We want to deny all outbound web access except to a group of about 10 whitelist URL domains on an ASA 5525-X with FirePOWER services. Is it possible to do this on the ASA without an add-on FirePower license? Will this have a significant performance impact?
It is possible to create an object within the ASA using a FQDN. To do this the ASA has to be able to resolve names.
dns domain-lookup inside
dns server-group DefaultDNS
 name-server <dns-server-ip>
Example of a FQDN object:
object network site.example.com
 fqdn site.example.com
You then put this into an ACL, e.g.:
access-list inside-in extended permit tcp object inside-networks object site.example.com eq www
Note issues will occur if a site utilises global load balancers, where your inside clients resolve site.example.com as xyz but the ASA gets the IP zyx. Also, you can't do wildcards i.e. *.microsoft.com
Ultimately, if it's really basic you can do it. Otherwise you need something designed for a web gateway.
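The answer above shows one FQDN object and one ACL line. As an added example (not from the original thread or from Cisco's documentation), here is how the same approach scales to a short allowlist on the base ASA software: one FQDN object per permitted site, collected into an object-group, permitted on both 80 and 443, with DNS allowed through and an explicit logged deny so blocked attempts are visible in syslog. The resolver address, the site names and the inside subnet are constructed placeholders, and the object and group names are assumptions, not ASA keywords.

```cisco
! DNS resolution on the ASA; 192.0.2.53 is a placeholder resolver address
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.0.2.53

! One FQDN object per permitted site (constructed sample names)
object network fqdn-www.example.com
 fqdn www.example.com
object network fqdn-cdn.example.net
 fqdn cdn.example.net

! Group the sites so the ACL stays one line as the list grows to ~10 entries
object-group network WEB_ALLOWLIST
 network-object object fqdn-www.example.com
 network-object object fqdn-cdn.example.net

! Permit both plaintext and TLS web ports
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https

! Inside client subnet (constructed)
object network inside-networks
 subnet 10.0.0.0 255.255.255.0

! Clients must still reach DNS, otherwise nothing resolves
access-list inside-in extended permit udp object inside-networks any eq domain
! Web access only to the allowlisted FQDNs
access-list inside-in extended permit tcp object inside-networks object-group WEB_ALLOWLIST object-group WEB_PORTS
! Explicit deny with logging so every blocked outbound attempt is recorded
access-list inside-in extended deny ip any any log
access-group inside-in in interface inside
```

Two points to check after applying this: `show dns` confirms the ASA itself is resolving each FQDN, and `show access-list inside-in` shows the IPs the FQDN objects expanded to; if a client resolves a name to an address the ASA has not cached (the load-balancer case from the answer), the client's connection hits the deny line and appears in the log.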
You can build one as in the example shown in the document below.
The MPF/regex-based approach doesn't require the Firepower service module at all. No special ASA license is required - just the base software.
I almost never see it in use in live networks though as it never caught on since it's so burdensome to configure.
A much more sustainable solution is to use Firepower with URL Filtering or, better yet, Cisco Umbrella.
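The MPF/regex approach mentioned above inspects the HTTP Host header rather than destination IPs, so it is not affected by the DNS-mismatch problem. As an added example (not from the original thread or from Cisco's documentation), this is the minimal form of that configuration; the site names are constructed and the regex, class-map and policy-map names are assumptions. Every HTTP request whose Host header does not match one of the allowlisted regexes is dropped and logged.

```cisco
! One regex per allowed host; dots are escaped and the match is anchored
regex ALLOW_WWW "^www\.example\.com$"
regex ALLOW_CDN "^cdn\.example\.net$"

class-map type regex match-any ALLOWED_HOSTS
 match regex ALLOW_WWW
 match regex ALLOW_CDN

! Match any HTTP request whose Host header is NOT in the allowed set
class-map type inspect http match-all NOT_ALLOWED_HOST
 match not request header host regex class ALLOWED_HOSTS

policy-map type inspect http HTTP_ALLOWLIST
 parameters
  protocol-violation action drop-connection log
 class NOT_ALLOWED_HOST
  drop-connection log

! Attach to the default global policy so port 80 traffic is inspected
policy-map global_policy
 class inspection_default
  inspect http HTTP_ALLOWLIST
```

This illustrates why the approach is burdensome: each new site means a new `regex` line plus a `match regex` line, a Host header carrying a port (`www.example.com:8080`) would not match the anchored pattern, and `inspect http` only sees plaintext HTTP, so HTTPS connections are not filtered by hostname at all. Those gaps are what the URL-filtering and Umbrella options address.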