
ASA 5505 : how to block certain URL on certain users

chinyitee
Level 1

Dear experts,

I am using an ASA5505 and I would like to block certain websites such as facebook.com for some users only.

Any idea how to do it?

Many thanks in advance and best regards!

Tee


Julio Carvajal
VIP Alumni

MPF and Regex will do it for you, man.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

MPF and Regex will work for HTTP traffic, not HTTPS, since MPF cannot read the contents of the encrypted packets.

You want to do this on the DNS lookups level but if you do it on your DNS server, you can block Facebook access for everyone by pointing an A-record of www.facebook.com to 127.0.0.1 or another non-routable IP address...

For best results, you need a URL filtering solution or application firewall, ex: ASA-CX, Cisco WSA, Websense or several others...

Something you can consider is identity-firewall combined with FQDN ACL:

As of 8.4(2) you can configure identity firewall so you can add access-list with Microsoft Active Directory usernames or groups instead of IP addresses:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_idfw.html

You can also create network objects with FQDNs, ex: www.facebook.com, instead of IP addresses and run DNS lookups from the ASA to resolve that. The issue here is that several websites are dynamic in nature and reply with DNS records that have a very short time to live, so use with care. You should take a look at this document:

https://supportforums.cisco.com/docs/DOC-17014

Hope that helps,

Patrick
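
The identity-firewall plus FQDN ACL approach described in the reply above could look like the following on ASA 8.4(2) or later. This is an added example, not configuration from the original posts: the user `EXAMPLE\jdoe`, the DNS server `192.0.2.53`, and the object and ACL names are constructed placeholders, and it assumes identity firewall (AD agent and `user-identity`) is already set up per the linked 8.4 guide and that the LAN interface is named `inside`.

```cisco
! Added example with constructed values (EXAMPLE\jdoe, 192.0.2.53, object/ACL names).
! Assumes identity firewall is already configured and enabled, and that the
! LAN-facing interface is named "inside".

! Let the ASA resolve FQDN objects itself.
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.0.2.53

! FQDN network objects: the ASA fills in addresses from its own DNS lookups.
object network OBJ-FACEBOOK-WWW
 fqdn v4 www.facebook.com
object network OBJ-FACEBOOK-APEX
 fqdn v4 facebook.com

! Deny only the named AD user; all other users fall through to the permit.
! The match is on IP, so it applies to HTTP and HTTPS alike.
access-list INSIDE_IN extended deny ip user EXAMPLE\jdoe any object OBJ-FACEBOOK-WWW
access-list INSIDE_IN extended deny ip user EXAMPLE\jdoe any object OBJ-FACEBOOK-APEX
access-list INSIDE_IN extended permit ip any any

! Apply the ACL to traffic entering the inside interface.
access-group INSIDE_IN in interface inside
```

The ACL only matches the addresses the ASA itself resolved, so the short-TTL caveat from the reply applies: pointing clients and the ASA at the same DNS server keeps the two sets of answers as close as possible.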

Thanks mate, I think pointing it to 127.0.0.1 is the best option, but may I know where and how to do it?

I am very new to ASA5505 and Windows Server.

Thanks!
