topic Blocking websites with ASA in Network Security

Blocking websites with ASA

networker99 — Mon, 11 Mar 2019 21:19:05 GMT

I understand the ASA has limited functionality with website blocking, and that you have to create regular expressions. If you do this is it possible to create groups for the regular expressions? for example certain MAC addresses can get to all websites but others are restricted from some.

Blocking websites with ASA

Maykol Rojas — Wed, 31 Aug 2011 18:11:27 GMT

Hello,

Not really with mac-address but with IPs. You will match the hosts using ACLS.

Thanks.

Mike

Blocking websites with ASA

networker99 — Wed, 31 Aug 2011 18:16:34 GMT

Thank you for your reply, please could you post an example?

Blocking websites with ASA

Maykol Rojas — Wed, 31 Aug 2011 18:23:18 GMT

Here it goes:

access-list urlfilter permit tcp host x.x.x.x any eq 80

class-map httptraffic

match access-list urlfilter

regex domainlist3 "\.facebook\.com"

class-map type regex match-any DomainBlockList

match regex domainlist3

class-map type inspect http match-all BlockDomainsClass

match request header host regex class DomainBlockList

policy-map type inspect http http_inspection_policy

class BlockDomainsClass

reset log

policy-map inside-policy

class httptraffic

inspect http http_inspection_policy

service-policy inside-policy interface inside

If you denote, it is the same configuration posted here

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

However, the only thing you need to modify is the class map called http traffic, which has the host that are going to match this policy.

Hope it helps.

Mike

Blocking websites with ASA

networker99 — Wed, 31 Aug 2011 18:37:11 GMT

okay great, so 2 questions.. would the following work? and am I correct in assuming that only those IP addresses listed in "urlfilter' will be subject to the filtering? and all others will be permitted?

access-list urlfilter permit tcp host 192.168.1.50 any eq 80

access-list urlfilter permit tcp host 192.168.1.51 any eq 80

access-list urlfilter permit tcp host 192.168.1.52 any eq 80

access-list urlfilter permit tcp host 192.168.1.53 any eq 80

class-map httptraffic

match access-list urlfilter

regex domainlist1 "\.facebook\.com"

regex domainlist2 "\.twitter\.com"

regex domainlist3 "\.myspace\.com"

regex domainlist4 "\.youtube\.com"

class-map type regex match-any DomainBlockList

match regex domainlist1

match regex domainlist2

match regex domainlist3

match regex domainlist4

class-map type inspect http match-all BlockDomainsClass

match request header host regex class DomainBlockList

policy-map type inspect http http_inspection_policy

class BlockDomainsClass

reset log

policy-map inside-policy

class httptraffic

inspect http http_inspection_policy

service-policy inside-policy interface inside

Blocking websites with ASA

Maykol Rojas — Wed, 31 Aug 2011 18:49:52 GMT

Correct! Only the IP addresses under urlfilter will be hitting this policy.

Mike Rojas

Security Technical Lead

Blocking websites with ASA

networker99 — Wed, 31 Aug 2011 18:51:20 GMT

Great, and the config looked okay? also rather than individual IPs, can I specify a subnet in the urlfilter list?

Blocking websites with ASA

Maykol Rojas — Wed, 31 Aug 2011 19:15:28 GMT

Hi,

Yes, it does look ok, you can specify subnets there too. In case you need to allow just one host on a subnet, you can also include a deny statement on that same access list so that one single host is not affected but the rest of the subnet is.

Mike

Blocking websites with ASA

networker99 — Wed, 31 Aug 2011 19:25:34 GMT

Great, thanks