Blocking specific URL (using IP Address) with ASA Firewall Access list

sreeraj.murali
Level 3

Hi Experts,

Is it possible to block only certain Internet URLs using their IP address and permit all other (ANY) Internet URLs using ASA Firewall? Can you help me with the ACL statements if possible?

 

Please comment

 

Thanks

Sreeraj

4 Replies

yongaik
Level 1

You resolve (ping or nslookup) those URLs to their IP addresses, then just apply them as a permitted destination in the ACL policies. That's basically the way.

 

But it is also a very unreliable way, as many URLs (actually FQDNs) are hosted/fronted by CDN caches on the internet, which means they use quite a number of different IP addresses (in different subnet blocks). Many of them are also quite dynamic (change frequently) in nature, so trying to manually track them is mostly not reliable. The right way to block destinations by URL should be performed on your web security gateway (i.e. forward web proxy) instead.

OK. Thanks for the comment. Agree with you, to add a permit statement for allowing a specific URL.
However, if I want to deny access to certain URLs and permit the rest of all URLs, how can I achieve it? I am thinking of the possibility of blocking access to Facebook, YouTube and streaming video websites, and allowing access to all other Internet URLs. Please help.

Thanks Karsten Iwen, sure, I will explore.

 

I did this (ATTACHED IN THE SCREENSHOT) as a temporary workaround, hope this is valid.

 

Please comment your expert inputs.
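
The approach discussed in this thread (resolve the names, deny those addresses first, then permit everything else) together with the CDN address-churn caveat, as an added example that is not any poster's own configuration. The FQDNs, the addresses (RFC 5737 documentation ranges), and the ACL, object-group and interface names are constructed assumptions.

```python
import ipaddress

# Constructed sample data: two DNS resolution snapshots for the same FQDNs.
# A real run would fill these from nslookup/dig output taken at different times.
SNAPSHOT_MON = {
    "video.example.com": ["192.0.2.10", "192.0.2.11"],
    "social.example.net": ["198.51.100.20"],
}
SNAPSHOT_TUE = {
    "video.example.com": ["192.0.2.11", "203.0.113.5"],  # CDN rotated one edge node
    "social.example.net": ["198.51.100.20"],
}


def blocked_hosts(snapshot):
    """Return the validated, de-duplicated IPv4 addresses in numeric order."""
    addrs = {ipaddress.IPv4Address(ip) for ips in snapshot.values() for ip in ips}
    return [str(a) for a in sorted(addrs)]


def build_acl(snapshot, acl="INSIDE_OUT", group="BLOCKED_SITES", iface="inside"):
    """Emit ASA config lines: deny the resolved hosts, then permit all other traffic.

    Order matters: ASA ACLs are first-match, so the deny entry must precede
    the permit-any entry.
    """
    lines = [f"object-group network {group}"]
    lines += [f" network-object host {ip}" for ip in blocked_hosts(snapshot)]
    lines += [
        f"access-list {acl} extended deny ip any object-group {group}",
        f"access-list {acl} extended permit ip any any",
        f"access-group {acl} in interface {iface}",
    ]
    return lines


def drift(old, new):
    """Show how an ACL built from `old` has gone stale by the time of `new`."""
    before, after = set(blocked_hosts(old)), set(blocked_hosts(new))
    return {
        "unblocked_new": sorted(after - before),  # site reachable again via these
        "stale": sorted(before - after),          # may now block an unrelated tenant
    }


if __name__ == "__main__":
    print("\n".join(build_acl(SNAPSHOT_MON)))
    print(drift(SNAPSHOT_MON, SNAPSHOT_TUE))
```

A non-empty `unblocked_new` list means the address-based ACL no longer covers the site, which is the reliability problem raised in the first reply.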

 

 
