01-20-2017 09:42 AM - edited 03-12-2019 01:48 AM
Hi guys, need a clue about
I am blocking URLs using FQDN objects, and it is working, but I have problems with facebook.com. I can access the website intermittently, and the users experienced problems with Google add-ons.
dns domain-lookup outside
dns domain-lookup inside
DNS server-group DefaultDNS
name-server IPdnsinterno
name-server IPproveedor
access-list ACL-INSIDE; 5 elements; name hash: 0xfb5f17a8
access-list ACL-INSIDE line 1 extended deny ip any object OBJ-FACEBOOK.COM (hitcnt=57) 0x10988964
access-list ACL-INSIDE line 1 extended deny ip any fqdn facebook.com (resolved) 0xaf2d4651
access-list ACL-INSIDE line 1 extended deny ip any host 31.13.73.36 (facebook.com) (hitcnt=57) 0x10988964
access-list ACL-INSIDE line 2 extended deny ip any object OBJ-YOUTUBE.COM (hitcnt=23714) 0x9e8d44e3
access-list ACL-INSIDE line 2 extended deny ip any fqdn youtube.com (resolved) 0xa3337447
access-list ACL-INSIDE line 2 extended deny ip any host 216.58.219.78 (youtube.com) (hitcnt=23714) 0x9e8d44e3
access-list ACL-INSIDE line 3 extended permit ip any any (hitcnt=36658) 0x2ed1288c
01-20-2017 12:56 PM
I had to change the ACL, but the problem continues. And I can always access youtube.com.
access-list ACL-INSIDE; 9 elements; name hash: 0xfb5f17a8
access-list ACL-INSIDE line 1 extended permit ip any object OBJ-MailGOOGLE.COM (hitcnt=69) 0x5fae880c
access-list ACL-INSIDE line 1 extended permit ip any fqdn mail.google.com (resolved) 0x3e2c97d1
access-list ACL-INSIDE line 1 extended permit ip any host 216.58.219.69 (mail.google.com) (hitcnt=69) 0x5fae880c
access-list ACL-INSIDE line 2 extended permit ip any object OBJ-adminGOOGLE.COM (hitcnt=156) 0x5bd1f802
access-list ACL-INSIDE line 2 extended permit ip any fqdn admin.google.com (resolved) 0x47e3a396
access-list ACL-INSIDE line 2 extended permit ip any host 216.58.219.78 (admin.google.com) (hitcnt=156) 0x5bd1f802
access-list ACL-INSIDE line 3 extended deny ip any object OBJ-FACEBOOK.COM (hitcnt=18) 0x10988964
access-list ACL-INSIDE line 3 extended deny ip any fqdn facebook.com (resolved) 0xaf2d4651
access-list ACL-INSIDE line 3 extended deny ip any host 31.13.73.36 (facebook.com) (hitcnt=18) 0x10988964
access-list ACL-INSIDE line 4 extended deny ip any object OBJ-YOUTUBE.COM (hitcnt=0) 0x9e8d44e3
access-list ACL-INSIDE line 4 extended deny ip any fqdn youtube.com (resolved) 0xa3337447
access-list ACL-INSIDE line 4 extended deny ip any host 216.58.219.78 (youtube.com) (hitcnt=0) 0x9e8d44e3
access-list ACL-INSIDE line 5 extended permit ip any any (hitcnt=6050) 0x2ed1288
01-21-2017 04:20 PM
The DNS-based access list depends on the ASA resolving the FQDN to an IP address. Now, for sites that have multiple IP addresses (facebook.com), it is possible that the ASA resolves the name to one IP address while the user resolves it to another. Can you check whether this is the case by running a Wireshark capture on your PC while testing? You can then compare the IP address the PC is sending Facebook traffic to with what shows up on the ASA.
Moreover, sites these days use different components that often access different sub-sites, all of which are difficult to keep track of and block.
On a side note, the FQDN-based ACL is not the best way to do URL filtering; one of the reasons for that is what I mentioned above. If you are looking at completely blocking sites based on URL, Firepower on the ASA or a separate WSA is a more complete solution. You may want to read about some of the other gotchas with this method here:
https://supportforums.cisco.com/document/66011/using-hostnames-dns-access-lists-configuration-steps-caveats-and-troubleshooting#Limitations_of_the_Feature
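The resolution mismatch described in this reply, as an added check script that is not part of the thread and not Cisco tooling: it parses the expanded "show access-list" output pasted in the second post, replays the ASA's first-match evaluation against the addresses the client actually resolved, and reports every address the deny entry for a name would not catch. The client answer set is constructed (203.0.113.10 is a TEST-NET-3 address standing in for a second facebook.com A record the ASA never cached); the ACL text is the thread's own output. Run on that output, the script also flags that the youtube.com deny at line 4 expands to 216.58.219.78, the same address the admin.google.com permit at line 2 already matches, which is consistent with that deny's hitcnt=0 after the change.

```python
import re
from ipaddress import ip_address

# Expanded ACEs as the ASA prints them in "show access-list" for FQDN objects.
# For each object the ASA prints a "(resolved)" line and then one "host" line
# per address it currently has cached for that name; only the "host" lines and
# the catch-all "any any" line take part in matching.
HOST_ACE = re.compile(
    r"^access-list \S+ line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"ip any host (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \((?P<fqdn>[^)]+)\) \(hitcnt=\d+\)"
)
ANY_ACE = re.compile(
    r"^access-list \S+ line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"ip any any \(hitcnt=\d+\)"
)

# Output copied from the second post of the thread (after the ACL change).
SHOW_ACCESS_LIST = """\
access-list ACL-INSIDE line 1 extended permit ip any object OBJ-MailGOOGLE.COM (hitcnt=69) 0x5fae880c
access-list ACL-INSIDE line 1 extended permit ip any fqdn mail.google.com (resolved) 0x3e2c97d1
access-list ACL-INSIDE line 1 extended permit ip any host 216.58.219.69 (mail.google.com) (hitcnt=69) 0x5fae880c
access-list ACL-INSIDE line 2 extended permit ip any object OBJ-adminGOOGLE.COM (hitcnt=156) 0x5bd1f802
access-list ACL-INSIDE line 2 extended permit ip any fqdn admin.google.com (resolved) 0x47e3a396
access-list ACL-INSIDE line 2 extended permit ip any host 216.58.219.78 (admin.google.com) (hitcnt=156) 0x5bd1f802
access-list ACL-INSIDE line 3 extended deny ip any object OBJ-FACEBOOK.COM (hitcnt=18) 0x10988964
access-list ACL-INSIDE line 3 extended deny ip any fqdn facebook.com (resolved) 0xaf2d4651
access-list ACL-INSIDE line 3 extended deny ip any host 31.13.73.36 (facebook.com) (hitcnt=18) 0x10988964
access-list ACL-INSIDE line 4 extended deny ip any object OBJ-YOUTUBE.COM (hitcnt=0) 0x9e8d44e3
access-list ACL-INSIDE line 4 extended deny ip any fqdn youtube.com (resolved) 0xa3337447
access-list ACL-INSIDE line 4 extended deny ip any host 216.58.219.78 (youtube.com) (hitcnt=0) 0x9e8d44e3
access-list ACL-INSIDE line 5 extended permit ip any any (hitcnt=6050) 0x2ed1288
"""

# Constructed stand-in for what a Wireshark capture on the client shows it
# resolving. 203.0.113.10 is a TEST-NET-3 address playing the role of a second
# facebook.com A record that the ASA never cached.
CLIENT_DNS_ANSWERS = {
    "facebook.com": {"31.13.73.36", "203.0.113.10"},
    "youtube.com": {"216.58.219.78"},
}


def parse_show_access_list(text):
    """Return the effective ACEs in evaluation order as
    (line, action, ip or None, fqdn or None) tuples."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_ACE.match(line)
        if m:
            aces.append((int(m["line"]), m["action"], ip_address(m["ip"]), m["fqdn"]))
            continue
        m = ANY_ACE.match(line)
        if m:
            aces.append((int(m["line"]), m["action"], None, None))
    return aces


def first_match(aces, dst):
    """Emulate the ASA's first-match evaluation for one destination address.
    Returns (action, line, fqdn); anything no ACE matches is implicitly denied."""
    dst = ip_address(dst)
    for line, action, ip, fqdn in aces:
        if ip is None or ip == dst:
            return action, line, fqdn
    return "deny", None, None


def audit_fqdn_denies(aces, client_answers):
    """For every FQDN the ACL tries to deny, check each address the client
    really resolved and report the ones the deny would not catch.

    Finding: (fqdn, address, kind, matching line, matching fqdn), where kind is
    "unresolved" (the ASA has no ACE for that address, so a later permit wins)
    or "shadowed" (the ASA does have the deny ACE, but an earlier ACE for the
    same address matches first)."""
    denied = {fqdn for _, action, _, fqdn in aces if action == "deny" and fqdn}
    known = {(ip, fqdn) for _, _, ip, fqdn in aces if ip is not None}
    findings = []
    for fqdn, answers in client_answers.items():
        if fqdn not in denied:
            continue
        for addr in sorted(answers, key=ip_address):
            action, line, hit_fqdn = first_match(aces, addr)
            if action == "deny" and hit_fqdn == fqdn:
                continue  # dropped as intended
            kind = "shadowed" if (ip_address(addr), fqdn) in known else "unresolved"
            findings.append((fqdn, addr, kind, line, hit_fqdn))
    return findings


if __name__ == "__main__":
    aces = parse_show_access_list(SHOW_ACCESS_LIST)
    for fqdn, addr, kind, line, hit_fqdn in audit_fqdn_denies(aces, CLIENT_DNS_ANSWERS):
        print(f"{fqdn} -> {addr}: {kind}; first match is line {line} ({hit_fqdn or 'any'})")
```

To use it against a live box, paste the real "show access-list" output into SHOW_ACCESS_LIST and fill CLIENT_DNS_ANSWERS from the A records seen in the client-side capture (Wireshark filter dns.flags.response == 1); an "unresolved" finding means the ASA and the client disagree on the address, a "shadowed" finding means the ordering of the ACL itself defeats the deny.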
01-23-2017 06:21 AM
At first I tried to block a particular URL with FirePOWER Services using ASDM, but it is not working.
01-23-2017 08:25 AM
Yeah, you don't need to have a URL filtering license to do object-based URL filtering. And as you can see in the guide you pasted, Firepower can be managed by ASDM to configure the rules. What was the object that you created for the URL filtering?
01-23-2017 10:00 AM