12-06-2012 06:26 AM - edited 03-11-2019 05:33 PM
hi everybody,
I'd like to ask if it is possible to block only gmail.com. gmail uses https. I don't want to block google.com and I need to pass a few https web sites.
maybe it will be better when I block all https flow and pass only a few https web sites
thanks
Robert
12-06-2012 07:56 AM
Robert,
You can filter connection requests that originate outbound. Although you can use access lists in order to prevent outbound access to specific content servers, it is difficult to manage usage this way because of the size and dynamic nature of the Internet; a regular ACL can block the gmail.com IP address (whatever resolves on the nslookup), but if the IP changes (most likely) then the ASA allows gmail to go through.
You can simplify configuration and improve security appliance performance with the use of a separate server that runs Internet filtering product such as websense or N2H2.
CSC module also offers URL content filtering features that can block HTTPS request.
Regards,
Juan Lombana
Please rate helpful posts.
12-06-2012 11:45 AM
hi Juan,
thanks for your answer, but CSC module is not suitable for ASA5505.
regards
Robert
12-06-2012 11:55 AM
Robert,
I am sorry I forgot for a second that you have an ASA5505. Then your best option is a websense device doing deep HTTPS filtering.
Regards,
Juan Lombana
Please rate helpful posts.
12-06-2012 12:11 PM
Juan,
so we've got 2 options:
1. pricier: purchase of a websense device
or
2. cheaper: creating an ACL and checking the gmail.com IP address every day.
regards
Robert
12-06-2012 12:15 PM
Hi,
In the newer ASA software it's possible to configure the ASA to do DNS lookups and use FQDN in the access-list.
ASA will then update the IP address every now and then to the access-list rule using the FQDN.
Though this is not a very efficient way to block the site by itself.
- Jouni
12-06-2012 12:44 PM
hi Jouni,
I use the newest version of ASA software (9.0.1)
could you tell me how to configure it in a few steps?
12-06-2012 12:50 PM
Hi,
The very simplest version would be this
I configured this on my home ASA just now
dns domain-lookup WAN
dns server-group DefaultDNS
name-server x.x.x.x
name-server y.y.y.y
object network GMAIL
fqdn gmail.google.com
access-list LAN-IN line 1 deny ip any object GMAIL
show access-list LAN-IN
access-list LAN-IN line 1 extended deny ip any object GMAIL 0x6eafaae2
access-list LAN-IN line 1 extended deny ip any fqdn gmail.google.com (resolved) 0x14e1856b
access-list LAN-IN line 1 extended deny ip any host 173.194.32.39 (gmail.google.com) (hitcnt=0) 0x6eafaae2
access-list LAN-IN line 1 extended deny ip any host 173.194.32.40 (gmail.google.com) (hitcnt=0) 0x6eafaae2
access-list LAN-IN line 1 extended deny ip any host 173.194.32.34 (gmail.google.com) (hitcnt=0) 0x6eafaae2
access-list LAN-IN line 1 extended deny ip any host 173.194.32.32 (gmail.google.com) (hitcnt=0) 0x6eafaae2
access-list LAN-IN line 1 extended deny ip any host 173.194.32.41 (gmail.google.com) (hitcnt=0) 0x6eafaae2
access-list LAN-IN line 1 extended deny ip any host 173.194.32.33 (gmail.google.com) (hitcnt=0) 0x6eafaae2
access-list LAN-IN line 1 extended deny ip any host 173.194.32.36 (gmail.google.com) (hitcnt=0) 0x6eafaae2
access-list LAN-IN line 1 extended deny ip any host 173.194.32.35 (gmail.google.com) (hitcnt=0) 0x6eafaae2
access-list LAN-IN line 1 extended deny ip any host 173.194.32.38 (gmail.google.com) (hitcnt=0) 0x6eafaae2
access-list LAN-IN line 1 extended deny ip any host 173.194.32.37 (gmail.google.com) (hitcnt=0) 0x6eafaae2
access-list LAN-IN line 1 extended deny ip any host 173.194.32.46 (gmail.google.com) (hitcnt=0) 0x6eafaae2
Though I kinda have a feeling this might block something you are not wanting to block.
I guess some solution might be to block DNS replies from coming in when the host queries for the gmail DNS name.
- Jouni
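The FQDN object above is convenient, but the two things you really want to verify are the ones raised in this thread: which host addresses the ACE actually expands to (and whether they are shared with other Google names, so the deny over-blocks), and whether the expansion has gone stale against what DNS answers now (Juan's point about changing IPs). The following is an added example, not code from the thread or from Cisco: a small Python script that parses the `show access-list` output format shown in Jouni's post, checks the expanded host set for drift against a current DNS answer, and reports collateral overlap with other names. The DNS answers and the "other names" sets are constructed for illustration and make no claim about real Google addressing.

```python
import re
from ipaddress import ip_address

# Expanded-host ACE lines as printed by `show access-list` on ASA 9.x when an
# ACE references an FQDN network object (format taken from the post above).
ACE_HOST_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<src>\S+) host (?P<ip>[\d.]+) "
    r"\((?P<fqdn>[^)]+)\) \(hitcnt=(?P<hits>\d+)\)"
)

# Sample output: the first lines of the `show access-list LAN-IN` output from
# the post (constructed excerpt, only the first four resolved hosts kept).
SAMPLE_SHOW = """\
access-list LAN-IN line 1 extended deny ip any object GMAIL 0x6eafaae2
access-list LAN-IN line 1 extended deny ip any fqdn gmail.google.com (resolved) 0x14e1856b
access-list LAN-IN line 1 extended deny ip any host 173.194.32.39 (gmail.google.com) (hitcnt=0) 0x6eafaae2
access-list LAN-IN line 1 extended deny ip any host 173.194.32.40 (gmail.google.com) (hitcnt=0) 0x6eafaae2
access-list LAN-IN line 1 extended deny ip any host 173.194.32.34 (gmail.google.com) (hitcnt=0) 0x6eafaae2
access-list LAN-IN line 1 extended deny ip any host 173.194.32.32 (gmail.google.com) (hitcnt=0) 0x6eafaae2
"""

# Constructed "current DNS answer" for the name: one address from the ACL has
# disappeared (.32) and one new one appeared (.50). Not real resolution data.
CONSTRUCTED_DNS_NOW = {"173.194.32.39", "173.194.32.40", "173.194.32.34", "173.194.32.50"}

# Constructed resolution sets for names you do NOT want to block. The overlap
# on .34 is invented to illustrate the over-blocking concern in the thread.
CONSTRUCTED_OTHER = {
    "www.google.com": {"173.194.32.34", "173.194.32.99"},
    "drive.google.com": {"173.194.32.77"},
}


def parse_fqdn_hosts(show_output):
    """Return {fqdn: {ip, ...}} for every expanded host ACE; object/fqdn summary lines are skipped."""
    resolved = {}
    for line in show_output.splitlines():
        m = ACE_HOST_RE.match(line.strip())
        if m:
            resolved.setdefault(m["fqdn"], set()).add(m["ip"])
    return resolved


def acl_drift(acl_ips, dns_ips):
    """Compare the ACL's expanded hosts with what DNS answers now.

    'stale' = still denied by the ACE but no longer returned by DNS;
    'new'   = returned by DNS but not (yet) covered by the ACE.
    """
    return {
        "stale": sorted(acl_ips - dns_ips, key=ip_address),
        "new": sorted(dns_ips - acl_ips, key=ip_address),
    }


def collateral(blocked_ips, other_resolutions):
    """Which other names share an address with the denied set (and would be cut off too)."""
    return {
        name: sorted(ips & blocked_ips, key=ip_address)
        for name, ips in other_resolutions.items()
        if ips & blocked_ips
    }


if __name__ == "__main__":
    hosts = parse_fqdn_hosts(SAMPLE_SHOW)
    gmail = hosts["gmail.google.com"]
    print("ACE currently denies:", sorted(gmail, key=ip_address))
    print("drift vs. DNS now:", acl_drift(gmail, CONSTRUCTED_DNS_NOW))
    print("collateral blocking:", collateral(gmail, CONSTRUCTED_OTHER))
```

Run it after pasting a real `show access-list` into SAMPLE_SHOW and replacing the constructed sets with actual lookups; any name that shows up under "collateral blocking" is one the deny will hit as well, and a non-empty "new" list means traffic to that address is passing until the ASA refreshes the object.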
12-06-2012 01:08 PM
Jouni,
but in this way won't we block all the google.com?
Robert
12-06-2012 01:12 PM
Hi,
In cases like Google or Facebook I'm afraid this won't be that good a solution or might not even work that well.
And usually there is some way around it anyway
- Jouni
12-06-2012 01:25 PM
Robert,
In the end, the ASA is not your best option to block based on URLs. A URL filtering device such as websense is your best option; I know it is expensive, however it is designed for this type of blocking.
Regards,
Juan Lombana
Please rate helpful posts.