https://community.cisco.com/t5/network-security/restriction-of-web-sites/m-p/1205142#M835662 <HTML><HEAD></HEAD><BODY><P>I believe you can only block certain websites, rather than allow certain websites, therefore regexp is no use to you really.</P><P>REGEXP config example here:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml" target="_blank">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml</A></P><P></P><P></P><P>Only other option (and it costs) is to purchase a CSC-SSM module. More info here:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6823/product_data_sheet0900aecd80402e4f_ps6120_Products_Data_Sheet.html" target="_blank">http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6823/product_data_sheet0900aecd80402e4f_ps6120_Products_Data_Sheet.html</A></P><P></P><P>Good luck <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Fri, 15 May 2009 13:44:58 GMT handsy 2009-05-15T13:44:58Z https://community.cisco.com/t5/network-security/restriction-of-web-sites/m-p/1205141#M835660 <P>Greetings, All.</P><P></P><P>Due to a *very* stringent security policy, the users behind a specific ASA 5505 (v 8.04) will only be allowed to access a limited number of web sites. For simplicities sake, let's just say they can only access <A class="jive-link-custom" href="http://www.espn.com" target="_blank">www.espn.com</A> and <A class="jive-link-custom" href="http://www.yahoo.com," target="_blank">www.yahoo.com,</A> and nothing else. </P><P></P><P>I've monkeyed with the configs a bit and haven't had any luck. I've attached the config with which I've tried to make this happen. Perhaps I'm close? Is my access list jacked? With this config, everything is blocked...including espn and yahoo. Not exactly what I want. </P><P></P><P>URL filtering is not an option as WebSense will be too costly. </P><P></P><P>I do know that you can keep users from visiting specific sites (gambling, porn, etc;), but what if you want to keep the users from visiting any site except maybe 1 or 2?</P><P></P><P>Thanks in advance. </P><P></P><P> </P><P></P> Mon, 11 Mar 2019 15:32:50 GMT https://community.cisco.com/t5/network-security/restriction-of-web-sites/m-p/1205141#M835660 cavemanbobby 2019-03-11T15:32:50Z https://community.cisco.com/t5/network-security/restriction-of-web-sites/m-p/1205142#M835662 <HTML><HEAD></HEAD><BODY><P>I believe you can only block certain websites, rather than allow certain websites, therefore regexp is no use to you really.</P><P>REGEXP config example here:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml" target="_blank">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml</A></P><P></P><P></P><P>Only other option (and it costs) is to purchase a CSC-SSM module. More info here:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6823/product_data_sheet0900aecd80402e4f_ps6120_Products_Data_Sheet.html" target="_blank">http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6823/product_data_sheet0900aecd80402e4f_ps6120_Products_Data_Sheet.html</A></P><P></P><P>Good luck <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Fri, 15 May 2009 13:44:58 GMT https://community.cisco.com/t5/network-security/restriction-of-web-sites/m-p/1205142#M835662 handsy 2009-05-15T13:44:58Z https://community.cisco.com/t5/network-security/restriction-of-web-sites/m-p/1205143#M835665 <HTML><HEAD></HEAD><BODY><P>You can limit where people go with regex and class maps. I have a handful of users that are only allowed to go to certain sites, and here's what I did:</P><P></P><P>Create your acl:</P><P></P><P>access-list RESTRICTED permit ip host 192.168.1.5 any</P><P></P><P>Match that ACL:</P><P></P><P>class-map RESTRICTED</P><P>match access-list RESTRICTED</P><P></P><P>Create your regex:</P><P></P><P>regex espn "\.espn\.com"</P><P></P><P>Create your regex class-map:</P><P></P><P>class-map type regex match-any Internet_Allowed</P><P>match regex espn</P><P></P><P>Inspect the regex class map, but only allow what DOESN'T match:</P><P></P><P>class-map type inspect http match-all INTERNET_RESTRICTED</P><P> match not request header host regex class Internet_Allowed</P><P></P><P>Create a policy map to perform actions on above:</P><P></P><P>policy-map type inspect http RESTRICTED_INTERNET</P><P>class INTERNET_RESTRICTED</P><P> reset log</P><P></P><P>(The reset above will reset any connection that DOESN'T match your regex. It allows only espn.com.)</P><P></P><P>Then create a policy to apply to the inside interface:</P><P></P><P>policy-map INSIDE</P><P>class RESTRICTED</P><P>inspect http RESTRICTED_INTERNET</P><P></P><P>(The class above matches the acl for your hosts, and the it applies the other policy map RESTRICTED_INTERNET to scan against your acl.)</P><P></P><P>HTH,</P><P>John</P></BODY></HTML> Fri, 15 May 2009 14:46:43 GMT https://community.cisco.com/t5/network-security/restriction-of-web-sites/m-p/1205143#M835665 John Blakley 2009-05-15T14:46:43Z