2876 Views, 10 Helpful, 5 Replies

Blocking a Particular URL using FQDN objects on ASA 5506-x

eurixjaneth1
Level 1

Hi guys, need a clue about

I have an ASA 5506-X that is running the following version:
Cisco Adaptive Security Appliance Software Version 9.6(1)
Device Manager Version 7.6(1)

I am blocking URLs using FQDN objects, and it is working, but I have problems with facebook.com. I can access the website intermittently, and the users experienced problems with Google complements.

dns domain-lookup outside
dns domain-lookup inside
DNS server-group DefaultDNS
name-server  IPdnsinterno
name-server  IPproveedor

access-list ACL-INSIDE; 5 elements; name hash: 0xfb5f17a8
access-list ACL-INSIDE line 1 extended deny ip any object OBJ-FACEBOOK.COM (hitcnt=57) 0x10988964
access-list ACL-INSIDE line 1 extended deny ip any fqdn facebook.com (resolved) 0xaf2d4651
access-list ACL-INSIDE line 1 extended deny ip any host 31.13.73.36 (facebook.com) (hitcnt=57) 0x10988964
access-list ACL-INSIDE line 2 extended deny ip any object OBJ-YOUTUBE.COM (hitcnt=23714) 0x9e8d44e3
access-list ACL-INSIDE line 2 extended deny ip any fqdn youtube.com (resolved) 0xa3337447
access-list ACL-INSIDE line 2 extended deny ip any host 216.58.219.78 (youtube.com) (hitcnt=23714) 0x9e8d44e3
access-list ACL-INSIDE line 3 extended permit ip any any (hitcnt=36658) 0x2ed1288c

5 Replies

eurixjaneth1
Level 1

I had to change the ACL, but the problem continues. And I can always access youtube.com.

access-list ACL-INSIDE; 9 elements; name hash: 0xfb5f17a8
access-list ACL-INSIDE line 1 extended permit ip any object OBJ-MailGOOGLE.COM (hitcnt=69) 0x5fae880c
access-list ACL-INSIDE line 1 extended permit ip any fqdn mail.google.com (resolved) 0x3e2c97d1
access-list ACL-INSIDE line 1 extended permit ip any host 216.58.219.69 (mail.google.com) (hitcnt=69) 0x5fae880c
access-list ACL-INSIDE line 2 extended permit ip any object OBJ-adminGOOGLE.COM (hitcnt=156) 0x5bd1f802
access-list ACL-INSIDE line 2 extended permit ip any fqdn admin.google.com (resolved) 0x47e3a396
access-list ACL-INSIDE line 2 extended permit ip any host 216.58.219.78 (admin.google.com) (hitcnt=156) 0x5bd1f802
access-list ACL-INSIDE line 3 extended deny ip any object OBJ-FACEBOOK.COM (hitcnt=18) 0x10988964
access-list ACL-INSIDE line 3 extended deny ip any fqdn facebook.com (resolved) 0xaf2d4651
access-list ACL-INSIDE line 3 extended deny ip any host 31.13.73.36 (facebook.com) (hitcnt=18) 0x10988964
access-list ACL-INSIDE line 4 extended deny ip any object OBJ-YOUTUBE.COM (hitcnt=0) 0x9e8d44e3
access-list ACL-INSIDE line 4 extended deny ip any fqdn youtube.com (resolved) 0xa3337447
access-list ACL-INSIDE line 4 extended deny ip any host 216.58.219.78 (youtube.com) (hitcnt=0) 0x9e8d44e3
access-list ACL-INSIDE line 5 extended permit ip any any (hitcnt=6050) 0x2ed1288

The DNS-based access-list is dependent on the ASA resolving the FQDN to an IP address. Now, for sites that have multiple IP addresses (facebook.com), it could be possible that the ASA resolves the name to one IP address while the user resolves it to another IP address. Can you check if this is the case by running a Wireshark capture on your PC while testing? You can then see the IP address to which the PC is sending its Facebook traffic vs. what is showing up on the ASA.

Moreover, sites these days use different components that often access different sub-sites, all of which is difficult to keep track of and block.

On a side note, the FQDN-based ACL is not the best way to do URL filtering; one of the reasons for that is what I mentioned above. If you are looking at completely blocking sites based on URL, the Firepower on ASA or a separate WSA solution is a more complete solution. You may want to read some of the other gotchas with this method here:

https://supportforums.cisco.com/document/66011/using-hostnames-dns-access-lists-configuration-steps-caveats-and-troubleshooting#Limitations_of_the_Feature
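An added example (not from this thread, and not Cisco code) of the comparison suggested in the reply above, written in Python: it parses the expanded `show access-list` output pasted earlier in the thread to collect the IP addresses the ASA has resolved for each FQDN, then compares them with a constructed set of DNS answers a client PC received from its own resolver (the kind of thing you would read off a Wireshark capture). The client answers are illustrative only; 203.0.113.10 is taken from the documentation address range and stands in for any address the ASA never resolved, which is exactly the traffic a deny-by-FQDN rule would let through to the final permit.

```python
import re
from collections import defaultdict

# Constructed sample: the expanded 'show access-list' lines from this thread.
ASA_ACL_OUTPUT = """\
access-list ACL-INSIDE line 1 extended deny ip any object OBJ-FACEBOOK.COM (hitcnt=57) 0x10988964
access-list ACL-INSIDE line 1 extended deny ip any fqdn facebook.com (resolved) 0xaf2d4651
access-list ACL-INSIDE line 1 extended deny ip any host 31.13.73.36 (facebook.com) (hitcnt=57) 0x10988964
access-list ACL-INSIDE line 2 extended deny ip any object OBJ-YOUTUBE.COM (hitcnt=23714) 0x9e8d44e3
access-list ACL-INSIDE line 2 extended deny ip any fqdn youtube.com (resolved) 0xa3337447
access-list ACL-INSIDE line 2 extended deny ip any host 216.58.219.78 (youtube.com) (hitcnt=23714) 0x9e8d44e3
access-list ACL-INSIDE line 3 extended permit ip any any (hitcnt=36658) 0x2ed1288c
"""

# Constructed sample: answers a client PC got from its own resolver
# (as captured with Wireshark). 203.0.113.10 is a documentation-range
# address used here to represent an IP the ASA did not resolve.
CLIENT_DNS_ANSWERS = {
    "facebook.com": ["31.13.73.36", "203.0.113.10"],
    "youtube.com": ["216.58.219.78"],
}

# One expanded 'host' entry that the ASA derived from an FQDN object.
HOST_LINE = re.compile(
    r"access-list (\S+) line (\d+) extended (permit|deny) ip any host "
    r"(\d+\.\d+\.\d+\.\d+) \(([^)]+)\)"
)


def parse_asa_fqdn_hosts(show_output):
    """Map each FQDN in the expanded ACL to the set of IPs the ASA resolved for it."""
    resolved = defaultdict(set)
    for line in show_output.splitlines():
        m = HOST_LINE.search(line)
        if m:
            _acl, _lineno, _action, ip, fqdn = m.groups()
            resolved[fqdn].add(ip)
    return dict(resolved)


def find_uncovered(asa_resolved, client_answers):
    """Return {fqdn: sorted IPs the client resolved that the ASA's ACL does not cover}."""
    gaps = {}
    for fqdn, ips in client_answers.items():
        missing = set(ips) - asa_resolved.get(fqdn, set())
        if missing:
            gaps[fqdn] = sorted(missing)
    return gaps


if __name__ == "__main__":
    asa_view = parse_asa_fqdn_hosts(ASA_ACL_OUTPUT)
    for fqdn, ips in sorted(asa_view.items()):
        print(f"ASA resolved {fqdn} -> {sorted(ips)}")
    for fqdn, ips in find_uncovered(asa_view, CLIENT_DNS_ANSWERS).items():
        print(f"{fqdn}: client may reach {ips}, not matched by the FQDN rule")
```

Paste your own `show access-list` output into `ASA_ACL_OUTPUT` and the A records from the PC capture into `CLIENT_DNS_ANSWERS`; any address listed under a name in the output is one the deny rule will not match on that ASA until the ASA's resolver happens to return it too.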

At first I tried to block a particular URL with FirePOWER Services using ASDM, but it is not working.

The sfr module is running the following version:
Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.0.0-1005
Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up                 Up
ciscoasa#
I have only the Protection and Control license enabled.
I am blocking some URLs with FirePOWER Services, and then I commit and deploy the changes on the Access Control policy; the task status is completed. But I can still access the blocked URLs from the source networks.
I don't have a server to install the FireSIGHT. And I would like to use only ASDM. I am following the steps on the link below (blocking a particular URL with FirePOWER Services).

Yeah, you don't need to have a URL filtering license to do object-based URL filtering. And as you can see in the guide you pasted, the Firepower can be managed by ASDM to configure the rules. What was the object that you created for the URL filtering?

I added the reference objects (URL) from the access control policy.
