ASA5505 https filtering

hi everybody,

I'd like to ask if there is a possibility to block only gmail.com. Gmail uses HTTPS. I don't want to block google.com, and I need to pass a few HTTPS web sites.

Maybe it will be better if I block all HTTPS flow and pass only a few HTTPS web sites.

thanks

Robert


10 Replies

julomban

Robert,

You can filter connection requests that originate outbound. Although you can use an access list in order to prevent outbound access to specific content servers, it is difficult to manage usage this way because of the size and dynamic nature of the Internet: a regular ACL can block the gmail.com IP address (whatever it resolves to on nslookup), but if the IP changes (most likely) then the ASA allows gmail to go through.

You can simplify configuration and improve security appliance performance with the use of a separate server that runs an Internet filtering product such as Websense or N2H2.

The CSC module also offers URL content filtering features that can block HTTPS requests.

Regards,

Juan Lombana

Please rate helpful posts.

hi Juan,

thanks for your answer, but the CSC module is not suitable for the ASA5505.

regards

Robert

Robert,

I am sorry I forgot for a second that you have an ASA5505. Then your best option is a websense device doing deep HTTPS filtering.

Regards,

Juan Lombana

Please rate helpful posts.

Juan,

so we've got 2 options:

1. pricier: purchase of a Websense device

or

2. cheaper: creating an ACL and checking the gmail.com IP address every day.

regards

Robert

Hi,

In the newer ASA software it's possible to configure the ASA to do DNS lookups and use an FQDN in the access-list.

The ASA will then update the IP addresses every now and then in the access-list rule that uses the FQDN.

Though this is not a very efficient way to block the site by itself.

- Jouni

hi Jouni,

I use the newest version of the ASA software (9.0.1).

could you tell me how to configure it in a few steps?

Hi,

The very simplest version would be this.

I configured this on my home ASA just now:

  • WAN = my "outside" interface
  • LAN-IN = my local LANs interface ACL

! Let the ASA resolve names through the outside interface
dns domain-lookup WAN
dns server-group DefaultDNS
 name-server x.x.x.x
 name-server y.y.y.y
! FQDN network object; the ASA resolves it and expands the ACL entry to host addresses
object network GMAIL
 fqdn gmail.google.com
! Deny LAN traffic to the resolved addresses (line 1 so it is evaluated first)
access-list LAN-IN line 1 deny ip any object GMAIL

show access-list LAN-IN
access-list LAN-IN line 1 extended deny ip any object GMAIL 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any fqdn gmail.google.com (resolved) 0x14e1856b
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.39 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.40 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.34 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.32 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.41 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.33 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.36 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.35 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.38 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.37 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.46 (gmail.google.com) (hitcnt=0) 0x6eafaae2

Though I kind of have a feeling this might block something you are not wanting to block.

I guess some solution might be to block DNS replies from coming in when the host queries for the gmail DNS name.

- Jouni
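The two posts above describe the mechanism: the ASA resolves the FQDN object, rewrites the ACL entry as one host entry per returned address, and re-resolves later. The small model below is an added example for this thread, not Cisco code and not anything Jouni posted. It parses output of the shape shown above (two of the host lines are copied from it), answers whether a destination address is currently denied, simulates a re-resolution, and checks which other names share addresses with the deny set, which is the collateral-blocking concern raised here. The second Gmail address and the www.google.com mapping are constructed sample data, and the refresh ignores TTL timing.

```python
"""Model of how an ASA expands an FQDN network object inside an ACL.

Added example for this thread; it is not Cisco code or anything Jouni posted.
"""
import ipaddress
import re

# Two host lines copied from Jouni's 'show access-list LAN-IN' output; the
# remaining addresses are omitted to keep the sample short.
SHOW_ACCESS_LIST = """\
access-list LAN-IN line 1 extended deny ip any object GMAIL 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any fqdn gmail.google.com (resolved) 0x14e1856b
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.39 (gmail.google.com) (hitcnt=0) 0x6eafaae2
  access-list LAN-IN line 1 extended deny ip any host 173.194.32.40 (gmail.google.com) (hitcnt=0) 0x6eafaae2
"""

# One expanded entry looks like: 'deny ip any host <ip> (<fqdn>)'
HOST_LINE = re.compile(r"deny ip any host (\S+) \(([^)]+)\)")


def parse_expanded_acl(text):
    """Return {fqdn: set of resolved addresses} from 'show access-list' output."""
    expanded = {}
    for line in text.splitlines():
        m = HOST_LINE.search(line)
        if not m:
            continue  # the object and fqdn summary lines carry no address
        addr, fqdn = m.groups()
        ipaddress.ip_address(addr)  # raises ValueError on a malformed address
        expanded.setdefault(fqdn, set()).add(addr)
    return expanded


def is_denied(dst_ip, expanded):
    """Return the FQDN whose current expansion denies dst_ip, else None."""
    for fqdn, addrs in expanded.items():
        if dst_ip in addrs:
            return fqdn
    return None


def refresh(expanded, fqdn, dns_answers):
    """Simulate the ASA re-resolving fqdn: the entry is rebuilt from the new
    answers, so addresses DNS no longer returns drop out of the deny set.
    Assumption: the real ASA times this by record TTL; timing is ignored here."""
    updated = dict(expanded)
    updated[fqdn] = set(dns_answers)
    return updated


def collateral(expanded, other_sites):
    """Names from other_sites ({name: set of addresses}) that share at least one
    address with the deny set and would therefore be blocked as a side effect."""
    denied = set().union(*expanded.values()) if expanded else set()
    return sorted(name for name, addrs in other_sites.items() if addrs & denied)


def main():
    acl = parse_expanded_acl(SHOW_ACCESS_LIST)
    print("denied now:", acl)
    print("173.194.32.39 denied by:", is_denied("173.194.32.39", acl))
    # Constructed: Gmail starts answering with an address the ASA has not seen yet.
    new_ip = "173.194.32.50"
    print(new_ip, "denied before refresh:", is_denied(new_ip, acl))
    acl2 = refresh(acl, "gmail.google.com", {new_ip})
    print(new_ip, "denied after refresh:", is_denied(new_ip, acl2))
    print("173.194.32.39 still denied:", is_denied("173.194.32.39", acl2))
    # Constructed: another Google name resolving to a shared front-end address.
    print("collateral:", collateral(acl, {"www.google.com": {"173.194.32.39"}}))


if __name__ == "__main__":
    main()
```

Running it shows the two failure modes the thread circles around: a newly returned address passes until the ASA happens to re-resolve, and any other name that lands on a shared address is blocked along with Gmail.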

Jouni,

but in this way won't we block all of google.com?

Robert

Hi,

In cases like Google or Facebook I'm afraid this won't be that good a solution, or might not even work that well.

And usually there is some way around it anyway.

- Jouni

julomban

Robert,

In the end the ASA is not your best option to block based on URLs. A URL filtering device such as Websense is your best option; I know it is expensive, however it is designed for this type of blocking.

Regards,

Juan Lombana

Please rate helpful posts.
