ASA 5508X web filtering

Kt43387
Level 1

Hi All,

I need to apply web filtering for a few users in ASA 5508(7.8) on subnet 192.1683.0.

Like, from this subnet, a few users should get access to Gmail only. Another few users should get a complete block.

Please let me know the best way to achieve this.

I have a Firepower module.

Thanks

Krishna


Marvin Rhoads
Hall of Fame

Do you have the URL filtering license for your Firepower service module? That's a prerequisite to do this.

Do you know the IP addresses of the users you want to allow? You either need to know their IP addresses in advance or else have an external identity source like Cisco ISE or Firepower user agent to get that information dynamically by querying your Active Directory (AD) Domain Controllers (DCs).

Hi @Marvin Rhoads, yes, we have a Firepower module and a list of IP addresses of the users.

We simply want to create 2 objects with IP addresses and apply the filtering on them.

Since you confirmed you have a license for the SFR, the video below should be able to help you get started with a better understanding:

http://www.labminutes.com/sec0170_asa_firepower_url_web_category_filtering_1

BB

@Kt43387 wrote:

Hi @Marvin Rhoads, yes, we have a Firepower module and a list of IP addresses of the users.

We simply want to create 2 objects with IP addresses and apply the filtering on them.

You need more than just the module. You specifically need the URL Filtering license.

Hi @Marvin Rhoads, one more thing: I need to access the ASA from the outside network, i.e. the public network, over HTTPS and SSH. How can I achieve this?


Thanks

Krishna

You control ASA management access with the http and ssh commands. It's not a good idea to allow public-facing access as it makes your device a more attractive target for malicious software (hackers, script kiddies etc.).

If you absolutely must (or don't care) then use the commands as follows:

http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside

That assumes the nameif of the public interface is "outside" and that you want to allow access from any address.
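
A narrower alternative to the any-source rules above, as an added example that is not part of the original thread: management access limited to a single administrator address, with local authentication. The address 203.0.113.10 (a documentation range), the username and the password placeholder are assumptions; the interface name "outside" is taken from the reply.

```cisco
! Constructed example: 203.0.113.10 stands in for the administrator's public IP.
! HTTPS (ASDM) management: enable the server, then permit one source host.
http server enable
http 203.0.113.10 255.255.255.255 outside
! SSH management: needs an RSA key pair and an authentication method.
crypto key generate rsa modulus 2048
ssh 203.0.113.10 255.255.255.255 outside
ssh timeout 5
! Authenticate both services against the local user database.
username admin password <PLACEHOLDER-PASSWORD> privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
```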
