
Block IP range on ASA 5510 (version 8.3)

jerrybu01
Level 1

Hi everyone,

I don't know how to configure this on my IP range (192.168.172.0/24).

object network FULL-IP-INTERNET   (allow full internet)
 range 192.168.172.1 192.168.172.20
 nat (inside,outside) ...
access-list ....

object network DENY-IP-INTERNET   (limited internet)
 range 192.168.172.21 192.168.172.254
 nat (inside,outside) ...
access-list ....


Help me to complete the configuration!

Accepted Solution

Julio Carvajal
VIP Alumni

Hello Nguyen,

First of all, what is the traffic you want to restrict from the DENY-IP-INTERNET group?

Let's say you will only allow TCP port 80 traffic from that group:

nat (inside,outside) source dynamic any interface

access-list Inside_in permit ip object FULL-IP-INTERNET any
access-list Inside_in permit tcp object DENY-IP-INTERNET any eq 80
access-list Inside_in deny ip object DENY-IP-INTERNET any

access-group Inside_in in interface inside

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
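As an added example (not part of the original thread), here is the accepted answer's approach carried through as one complete 8.3 configuration for both ranges, extended with the mail ports the question also mentions and followed by the packet-tracer checks used to confirm the result. It assumes the interfaces are named inside and outside, that no other ACL is applied inbound on inside, and that the internal DNS resolver sits on the inside network, so DNS from the restricted hosts never crosses the ASA; the destination 203.0.113.10 in the checks is a placeholder from the documentation range, and the ports for mail are an assumption about what "email" means here.

```cisco
! Added example, not from the original post. Assumes interfaces inside/outside,
! an internal DNS resolver on the inside network, and 203.0.113.10 as a
! placeholder internet destination for the checks.
object network FULL-IP-INTERNET
 range 192.168.172.1 192.168.172.20
object network DENY-IP-INTERNET
 range 192.168.172.21 192.168.172.254
!
! One PAT rule for everything leaving inside. In 8.3 twice NAT this line is
! entered in global configuration mode, not under a network object.
nat (inside,outside) source dynamic any interface
!
! First match wins, so the specific permits for the restricted range sit
! above its deny. The full-access range is permitted outright.
access-list Inside_in extended permit ip object FULL-IP-INTERNET any
access-list Inside_in extended permit tcp object DENY-IP-INTERNET any eq 80
access-list Inside_in extended permit tcp object DENY-IP-INTERNET any eq 25
access-list Inside_in extended permit tcp object DENY-IP-INTERNET any eq 110
access-list Inside_in extended deny ip object DENY-IP-INTERNET any
access-group Inside_in in interface inside
!
! Verification: a restricted host should be allowed on 80 and dropped on 443.
packet-tracer input inside tcp 192.168.172.30 40000 203.0.113.10 80
packet-tracer input inside tcp 192.168.172.30 40001 203.0.113.10 443
! Hit counts per line show which entry is actually matching.
show access-list Inside_in
```

Applying an ACL inbound on inside replaces the default permit from the higher-security interface, so anything not listed, including ICMP and traffic to any other inside subnet reached through the ASA, falls to the implicit deny at the end. The first packet-tracer should finish with "Action: allow" and the second with "Action: drop" on the Inside_in deny line. If the restricted hosts resolve names through a server beyond the ASA, add a permit for UDP 53 to that server above the deny, otherwise port 80 will be open but nothing will resolve.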

10 Replies

jocamare
Level 4

What do you mean by "limited internet"?

You can have just one NAT rule for the entire subnet and then use an ACL to limit the resources they can and cannot access.

"limited internet" means the IP range (192.168.172.21 to 192.168.172.254) doesn't get full internet access; they can access some websites like "https://supportforums.cisco.com", and email.

Then you must use:

Regex with HTTP inspection or DNS inspection.

Example blocking facebook via HTTP inspection:

! Escape the dot: an unescaped "." in a regex matches any single character.
regex block_url facebook\.com

! Modify this to match the subnet.
access-list TEST extended permit tcp any any eq www

class-map type regex match-any block_url
 match regex block_url

class-map http-80
 match access-list TEST

policy-map type inspect http block_url_facebook
 parameters
 match request header host regex class block_url
  drop-connection log

policy-map global_policy
 class http-80
  inspect http block_url_facebook

! Present by default on the ASA; global_policy has no effect without it.
service-policy global_policy global

Or an ACL with FQDN...

http://blog.networkbits.es/?p=507

Those are basically your options in this scenario.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello jcarvaja,

If I want to block many web pages I have to create a lot of lines; that's not OK.

I mean, whitelist <

Get a web filter, an HTTP proxy or a CSC module for the ASA.

Hello,

You have many options to filter HTTP/HTTPS traffic on an ASA.

If you do not want to do it manually, as I said before, then you can use the CSC module, a Websense server, the ScanSafe service, or the botnet whitelist/blacklist option.

I mean, it's all up to you....

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
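The whitelist the question asks for, built on the HTTP inspection shown earlier in the thread, as an added example that is not code from the original posts: instead of one regex per blocked site, a single regex class lists the allowed Host header values and `match not` drops every cleartext HTTP request whose Host header is outside that class. Inspection is scoped to port 80 from the restricted range only. The names ALLOWED-HOSTS, RESTRICTED-HTTP, restricted-http and http-whitelist are assumptions, as is the domain flpvn.com taken as the question spelled it; the DENY-IP-INTERNET object is the one defined in the thread.

```cisco
! Added example, not from the original thread. Assumes object DENY-IP-INTERNET
! exists as defined earlier and that only cleartext HTTP (port 80) is in scope.
! Regex matches are substring matches; escape dots so "." is literal.
regex allow_cisco cisco\.com
regex allow_flpvn flpvn\.com

! Any request whose Host header matches one of these is allowed through.
class-map type regex match-any ALLOWED-HOSTS
 match regex allow_cisco
 match regex allow_flpvn

! Only HTTP from the restricted range is handed to the whitelist inspection.
access-list RESTRICTED-HTTP extended permit tcp object DENY-IP-INTERNET any eq www
class-map restricted-http
 match access-list RESTRICTED-HTTP

! "match not": drop and log every request NOT in the allowed class.
policy-map type inspect http http-whitelist
 parameters
 match not request header host regex class ALLOWED-HOSTS
  drop-connection log

policy-map global_policy
 class restricted-http
  inspect http http-whitelist
! Present by default on the ASA; shown so the policy is seen to be applied.
service-policy global_policy global
```

Two caveats a practitioner should keep in mind. The regexes are substring matches, so `cisco\.com` also matches a host such as notcisco.com; tighten the pattern if that matters. More importantly, this only sees cleartext HTTP: the Host header of an HTTPS request is inside TLS, so port 443 is not filtered by this inspection at all and must still be handled by the interface ACL (deny it for the restricted range, or permit it only to specific destinations) or by a proxy.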

You can use only one NAT statement for the whole subnet and use ACLs to limit the traffic the addresses in that range can send/receive.

If you want to allow/permit some websites, you can use URL filtering. The email thing can be done with just ACLs.


Hello jcarvaja,

ASA5510(config)# object network FULL-IP-INTERNET
ASA5510(config-network-object)# range 192.168.172.1 192.168.172.20
ASA5510(config-network-object)# nat (inside,outside) source dynamic any interface
ASA5510(config)# access-list inside_in permit ip object FULL-IP-INTERNET any
ASA5510(config)# object network DENY-IP-INTERNET
ASA5510(config-network-object)# range 192.168.172.21 192.168.172.254
ASA5510(config-network-object)# nat (inside,outside) source dynamic any interface
ASA5510(config)# access-list Inside_in permit tcp object DENY-IP-INTERNET any eq 80
ASA5510(config)# access-list inside_access_out permit tcp any any eq 25
ASA5510(config)# access-list inside_access_out permit tcp any any eq 110
ASA5510(config)# access-list Inside_in deny ip object DENY-IP-INTERNET any
ASA5510(config)# access-group Inside_in in interface inside

Is this right?

Additionally, I want IPs in the "DENY-IP-INTERNET" zone to be able to open two web pages: cisco.com and flpvn.com. How can I configure that?

Hello Nguyen,

For that, and to keep it simple, you can configure FQDN objects.

In this scenario let's say we are going to use 4.2.2.2 as the ASA's DNS server:

domain-name test.com
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 4.2.2.2
 domain-name csc.com

Then:

object network host-Cisco.com
 fqdn cisco.com
object network host-flvpn.com
 fqdn flvpn.com

access-list Inside_in line 1 permit tcp any object host-Cisco.com
access-list Inside_in line 2 permit tcp any object host-flvpn.com
access-list Inside_in line 3 deny ip object DENY-IP-INTERNET any
access-list Inside_in line 4 permit ip any any
access-group Inside_in in interface inside

Hey Nguyen, please check your inbox here on the CSC; I have sent you a message.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
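The FQDN approach from the reply above, as an added example that is not code from the original thread, scoped so that only the restricted range is limited and using flpvn.com as the question spelled the domain. It also consolidates the attempt posted earlier in the thread into a single ACL: ASA ACL names are case-sensitive, so inside_in and Inside_in there are two different lists, inside_access_out is never applied to an interface, and the twice-NAT form `nat (inside,outside) source dynamic ...` belongs in global configuration mode rather than under each object. Assumptions: the ASA reaches 4.2.2.2 through outside, the restricted clients use that same resolver (substitute theirs if not), the names ALLOWED-SITES and WEB-PORTS are made up here, and the software is 8.4(2) or later, which is where fqdn network objects and FQDN ACL entries first appear; on 8.3 itself this object form is not available.

```cisco
! Added example, not from the original post. Assumes 8.4(2)+ for fqdn objects,
! interfaces named inside/outside, and 4.2.2.2 as resolver for both the ASA and
! the restricted clients.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 4.2.2.2
! Re-resolve cached names every 10 minutes; the ACL follows the ASA's answers.
dns expire-entry-timer minutes 10
!
object network FULL-IP-INTERNET
 range 192.168.172.1 192.168.172.20
object network DENY-IP-INTERNET
 range 192.168.172.21 192.168.172.254
object network host-cisco.com
 fqdn cisco.com
object network host-flpvn.com
 fqdn flpvn.com
object-group network ALLOWED-SITES
 network-object object host-cisco.com
 network-object object host-flpvn.com
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
!
! One PAT rule for the whole inside network, in global configuration mode.
nat (inside,outside) source dynamic any interface
!
! First match wins: the permits for the restricted range go above its deny.
! DNS to the resolver is permitted explicitly, otherwise the deny blocks it.
access-list Inside_in extended permit ip object FULL-IP-INTERNET any
access-list Inside_in extended permit udp object DENY-IP-INTERNET host 4.2.2.2 eq 53
access-list Inside_in extended permit tcp object DENY-IP-INTERNET object-group ALLOWED-SITES object-group WEB-PORTS
access-list Inside_in extended deny ip object DENY-IP-INTERNET any
access-group Inside_in in interface inside
!
! Verify what the ASA resolved; only those addresses are in the permit line.
show dns
show access-list Inside_in
```

The check at the end matters because an FQDN entry only matches the addresses the ASA itself resolved. If a client's resolver returns a different address for a CDN-hosted site than the ASA got, the client's connection hits the deny even though the name is whitelisted; pointing both at the same resolver, as assumed here, keeps the two views aligned, and `show access-list Inside_in` shows the expanded addresses and hit counts so a mismatch is visible.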