Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1871
Views
0
Helpful
4
Replies

URL Filtering on SSL-RAVPN User FDM 6.2.3

Yuslivan
Level 1
Level 1

‎07-08-2019 06:49 AM - edited ‎02-21-2020 09:17 AM

I already done the SSL VPN Remote Access setup, and user already can connect to inside network and access the internet following the company network (I dont use split tunnel for that connectivity). 

 

i enable the NAT Exempt and inside interface all inside zone interface.

 

I already set up the access control, to block some website, here my access control configuration

source :

- zone = outside

- address = object network user vpn (50.x/24) 

- port = ANY

destination : 

- zone = ANY

- address = ANY

- port = ANY

application : 

- youtube

url filtering : 

- object url : https://youtube.com, https://twitter.com

action : block

 

But user vpn still can access twitter and youtube.

is there any solution for this case?

 

thanks

1 person had this problem
0 Helpful
4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

‎07-08-2019 03:54 PM

Make sure the VPN IP address have access rules

 

here is the example video how you can block the URLS

 

https://www.youtube.com/watch?v=VA2S5h3zeVc

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to balaji.bandi

‎07-08-2019 07:32 PM

@balaji.bandi I believe both youtube.com and twitter.com use both HTTP Strict Transport Security (HSTS) and Public Key Pinning (PKP). We can confirm this in Chrome via the query box at chrome://net-internals/#hsts

This creates a problem for a middleware box like Firepower since it cannot reliably intercept the traffic. For example, certificate SNI inspection doesn't work since yourtube.com uses *.google.com as its certificate.

The best and much more reliable way to block these clients is to use Cisco Umbrella which works by preventing the sites' DNS resolution and instead redirecting the client to a block page.

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to Marvin Rhoads

‎07-09-2019 12:22 AM

@Marvin Rhoads i can understand what you saying, but if the VPN Terminate in to FTD, (if the user do no have umbrella or other DNS Sec solution) - can we achieve this using ACL filtering with FQDN ( as per my understand FTD support this feature)

 

I do agree the video is bit away from this issue, The video just given example to understand how one can filter.

 

what would be the soluition or best approach, happy to hear / listen and understand what iam missing here ?

 

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to balaji.bandi

‎07-11-2019 08:16 AM - edited ‎07-11-2019 08:18 AM

Sorry for the delay - I had on my list to test this. I just checked it in my lab and found that www.twitter.com and www.youtube.com were blocked just fine with a URL filtering ACP rule.

I noticed the original post had "youtube" application in the policy. When my client was blocked it was categorized as simply "https" application and "ssl client".

Here're the working policy and results for me:

ACP Rule blocking URLs.PNGBlock results.PNG

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card