10-21-2012 04:25 PM - edited 03-11-2019 05:12 PM
Hi everybody,
I use an ASA 5510 and I want to block some URLs:
192.168.2.70 to 79: allow everything
192.168.2.80 to 89: block Facebook, MySpace, Twitter
192.168.2.90 to 99: block Facebook, MySpace, Twitter, YouTube, Dailymotion
192.168.2.100 to 199: deny everything
10-21-2012 06:32 PM
Here we go:
regex domainFacebook "\.facebook\.com"
regex domainMyspace "\.myspace\.com"
regex domainTwitter "\.twitter\.com"
regex domainYoutube "\.youtube\.com"
regex domainDailymotion "\.dailymotion\.com"

class-map type regex match-any block-for-80-to-89
 match regex domainFacebook
 match regex domainMyspace
 match regex domainTwitter
class-map type regex match-any block-for-90-to-99
 match regex domainFacebook
 match regex domainMyspace
 match regex domainTwitter
 match regex domainYoutube
 match regex domainDailymotion

class-map type inspect http match-all block-80-89-class
 match request header host regex class block-for-80-to-89
class-map type inspect http match-all block-90-99-class
 match request header host regex class block-for-90-to-99

access-list match-80-89-acl permit tcp 192.168.2.80 255.255.255.248 any eq 80
access-list match-80-89-acl permit tcp 192.168.2.88 255.255.255.254 any eq 80
access-list match-90-99-acl permit tcp 192.168.2.90 255.255.255.254 any eq 80
access-list match-90-99-acl permit tcp 192.168.2.92 255.255.255.252 any eq 80
access-list match-90-99-acl permit tcp 192.168.2.96 255.255.255.252 any eq 80

class-map httptraffic80-89
 match access-list match-80-89-acl
class-map httptraffic90-99
 match access-list match-90-99-acl

policy-map type inspect http http_inspection_policy_80-89
 class block-80-89-class
  reset log
policy-map type inspect http http_inspection_policy_90-99
 class block-90-99-class
  reset log

policy-map inside-policy
 class httptraffic80-89
  inspect http http_inspection_policy_80-89
 class httptraffic90-99
  inspect http http_inspection_policy_90-99

service-policy inside-policy interface inside
Please kindly be advised that this is only for HTTP (not for HTTPS, as HTTPS is encrypted so it won't see the URL, therefore it can't be blocked).
On the inside ACL that is applied to the inside interface, you would also need to add the following:
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
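As an added example (not part of the thread or Cisco's configuration), the script below does two things the answer above did by hand: it splits an arbitrary inclusive address range such as .80-.89 into the fewest subnet/mask pairs and prints the matching ASA access-list entries, and it applies the answer's Host-header regex form to sample hostnames so you can see what the class-maps will and will not catch. ACL names other than the answer's two and all sample hostnames are constructed for illustration.

```python
import ipaddress
import re

# Constructed from the thread's requirements; the regex shape is copied from
# the answer's "regex domainX" lines (leading escaped dot, trailing .com).
BLOCK_SETS = {
    "80-89": (("192.168.2.80", "192.168.2.89"),
              ["facebook", "myspace", "twitter"]),
    "90-99": (("192.168.2.90", "192.168.2.99"),
              ["facebook", "myspace", "twitter", "youtube", "dailymotion"]),
}


def acl_lines(name, action, first, last, port=None):
    """Cover the inclusive range first..last with the fewest subnet/mask
    pairs (as the answer did for .80-.89 -> /29 + /31) and emit one ASA
    access-list entry per subnet. port=None means any IP traffic."""
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                             ipaddress.ip_address(last))
    proto = "tcp" if port else "ip"
    tail = f" eq {port}" if port else ""
    return [f"access-list {name} {action} {proto} "
            f"{n.network_address} {n.netmask} any{tail}" for n in nets]


def host_regex(domain):
    """Same shape as the answer's regex, e.g. '\\.facebook\\.com'."""
    return r"\." + re.escape(domain) + r"\.com"


def is_blocked(host, domains):
    """Emulate 'class-map type regex match-any' on the Host header: any
    unanchored hit blocks. A bare 'facebook.com' Host header has no leading
    dot, so it does NOT match the answer's regexes (check before relying on it)."""
    return any(re.search(host_regex(d), host) for d in domains)


if __name__ == "__main__":
    for label, ((first, last), domains) in BLOCK_SETS.items():
        print("\n".join(acl_lines(f"match-{label}-acl", "permit", first, last, 80)))
        for h in ("www.facebook.com", "facebook.com", "m.youtube.com"):
            print(f"  {label} {h}: {'RESET' if is_blocked(h, domains) else 'pass'}")
    # The OP's last rule (.100-.199 deny everything); ACL name is constructed.
    print("\n".join(acl_lines("deny-100-199-acl", "deny",
                              "192.168.2.100", "192.168.2.199")))
```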
10-21-2012 05:20 PM
Duplicate post.
Here is the same answer from the other post:
Here is a sample configuration that you can follow to block URLs using regular expressions:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
Hope that helps.
10-21-2012 05:43 PM
Hi Jennifer,
Thank you for your reply. However, I have already seen this article and I have followed the steps, but I want to block all IP addresses of my networks. Can you be more specific?
Thank you
10-21-2012 06:38 PM
I am not in front of my ASA right now; I am going to use your config tomorrow and get back to you.
Thanks a lot for your help.
10-21-2012 06:39 PM
No problem, let us know how it goes tomorrow.
10-26-2012 06:35 AM
Hi Jennifer,
Thanks a lot for your support.
10-26-2012 06:41 AM
No problem...