ASA5505 https filtering

hi everybody,

I'd like to ask if it is possible to block only gmail.com. Gmail uses HTTPS. I don't want to block google.com, and I need to pass a few HTTPS web sites.

Maybe it would be better if I block all HTTPS flow and pass only a few HTTPS web sites.

thanks

Robert


Participant

ASA5505 https filtering

Robert,

You can filter connection requests that originate outbound. Although you can use an access list in order to prevent outbound access to specific content servers, it is difficult to manage usage this way because of the size and dynamic nature of the Internet. A regular ACL can block the gmail.com IP address (whatever resolves on the nslookup), but if the IP changes (most likely) then the ASA allows gmail to go through.

You can simplify configuration and improve security appliance performance with the use of a separate server that runs an Internet filtering product such as Websense or N2H2.

The CSC module also offers URL content filtering features that can block HTTPS requests.

Regards,

Juan Lombana

Please rate helpful posts.

ASA5505 https filtering

hi Juan,

thanks for your answer, but the CSC module is not suitable for the ASA5505.

regards

Robert

Participant (Accepted Solution)

ASA5505 https filtering

Robert,

I am sorry I forgot for a second that you have an ASA5505. Then your best option is a websense device doing deep HTTPS filtering.

Regards,

Juan Lombana

Please rate helpful posts.


ASA5505 https filtering

Juan,

so we've got 2 options:

1. pricier: purchase of a websense device

or

2. cheaper: creating an ACL and checking the gmail.com IP address every day.

regards

Robert

Mentor

Re: ASA5505 https filtering

Hi,

In the newer ASA software it's possible to configure the ASA to do DNS lookups and use an FQDN in the access-list.

The ASA will then update the IP address every now and then in the access-list rule using the FQDN.

Though this is not a very efficient way to block the site by itself.

- Jouni

ASA5505 https filtering

hi Jouni,

I use the newest version of the ASA software (9.0.1).

could you tell me how to configure it in a few steps?

Mentor

Re: ASA5505 https filtering

Hi,

The very simplest version would be this. I configured this on my home ASA just now:

  • WAN = my "outside" interface
  • LAN-IN = my local LANs interface ACL

dns domain-lookup WAN
dns server-group DefaultDNS
 name-server x.x.x.x
 name-server y.y.y.y
object network GMAIL
 fqdn gmail.google.com
access-list LAN-IN line 1 deny ip any object GMAIL

show access-list LAN-IN

access-list LAN-IN line 1 extended deny ip any object GMAIL 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any fqdn gmail.google.com (resolved) 0x14e1856b
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.39 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.40 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.34 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.32 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.41 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.33 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.36 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.35 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.38 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.37 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.46 (gmail.google.com) (hitcnt=0) 0x6eafaae2

Though I kinda have a feeling this might block something you are not wanting to block.

I guess some solution might be to block DNS replies from coming in when the host queries for the gmail DNS name.

- Jouni
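The two concerns raised in this thread, an FQDN rule silently blocking addresses that google.com also uses, and a static ACL drifting out of date if you "check the IPs every day", can both be checked from the `show access-list` output the ASA produces. The script below is an added example, not code from the thread or from Cisco: it parses the expanded FQDN lines in the format Jouni posted, reports the addresses the rule currently covers and their hit counts, flags overlap with another name's resolved addresses, and diffs the ASA's view against a fresh DNS answer. The embedded `show` output is a shortened copy of the one above with one hit count changed to 3; the www.google.com address set and the object-group name `GMAIL_STATIC` are constructed placeholders, not live data.

```python
"""Check a Cisco ASA FQDN ACL expansion for collateral blocking and drift.
Added example for this thread; not Cisco's code and not the poster's."""
import ipaddress
import re
from collections import namedtuple
from typing import Dict, List, Set, Tuple

# Constructed sample: shortened copy of Jouni's `show access-list LAN-IN`
# output, with one hitcnt changed to 3 so hit reporting is visible.
SHOW_ACCESS_LIST = """\
access-list LAN-IN line 1 extended deny ip any object GMAIL 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any fqdn gmail.google.com (resolved) 0x14e1856b
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.39 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.40 (gmail.google.com) (hitcnt=3) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.34 (gmail.google.com) (hitcnt=0) 0x6eafaae2
"""

Entry = namedtuple("Entry", "acl line action proto src host fqdn hitcnt")

# Matches one expanded per-address line; the trailing 0x... hash is ignored.
# The object line and the "(resolved)" summary line do not match on purpose.
EXPANDED_RE = re.compile(
    r"^\s*access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) host (?P<host>\d+(?:\.\d+){3}) "
    r"\((?P<fqdn>[^)]+)\) \(hitcnt=(?P<hitcnt>\d+)\)"
)


def parse_expansion(output: str) -> List[Entry]:
    """Return the per-address entries the ASA derived from FQDN objects."""
    entries = []
    for raw in output.splitlines():
        m = EXPANDED_RE.match(raw)
        if m:
            g = m.groupdict()
            entries.append(Entry(g["acl"], int(g["line"]), g["action"], g["proto"],
                                 g["src"], g["host"], g["fqdn"], int(g["hitcnt"])))
    return entries


def addresses_for(entries: List[Entry], fqdn: str) -> Set[str]:
    """Addresses the ASA currently associates with one FQDN."""
    return {e.host for e in entries if e.fqdn == fqdn}


def hits_for(entries: List[Entry], fqdn: str) -> Dict[str, int]:
    """Per-address hit counts: shows whether the rule is matching anything at all."""
    return {e.host: e.hitcnt for e in entries if e.fqdn == fqdn}


def collateral(blocked: Set[str], other_resolved: Set[str]) -> Set[str]:
    """Addresses the rule blocks that another name (e.g. www.google.com) also
    resolves to. Non-empty means blocking Gmail also blocks that other name."""
    return blocked & other_resolved


def acl_drift(asa_addresses: Set[str], dns_now: Set[str]) -> Tuple[Set[str], Set[str]]:
    """For the manual 'check the IPs every day' option: addresses a static ACL
    would need added (new in DNS) and addresses that are stale (gone from DNS)."""
    return dns_now - asa_addresses, asa_addresses - dns_now


def host_objects(name: str, addresses: Set[str]) -> List[str]:
    """Render a static object-group (hypothetical name) for the current set."""
    lines = [f"object-group network {name}"]
    lines += [f" network-object host {ip}"
              for ip in sorted(addresses, key=ipaddress.ip_address)]
    return lines


if __name__ == "__main__":
    entries = parse_expansion(SHOW_ACCESS_LIST)
    gmail = addresses_for(entries, "gmail.google.com")
    print("blocked for gmail.google.com:", sorted(gmail, key=ipaddress.ip_address))
    print("hit counts:", hits_for(entries, "gmail.google.com"))
    # Constructed: pretend www.google.com resolved to these two addresses.
    www_google = {"173.194.32.40", "173.194.32.50"}
    print("also used by www.google.com:", sorted(collateral(gmail, www_google)))
    # Constructed: pretend today's DNS answer dropped .40 and added .99.
    add, stale = acl_drift(gmail, {"173.194.32.39", "173.194.32.34", "173.194.32.99"})
    print("add:", sorted(add), "stale:", sorted(stale))
    print("\n".join(host_objects("GMAIL_STATIC", gmail)))
```

To use it against a real box, paste the output of `show access-list <name>` into `SHOW_ACCESS_LIST` and replace the constructed sets with the results of your own lookups of the names you want to keep reachable. A non-empty `collateral` set is the concrete form of Robert's objection; a non-empty drift result is why Jouni calls the static-ACL approach inefficient.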

ASA5505 https filtering

Jouni,

but in this way won't we block all the google.com?

Robert

Mentor

ASA5505 https filtering

Hi,

In cases like Google or Facebook I'm afraid this won't be that good a solution, or might not even work that well.

And usually there is some way around it anyway.

- Jouni

Participant

ASA5505 https filtering

Robert,

In the end, the ASA is not your best option to block based on URLs. A URL filtering device such as Websense is your best option. I know it is expensive; however, it is designed for this type of blocking.

Regards,

Juan Lombana

Please rate helpful posts.
