https://community.cisco.com/t5/network-security/acl-question/m-p/996729#M918101 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Modular policy framework allow you to do that.</P><P>Please check the document below at the section HTTP inspection policy map</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/asacfg72.pdf" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/asacfg72.pdf</A></P><P></P><P>Regards</P><P></P></BODY></HTML> Thu, 19 Jun 2008 13:22:32 GMT Amadou TOURE 2008-06-19T13:22:32Z https://community.cisco.com/t5/network-security/acl-question/m-p/996726#M918098 <P>How do I create an ACL that would only allow specific sites to go through if I didn't know the IP and only know the DNS name. Say I want to allow only these two sites *.cisco.com and *.yahoo.com then block all others. Can I do that?</P><P></P><P>This is on an ASA 5510.</P> Mon, 11 Mar 2019 13:01:31 GMT https://community.cisco.com/t5/network-security/acl-question/m-p/996726#M918098 ericluoma 2019-03-11T13:01:31Z https://community.cisco.com/t5/network-security/acl-question/m-p/996727#M918099 <HTML><HEAD></HEAD><BODY><P>AFAIK this is not supported on the ASA/PIX.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Thu, 19 Jun 2008 12:33:47 GMT https://community.cisco.com/t5/network-security/acl-question/m-p/996727#M918099 Farrukh Haroon 2008-06-19T12:33:47Z https://community.cisco.com/t5/network-security/acl-question/m-p/996728#M918100 <HTML><HEAD></HEAD><BODY><P>url filtering possible in ASA using Cisco ASA 5500 Series Content Security Edition.</P><P>pls go thru this link.</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e88.html" target="_blank">http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e88.html</A></P></BODY></HTML> Thu, 19 Jun 2008 13:20:25 GMT https://community.cisco.com/t5/network-security/acl-question/m-p/996728#M918100 rangaswamy.gb 2008-06-19T13:20:25Z https://community.cisco.com/t5/network-security/acl-question/m-p/996729#M918101 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Modular policy framework allow you to do that.</P><P>Please check the document below at the section HTTP inspection policy map</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/asacfg72.pdf" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/asacfg72.pdf</A></P><P></P><P>Regards</P><P></P></BODY></HTML> Thu, 19 Jun 2008 13:22:32 GMT https://community.cisco.com/t5/network-security/acl-question/m-p/996729#M918101 Amadou TOURE 2008-06-19T13:22:32Z https://community.cisco.com/t5/network-security/acl-question/m-p/996730#M918102 <HTML><HEAD></HEAD><BODY><P>amadoutoure, how does MPF achive that? Can you expand upon your comment.</P><P></P><P>How will MPF keep track of the DNS entry of cisco.com (which say changes frequently).</P><P>Ever did a nslookup on google.com (you get multiple IPs)?</P><P></P><P>We do this on one of our Customer's Netscreen ISG tough, it supports this.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Thu, 19 Jun 2008 15:42:02 GMT https://community.cisco.com/t5/network-security/acl-question/m-p/996730#M918102 Farrukh Haroon 2008-06-19T15:42:02Z https://community.cisco.com/t5/network-security/acl-question/m-p/996731#M918103 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I'm out of office for now and I'll send a sample config as soon as I go back to office.</P><P>It will be done using regex syntax.</P><P></P><P>Regards</P><P></P></BODY></HTML> Thu, 19 Jun 2008 16:04:03 GMT https://community.cisco.com/t5/network-security/acl-question/m-p/996731#M918103 Amadou TOURE 2008-06-19T16:04:03Z https://community.cisco.com/t5/network-security/acl-question/m-p/996732#M918104 <HTML><HEAD></HEAD><BODY><P>Oh I get your point now. Thanks for waking me up now. Even tough its not as flexible as a proper filtering solution (because since we are denying based on hostname, the user can simply open the URL by IP, open google's cache etc.):</P><P></P><P>policy-map type inspect http TEST_HTTP</P><P> parameters</P><P> match request uri regex cisco.com</P><P>.....</P><P></P><P>Something like this:</P><P><A class="jive-link-custom" href="http://www.internetworkpro.org/wiki/ASA_and_PIX_using_http_inspection_to_filter_URLs_and_Hosts_in_HTTP" target="_blank">http://www.internetworkpro.org/wiki/ASA_and_PIX_using_http_inspection_to_filter_URLs_and_Hosts_in_HTTP</A></P><P></P><P> Regards</P><P></P><P>Farrukh</P><P></P><P></P></BODY></HTML> Thu, 19 Jun 2008 16:19:01 GMT https://community.cisco.com/t5/network-security/acl-question/m-p/996732#M918104 Farrukh Haroon 2008-06-19T16:19:01Z https://community.cisco.com/t5/network-security/acl-question/m-p/996733#M918105 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Right it's something like that... you have a very good point with accessing directly with IP address in URL.</P><P></P><P>But you could filter by content-type and application header and aslo deny accessing with IP address in url.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/warp/public/110/asa-8x-regex-config.html" target="_blank">http://www.cisco.com/warp/public/110/asa-8x-regex-config.html</A></P><P></P><P>However you're definitely right that it's not the finest way to filter.</P><P></P><P>Regards</P></BODY></HTML> Thu, 19 Jun 2008 16:41:52 GMT https://community.cisco.com/t5/network-security/acl-question/m-p/996733#M918105 Amadou TOURE 2008-06-19T16:41:52Z