Blocking URL and Instant Messenger

anthony.dyne
Level 1

Hi

Can we block websites and messengers on a Cisco ASA 5520 running code 8.2? We are looking to block facebook.com, yahoo.com, twitter.com, MSN Messenger, Yahoo Messenger, Google Talk and Messenger. All Internet traffic from users is passing via the firewall, and for the 20 users on this site we do not have Microsoft ISA or Bluecoat.

Please support with a config example.

thanks

anthony

6 Replies

varrao
Level 10

Anthony,

Yes, URLs can be blocked; here is the doc for it:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

But I would not suggest blocking IMs from the ASA, because the ASA is not a scalable device; moreover, the new IMs that we have would always keep changing the ports, so it becomes difficult to block any IM traffic as requests come from a different port every time. I would suggest some other device, like an IPS, for it.

Thanks,

Varun

Thanks,
Varun Rao

Anthony,


MSN Messenger traffic is encapsulated in HTTP and is not the native msn-messenger message that 'inspect im' deals with, so 'inspect im' will not work, as it only works on native MSN Messenger messages. Using 'inspect http' is the only way, and it will introduce additional latency since it has to do a lot more lookups in the payload; 'inspect im', on the other hand, only looks at the first few bytes of the TCP payload for the signature. The ASA will not be able to block such applications as these are very dynamic; if tunneled over 443 this is entirely impossible.

The ASA is not a scalable model/device to block IMs; he requires an IPS/IDS that does extensive application payload inspection and is a device suited for this type.

Let me know if this answers your query

Thanks,
Varun

Hi, you can use HTTP inspection to block the websites you listed above if they are using port 80.

However, it will not block https://twitter.com/ and https://www.facebook.com/. The ASA is unable to inspect encrypted traffic.

One solution to the HTTPS problem is to write an ACL that will deny access to all the public IPs owned by these companies.

Be aware, however, that they own a significant amount of address space.

If you are not careful, therefore, you could block some legitimate business sites that are using some of these addresses.
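As an added configuration example (not from the original thread or from the Cisco doc linked above) showing both approaches discussed in the replies: ASA 8.2 Modular Policy Framework HTTP inspection matching the Host header for the sites the original post lists, plus a destination-address ACL for the HTTPS case. The interface name "inside", the class/policy names and the 198.51.100.0/24 prefix are assumptions; the prefix is a documentation placeholder that must be replaced with the addresses actually in use.

```cisco
! --- Part 1: block plain-HTTP (port 80) requests by Host header ---
! Regexes for the Host header values to block; "\." escapes the dot
regex BLOCK_FACEBOOK "facebook\.com"
regex BLOCK_YAHOO "yahoo\.com"
regex BLOCK_TWITTER "twitter\.com"

! Group the regexes so one inspect class can match any of them
class-map type regex match-any BLOCKED_HOSTS
 match regex BLOCK_FACEBOOK
 match regex BLOCK_YAHOO
 match regex BLOCK_TWITTER

! Inspect-class that fires when the HTTP Host header matches the group
class-map type inspect http match-all BLOCK_HTTP_HOSTS
 match request header host regex class BLOCKED_HOSTS

! HTTP inspection policy: drop the connection and log a syslog message
policy-map type inspect http BLOCK_WEB_POLICY
 parameters
 class BLOCK_HTTP_HOSTS
  drop-connection log

! Layer-3/4 class selecting TCP/80 traffic for the HTTP inspection engine
class-map BLOCK_WEB_TRAFFIC
 match port tcp eq www

! Attach the HTTP inspection policy to that traffic on the inside interface
policy-map INSIDE_POLICY
 class BLOCK_WEB_TRAFFIC
  inspect http BLOCK_WEB_POLICY

service-policy INSIDE_POLICY interface inside

! --- Part 2: HTTPS cannot be inspected, so deny by destination address ---
! Placeholder prefix (documentation range); substitute the real address
! space of the sites to block, and review it for collateral blocking
object-group network BLOCKED_HTTPS_SITES
 network-object 198.51.100.0 255.255.255.0

access-list INSIDE_IN extended deny tcp any object-group BLOCKED_HTTPS_SITES eq https
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

The "log" keyword on drop-connection and the ACL denies give syslog evidence of what was blocked, which is worth watching after deployment to catch legitimate sites caught by the address-range deny.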

Hi

To get IPS enabled on the ASA 5520, do I need to add a license to it?

Anthony,

You don't need any license on the ASA for using IPS, but yes, on the IPS itself you would require a license.

Here is the config guide for IPS:

http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/clissm.html

Thanks,

Varun


You need to purchase a hardware module: http://www.cisco.com/en/US/products/ps6825/index.html
