02-26-2013 12:03 AM - edited 03-11-2019 06:05 PM
hi,
Now, I want to block some websites on a Cisco ASA 5510, and I also want to block keywords like "sex", "game", ... How can I configure it?
help?
02-27-2013 05:32 AM
Nguyen,
You can use an access list to block a range or an IP address. The following access list, which uses object groups, restricts several hosts on the inside network from accessing several web servers. All other traffic is allowed.
hostname(config)# access-list ACL_IN extended deny tcp object-group denied object-group web eq www
hostname(config)# access-list ACL_IN extended permit ip any any
hostname(config)# access-group ACL_IN in interface inside
Regards,
Juan Pablo Lombana
Please rate helpful posts.
02-26-2013 05:02 AM
Hello Nguyen,
You can block URLs using regex:
Facebook:
!-----------/ Begin Output /-----------!
regex domainlist1 "\.youtube\.com"
access-list inside_mpc extended permit tcp any any eq www
class-map type regex match-any DomainBlockList
match regex domainlist1
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
class-map httptraffic
match access-list inside_mpc
policy-map type inspect http http_inspection_policy_blockdomains
parameters
protocol-violation action drop-connection
class BlockDomainsClass
reset log
policy-map global_policy
class httptraffic
inspect http http_inspection_policy_blockdomains
!------------/ End Output /------------!
Youtube:
!-----------/ Begin Output /-----------!
regex youtube "[Yy][Oo][Uu][Tt][Uu][Bb][Ee]\.[Cc][Oo][Mm]"
class-map type regex match-any block
match regex youtube
policy-map type inspect http http-pol
parameters
match request header host regex class block
reset log
match request header referer regex class block
reset log
policy-map global_policy
class inspection_default
inspect http http-pol
!------------/ End Output /------------!
I hope it helps.
Juan Lombana
Please rate helpful posts.
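An added example, not from this thread or from Cisco's documentation, that extends the answer above to the keyword part of the question and also defines the two object groups (denied, web) that the ACL answer references; every name and address in it is assumed. Note that inspect http only sees cleartext HTTP, so the keyword match does not apply to HTTPS traffic.

```cisco
! Object groups for the ACL answer (hosts and servers are assumed)
object-group network denied
 network-object host 10.1.1.10
 network-object 10.1.2.0 255.255.255.0
object-group network web
 network-object host 203.0.113.20
 network-object host 203.0.113.21
!
! ASA regex matching is case-sensitive, so spell out both cases
regex kw_sex  "[Ss][Ee][Xx]"
regex kw_game "[Gg][Aa][Mm][Ee]"
!
class-map type regex match-any KeywordList
 match regex kw_sex
 match regex kw_game
!
! Hit if the keyword appears in the Host header or anywhere in the URI
class-map type inspect http match-any KeywordClass
 match request header host regex class KeywordList
 match request uri regex class KeywordList
!
policy-map type inspect http keyword_block_policy
 parameters
  protocol-violation action drop-connection
 class KeywordClass
  reset log
!
! inspection_default already matches HTTP on port 80
policy-map global_policy
 class inspection_default
  inspect http keyword_block_policy
!
! Verify hits after browsing a matching URL from an inside host:
! show service-policy inspect http
```

A short keyword such as "game" will also reset legitimate requests whose URI happens to contain it, so check the counters from show service-policy before leaving the policy in place.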
02-26-2013 08:31 PM
Thank you so much!
So, I want to block an IP range or a single IP address. What can I do?