Blocking websites with ASA

networker99
Level 1

I understand the ASA has limited functionality with website blocking, and that you have to create regular expressions. If you do this, is it possible to create groups for the regular expressions? For example, certain MAC addresses can get to all websites but others are restricted from some.


8 Replies

Maykol Rojas
Cisco Employee

Hello,

Not really with MAC address, but with IPs. You will match the hosts using ACLs.

Thanks.

Mike

Thank you for your reply, please could you post an example?

Here it goes:

access-list urlfilter permit tcp host x.x.x.x any eq 80

class-map httptraffic
  match access-list urlfilter

regex domainlist3 "\.facebook\.com"

class-map type regex match-any DomainBlockList
  match regex domainlist3

class-map type inspect http match-all BlockDomainsClass
  match request header host regex class DomainBlockList

policy-map type inspect http http_inspection_policy
  class BlockDomainsClass
    reset log

policy-map inside-policy
  class httptraffic
    inspect http http_inspection_policy

service-policy inside-policy interface inside

If you note, it is the same configuration posted here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

However, the only thing you need to modify is the class map called httptraffic, which has the hosts that are going to match this policy.

Hope it helps.

Mike

Okay, great, so 2 questions: would the following work? And am I correct in assuming that only those IP addresses listed in "urlfilter" will be subject to the filtering, and all others will be permitted?

access-list urlfilter permit tcp host 192.168.1.50 any eq 80
access-list urlfilter permit tcp host 192.168.1.51 any eq 80
access-list urlfilter permit tcp host 192.168.1.52 any eq 80
access-list urlfilter permit tcp host 192.168.1.53 any eq 80

class-map httptraffic
  match access-list urlfilter

regex domainlist1 "\.facebook\.com"
regex domainlist2 "\.twitter\.com"
regex domainlist3 "\.myspace\.com"
regex domainlist4 "\.youtube\.com"

class-map type regex match-any DomainBlockList
  match regex domainlist1
  match regex domainlist2
  match regex domainlist3
  match regex domainlist4

class-map type inspect http match-all BlockDomainsClass
  match request header host regex class DomainBlockList

policy-map type inspect http http_inspection_policy
  class BlockDomainsClass
    reset log

policy-map inside-policy
  class httptraffic
    inspect http http_inspection_policy

service-policy inside-policy interface inside

Correct! Only the IP addresses under urlfilter will be hitting this policy.

Mike Rojas

Security Technical Lead

Great, and the config looked okay? Also, rather than individual IPs, can I specify a subnet in the urlfilter list?

Hi,

Yes, it does look ok, you can specify subnets there too. In case you need to allow just one host on a subnet, you can also include a deny statement on that same access list so that one single host is not affected but the rest of the subnet is.

Mike
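As an added illustration (not from this thread or from Cisco), a small Python model of how the pieces above combine: the urlfilter ACL is evaluated first-match to decide which source hosts reach class httptraffic, including the deny-before-permit exemption for a single host that Mike describes, and the match-any regex class is then applied to the HTTP Host header. The ACL entries and sample requests are constructed; the assumption is that the ASA regex is an unanchored search over the header, which is why a bare Host of facebook.com slips past \.facebook\.com.

```python
import ipaddress
import re

# Constructed model of the urlfilter ACL from this thread (not ASA code).
# Entries are evaluated first-match, as the ASA does: a deny for one host
# placed before the permit for its subnet exempts that host from inspection.
URLFILTER_ACL = [
    ("deny", "192.168.1.10/32"),    # assumed: the one host left unfiltered
    ("permit", "192.168.1.0/24"),   # the rest of the inside subnet is inspected
]

# The regex strings from the thread. Assumption: "match regex" on the ASA is an
# unanchored search over the Host header, which re.search reproduces.
DOMAIN_BLOCK_LIST = [r"\.facebook\.com", r"\.twitter\.com",
                     r"\.myspace\.com", r"\.youtube\.com"]


def is_inspected(src_ip: str, acl=URLFILTER_ACL) -> bool:
    """First matching ACL line decides whether the source hits class httptraffic."""
    ip = ipaddress.ip_address(src_ip)
    for action, net in acl:
        if ip in ipaddress.ip_network(net):
            return action == "permit"
    return False  # no ACL match: class-map does not apply, nothing is inspected


def host_blocked(host_header: str, patterns=DOMAIN_BLOCK_LIST) -> bool:
    """match-any regex class: any pattern found anywhere in the Host header."""
    return any(re.search(p, host_header) for p in patterns)


def verdict(src_ip: str, host_header: str) -> str:
    """'reset' if the policy would reset the connection, otherwise 'allow'."""
    if is_inspected(src_ip) and host_blocked(host_header):
        return "reset"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests: (source IP, Host header)
    for ip, host in [("192.168.1.50", "www.facebook.com"),
                     ("192.168.1.10", "www.facebook.com"),   # exempt host
                     ("192.168.1.50", "facebook.com"),       # no leading dot
                     ("10.0.0.5", "www.youtube.com")]:       # not in the ACL
        print(f"{ip:14} {host:20} -> {verdict(ip, host)}")
```

The third sample shows the gap a practitioner should test for: a Host header without a leading dot is not caught by the thread's patterns, so any domain you want fully blocked needs a pattern that also covers the bare name.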

Great, thanks
