, in any case. I believe the latest version of ASA code also supports WCCP (as I believe Squid does- though I haven't tried it), so you can make this a semi-transparent proxy without setting up proxy config on the workstations.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;regards&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Gary &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 22 Dec 2006 11:12:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621154#M1036273</guid>
      <dc:creator>0r8it</dc:creator>
      <dc:date>2006-12-22T11:12:59Z</dc:date>
    </item>
    <item>
      <title>Re: ASA and BASIC URL filtering</title>
      <link>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621155#M1036274</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;There are two options that you can use on the CSC-SSM, both do require the use of the Plus license.&lt;/P&gt;&lt;P&gt;First if you only want to block a few sites by name, i.e. myspace.com, you can use the URL Blocking portion of CSC.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The other method would be to use URL Filtering, this is a service on the CSC that will allow categorization of websites from TrendLabs and allow an administrator to allow or block web pages based on category, similar to Websense/N2H2.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you have this configured and it is not blocking, you should check first that you have URL Blocking/Filtering enabled and second that you have a security policy set up correctly to forward web traffic to the CSC.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;To do that you would create a class-map that matches www and then create a policy-map that enables CSC scanning and then tie the policy to either an interface or the global configuration.  A simple CLI configuration of this is below:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;class-map www-class&lt;/P&gt;&lt;P&gt; match port tcp eq www&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;policy-map outside_policy&lt;/P&gt;&lt;P&gt;class www-class&lt;/P&gt;&lt;P&gt; csc fail-open&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;service-policy outside_policy interface outside&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 22 Dec 2006 22:57:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621155#M1036274</guid>
      <dc:creator>ryan_holland</dc:creator>
      <dc:date>2006-12-22T22:57:43Z</dc:date>
    </item>
    <item>
      <title>Re: ASA and BASIC URL filtering</title>
      <link>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621156#M1036275</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I too have been looking for a "cheap" way to block just myspace, youtube, just the basic non-work sites. Funny thing is, the simplest way I found (I regret to admit on a Cisco site): I put the one guy who can't stay away from myspace behind a $20 Netgear and told it to block the keyword myspace. He can't even search for it on Google. Now why can't a PIX do what a $20 Netgear does? Of course the $20 Netgear can't do what the PIX does.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Just a strange scenario&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 05 Jul 2007 01:27:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621156#M1036275</guid>
      <dc:creator>sdesteuben</dc:creator>
      <dc:date>2007-07-05T01:27:39Z</dc:date>
    </item>
    <item>
      <title>Re: ASA and BASIC URL filtering</title>
      <link>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621157#M1036276</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi dear&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Even you can use the DNS to resolve the IP address for the particular site, after that make an access list to block the IPs. It is the very cheap and best solution.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;shivlu&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 05 Jul 2007 03:21:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621157#M1036276</guid>
      <dc:creator>shivlu jain</dc:creator>
      <dc:date>2007-07-05T03:21:59Z</dc:date>
    </item>
    <item>
      <title>Re: ASA and BASIC URL filtering</title>
      <link>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621158#M1036277</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;It is pretty trivial to block myspace and youtube for example. Just ping &lt;A class="jive-link-custom" href="http://www.myspace.com" target="_blank"&gt;http://www.myspace.com&lt;/A&gt; and &lt;A class="jive-link-custom" href="http://www.youtube.com" target="_blank"&gt;http://www.youtube.com&lt;/A&gt; and you will get the IP address for them.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For &lt;A class="jive-link-custom" href="http://www.myspace.com" target="_blank"&gt;http://www.myspace.com&lt;/A&gt; you get 216.178.38.130&lt;/P&gt;&lt;P&gt;Then you go to &lt;A class="jive-link-custom" href="http://www.arin.net" target="_blank"&gt;http://www.arin.net&lt;/A&gt; and plug in that IP address and ARIN will spit out the CIDR for that range. 216.178.32.0/20&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;And just create an object group called bannedsites, stick the IP CIDRs of areas you want to block in the object group, then create an ACL using the object group that blocks traffic outbound to those networks from the inside interface out (PIX by default allows all traffic from the inside out). Just do not forget to put a permit any any at the end.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You can even turn on logging to log who is attempting to access those sites.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 08 Jul 2007 02:59:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621158#M1036277</guid>
      <dc:creator>bhorta</dc:creator>
      <dc:date>2007-07-08T02:59:29Z</dc:date>
    </item>
    <item>
      <title>Re: ASA and BASIC URL filtering</title>
      <link>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621159#M1036278</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Which is exactly what I have ended up doing, it's just not as nice or easy as simply saying "block myspace.com" &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 09 Jul 2007 14:55:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621159#M1036278</guid>
      <dc:creator>ibrewster</dc:creator>
      <dc:date>2007-07-09T14:55:19Z</dc:date>
    </item>
    <item>
      <title>Re: ASA and BASIC URL filtering</title>
      <link>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621160#M1036279</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;How did you do it?  I tried it and was still able to nav to myspace and youtube.  If you can please let me know.  I used the ASDM to configure the rule.  Was that my mistake?  Thank you in advance for all your help.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Josiah&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 07 Sep 2007 18:09:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621160#M1036279</guid>
      <dc:creator>scc_fwnaps</dc:creator>
      <dc:date>2007-09-07T18:09:11Z</dc:date>
    </item>
    <item>
      <title>Re: ASA and BASIC URL filtering</title>
      <link>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621161#M1036280</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I used ASDM as well, so it should work just fine. For MySpace I ended up blocking 216.178.32.0 with a netmask of 255.255.240.0. This was determined by pinging &lt;A class="jive-link-custom" href="http://www.myspace.com" target="_blank"&gt;www.myspace.com&lt;/A&gt;, taking the IP address that gives me, and then running a whois on that IP (i.e. whois 216.178.38.104) - the value you are looking for is the CIDR or NetRange. In ASDM, I then set up a rule to deny incoming on the inside interface from all to the previously determined net range, protocol ip. This has worked for me so far with all sites I have tried to block.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 07 Sep 2007 19:33:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621161#M1036280</guid>
      <dc:creator>ibrewster</dc:creator>
      <dc:date>2007-09-07T19:33:38Z</dc:date>
    </item>
    <item>
      <title>Re: ASA and BASIC URL filtering</title>
      <link>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621162#M1036282</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Sweet, worked for me from ASDM.&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 20 Dec 2007 15:06:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621162#M1036282</guid>
      <dc:creator>sarah.doyle</dc:creator>
      <dc:date>2007-12-20T15:06:40Z</dc:date>
    </item>
    <item>
      <title>Re: ASA and BASIC URL filtering</title>
      <link>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621163#M1036284</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Yes, it is working successfully for my ASA 5505.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 02 Jan 2008 11:06:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-and-basic-url-filtering/m-p/621163#M1036284</guid>
      <dc:creator>kamran.cisco</dc:creator>
      <dc:date>2008-01-02T11:06:06Z</dc:date>
    </item>
  </channel>
</rss>

